On 2020-11-16, Ian Timothy <i...@thrivedata.it> wrote:
> int_if = "em0"
>
> ext_if = "em1"
> ext_net = "23.X.X.128/29"
>
> gateway_ip_ext = "{ 23.X.X.129 }"
> gateway_ip_int = "{ 10.0.0.1 }"
>
> set skip on {lo, enc0}
>
> block return # block stateless traffic
> pass # establish keep-state
>
> pass out on $ext_if from $int_if:network to any nat-to ($ext_if:0)

...also you only nat for em0:network which doesn't cover your vpn range

> # --- server: sysctl net.inet.{ipcomp.enable,esp.enable,esp.udpencap} ---
>
> net.inet.ipcomp.enable=1
> net.inet.esp.enable=1
> net.inet.esp.udpencap=1