> Roy,
>
> I tried for weeks to get this to work and eventually abandoned the idea
> due to a deadline to just get it working. I ended up sticking another
> cheap box (P133) in front of the box doing IPSEC and performing NAT on
> there. Then I would create IP aliases on the NAT box as well as the IPSEC
> box for those cases and that worked fine.
>
> Problem is that the OpenBSD kernel does IPSEC flow processing before it
> does NAT. So if you try to do both on the same box your packets will
> not match your defined IPSEC SA because they have not yet been
> NAT'd, in which case they will just be dropped by the kernel.
Thanks for the reply Matt,

In the end I was ABLE to get it all working. I am just running it through some tests now, but it seems fine.

Cheers!
roy