Dag Richards wrote:
> Um no, it won't work. Once the traffic is encrypted you will no longer be
> able to NAT it. The original packet is now an encrypted blob that is
> the payload of a new packet with a source of your gateway and dest their
> GW. You can NAT the wrapper packet but not the payload.
Just a thought: how about building the tunnel for the NATed network
only? In this case something along the lines of:
ipsec.conf:
flow esp from 10.110.40.0/24 to 10.110.10.0/24 peer $remote_gw
[...]
and
pf.conf:
nat on $int_if from 192.168.45.0/24 to 10.110.10.0/24 -> 10.110.40.0/24 source-hash
[...]
The packet would then have to be reinserted at a point before the
encryption decision is made ... I'm not sure if this is possible at all
... if there's a way to redirect the packet to the internal interface
again, as if it were just arriving, it should be, though ...
krgds /markus