Roy Morris wrote:
Stephen Bosch wrote:
Dag Richards wrote:
Um, no, it won't work. Once the traffic is encrypted you will no longer be able to NAT it. The original packet is now an encrypted blob that is the payload of a new packet with a source of your gateway and dest of their GW. You can NAT the wrapper packet but not the payload.

I have 2x IBM xSeries somethings for FWs, and 2x HP DL360s for VPN servers, all running 3.9.

Yes, it does work! I guess I'd better hold on to these two boxes I have. Seems they are the only ones that do! lol
I have:
A. clients on each end behind a vpn/pf box
B. enc0 binat from internal client to public IP of other side's client
C. /etc/hostname.if alias for the binat IP
D. isakmpd.conf uses public IP (A) for phase 1, and (B, internal client NAT) for phase 2

Just to be clear here, I'll try and explain in greater detail.

I have a host with IP 10.225.10.10.

The remote network is 10.40.10.0/24.

The remote network insists that my internal host be on the 10.50.10.0/24 network. In a perfect world, I'd just renumber on my end, or get him to accept my internal network, but he won't do that. So I have to NAT my internal network to a private IP that fits his addressing scheme.

I need to NAT 10.225.10.10 so that it will appear as 10.50.10.10 in the remote peer's tunnel.

If NAT happens before encryption, then this should be possible.

If NAT happens after encryption, I have a problem, and an alias doesn't look like it's going to help.

Feedback?

-Stephen-
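Roy's four points, written out against Stephen's addresses, as an added example that is not part of the original thread and was not posted or tested by either of them. Everything the thread does not give is an assumption: the interface names (fxp0 outside, fxp1 inside), the two gateway addresses (203.0.113.1 local, 198.51.100.1 peer), the pre-shared key, the transform names, and which interface Roy's alias (point C) goes on. The point of the example is the placement: the binat rule sits on enc0, where pf sees the inner packet in cleartext (outbound before encapsulation, inbound after decapsulation), not on the outside interface, where it would only see the ESP wrapper Dag describes; and the phase 2 ID is the translated address, so the remote peer's 10.50.10.0/24 policy is what gets negotiated.

```conf
# --- /etc/pf.conf (relevant part; interface names and peer address assumed) ---
ext_if  = "fxp0"            # assumed: outside interface, 203.0.113.1
int_if  = "fxp1"            # assumed: inside interface, 10.225.10.0/24
peer_gw = "198.51.100.1"    # assumed: remote IPsec gateway

# Roy's point B: translate on enc0, where pf sees the inner packet in
# cleartext, instead of on $ext_if, where only the ESP wrapper is visible.
binat on enc0 from 10.225.10.10 to 10.40.10.0/24 -> 10.50.10.10

# IKE and ESP between the two gateways on the outside interface.
pass in  on $ext_if proto udp from $peer_gw to $ext_if port isakmp
pass out on $ext_if proto udp from $ext_if to $peer_gw port isakmp
pass in  on $ext_if proto esp from $peer_gw to $ext_if
pass out on $ext_if proto esp from $ext_if to $peer_gw

# Tunnel payload. pf applies translation before filtering, so the
# outbound rule sees the translated source and the inbound rule sees
# the real (already untranslated) destination.
pass out on enc0 from 10.50.10.10 to 10.40.10.0/24 keep state
pass in  on enc0 from 10.40.10.0/24 to 10.225.10.10 keep state

# --- /etc/hostname.fxp1 (Roy's point C; the thread does not say which
# --- interface he aliases, the inside interface is an assumption) ---
inet 10.225.10.1 255.255.255.0 NONE
inet alias 10.50.10.10 255.255.255.255

# --- /etc/isakmpd/isakmpd.conf (pre-shared key; addresses assumed) ---
[General]
Listen-on=              203.0.113.1

[Phase 1]
198.51.100.1=           peer-gw

[Phase 2]
Connections=            local-host-remote-net

# Roy's point D, phase 1: the gateways' public addresses.
[peer-gw]
Phase=                  1
Transport=              udp
Local-address=          203.0.113.1
Address=                198.51.100.1
Configuration=          Default-main-mode
# assumed placeholder secret, replace before use
Authentication=         replace-with-a-real-shared-secret

# Roy's point D, phase 2: the translated address, not 10.225.10.10,
# so the negotiated flow matches the remote side's 10.50.10.0/24 policy.
[local-host-remote-net]
Phase=                  2
ISAKMP-peer=            peer-gw
Configuration=          Default-quick-mode
Local-ID=               local-host
Remote-ID=              remote-net

[local-host]
ID-type=                IPV4_ADDR
Address=                10.50.10.10

[remote-net]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.40.10.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE
```

To check the result rather than reason about packet order: after `pfctl -f /etc/pf.conf` and starting isakmpd, `pfctl -sn` should list the binat rule on enc0, `netstat -rn -f encap` should show the negotiated flow with 10.50.10.10 as the local end, and `tcpdump -ni enc0` shows the inner packets in cleartext, so an outbound packet from the host should read source 10.50.10.10 there while the same traffic on fxp0 is only ESP. If the whole 10.225.10.0/24 has to appear as 10.50.10.0/24, binat can map a block to a block of the same size (`from 10.225.10.0/24 ... -> 10.50.10.0/24`) and the phase 2 Local-ID becomes an IPV4_ADDR_SUBNET for 10.50.10.0/255.255.255.0.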
