On Wed, 28 Jun 2006, Stephen Bosch wrote:
Hi, Roy:
Roy Morris wrote:
Yes it does work! I guess I better hold on to these two boxes I have. Seems
they are the only ones that do! lol
I have
A. clients on each end behind a vpn/pf box
B. enc0 binat from internal client to public IP of other side client
C. /etc/hostname.if alias for the binat IP
D. isakmpd.conf uses public IP (A) for phase 1, and (B internal client nat)
for phase 2
I've had a closer look at this...
In my case, the other peer expects a private IP on my internal network. Your
directions involve an alias. Do I need this alias?
Can I not just nat on the encryption interface like so?
nat on $enc_if from $internal_ip to $remote_internal_ip ->
$private_nat_address?
This is really confusing me.
-Stephen-
If you do nat on $enc_if your incoming packets will not match an existing
IPSEC flow and will never get routed to your enc0 interface in the first place.
man ipsec shows a flow diagram of how packets move in the kernel.
-Matt-
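For readers trying to follow Roy's four steps and Matt's objection, here is an added configuration sketch that is not part of the thread and was not written by Roy, Stephen or Matt. Interface name (vr0), the 192.168.1.10 internal client and the 203.0.113.x / 198.51.100.x public addresses are constructed placeholders; substitute your own. It shows the binat-on-enc0 rule from step B next to the one-way nat rule Matt says will not work, and the hostname.if alias from step C.

```pf
# --- /etc/hostname.vr0 (step C, external interface) ---------------------
# The box must answer for the binat address on its own interface, so the
# public IP that the far side sees is added as an alias:
#   inet 203.0.113.2 255.255.255.0 NONE
#   inet alias 203.0.113.10 255.255.255.255

# --- /etc/pf.conf (step B) ----------------------------------------------
ext_if        = "vr0"          # assumed external interface
enc_if        = "enc0"         # IPsec encapsulation interface
int_client    = "192.168.1.10" # internal client behind this pf/VPN box (constructed)
local_pub     = "203.0.113.10" # public IP this client is presented as (constructed)
remote_client = "198.51.100.20" # public IP the far-side client is presented as (constructed)

# Two-way translation on the encryption interface. Outbound, packets from the
# internal client to the remote client leave as $local_pub; inbound, packets
# for $local_pub that have already been matched to an IPsec flow and handed
# to enc0 are mapped back to the internal client.
binat on $enc_if from $int_client to $remote_client -> $local_pub

# What Matt warns against (left commented out on purpose): a one-way nat
# rule only rewrites outbound traffic, so the peer's replies carry no
# matching IPsec flow and never reach enc0 to be translated back.
# nat on $enc_if from $int_client to $remote_client -> $local_pub

# Let the IKE and ESP traffic in on the outside, and the cleartext on enc0.
pass in  on $ext_if proto udp from any to $ext_if port 500 keep state
pass in  on $ext_if proto esp from any to $ext_if
pass out on $ext_if proto udp from $ext_if port 500 to any keep state
pass out on $ext_if proto esp from $ext_if to any
pass in  on $enc_if from $remote_client to $local_pub keep state
pass out on $enc_if from $local_pub to $remote_client keep state
```

With this layout, step D follows naturally: the phase 1 ID in isakmpd.conf is the box's real public address (203.0.113.2 above), while the phase 2 network IDs are $local_pub and $remote_client, so the negotiated flow covers the translated addresses, not the 192.168.1.10 address that only exists on the inside. Packets that arrive for $local_pub then match that flow, get delivered to enc0, and only there does the binat rule turn them back into traffic for the internal client.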