Matthew Closson wrote:
> I don't think what you want to do is currently possible:
>
> Here is your problem:
>
> Let's say you have these settings
>
> internal_host 10.0.0.5
> internal_openbsd_nic 10.0.0.1
> external_openbsd_nic AAA.AAA.AAA.AAA
>
> Remote_concentrator BBB.BBB.BBB.BBB
> Remote_internal_host 192.168.0.10
>
> and they say they need you to look like you are coming from 192.168.0.5
> (it happens frequently because of the other side's policy or poor
> planning).
>
> So you think no problem, you configure isakmpd and bring up an SA between
>
> 192.168.0.5 <--- IPSEC_SA ---> 192.168.0.10

What I've actually got right now is AAA.AAA.AAA.AAA <--- IPSEC_SA ---> 192.168.0.10

> You set up an IP alias on one of your NICs and assign it that address,
> then you think you can do NAT on your enc0. But you can't. Because
> here is what happens:
>
> 1. packet comes in from 10.0.0.5 -> 10.0.0.1 destined for 192.168.0.10
> 2. your box looks at it to see if it matches an existing flow in the
> Security Association Database (SADB). It does NOT. You have a flow
> between 192.168.0.5 and 192.168.0.10, NOT between 10.0.0.5 and
> 192.168.0.10. So at this point there is no further route to get to that
> destination and the packet is dropped. It never reaches your enc0
> interface to actually get NAT'd because it FIRST has to match a flow.

According to this, then, Roy's configuration shouldn't actually work. He's sending traffic from an internal interface that doesn't match the SA flow, and then he binat's it.

Roy -- can you show us the SA output of your 'netstat -rn', altered to protect the innocent? I think it would be useful to see that.

Thanks,

-Stephen-
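The ordering argument in the quoted message (flow lookup in the SADB happens before any NAT on enc0, so a packet whose real source is not covered by the flow is dropped) can be made concrete with a small model. The following Python is an added example written for this thread, not code from the list or from OpenBSD; it is a toy packet-processing model, not the kernel's actual code path. The flow table, the binat map and the packets are constructed from the addresses in the message, and the `nat_before_flow_lookup` switch exists only to show why the order matters.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    """One IPsec flow (selector) from the SADB: source and destination prefixes."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def flow_matches(flows: List[Flow], pkt: Packet) -> bool:
    """True if some flow's selectors cover the packet's source and destination."""
    s = ipaddress.ip_address(pkt.src)
    d = ipaddress.ip_address(pkt.dst)
    return any(s in f.src and d in f.dst for f in flows)

def apply_binat(binat: Dict[str, str], pkt: Packet) -> Packet:
    """Rewrite the source address if a binat mapping exists for it."""
    return Packet(binat.get(pkt.src, pkt.src), pkt.dst)

def process(pkt: Packet, flows: List[Flow], binat: Dict[str, str],
            nat_before_flow_lookup: bool = False) -> Tuple[str, Packet]:
    """Model the outbound path: return ('sent', final_pkt) or ('dropped', pkt).

    With the default ordering (as the message describes it) the flow lookup runs
    on the untranslated packet; the NAT step is only reached after a match.
    """
    if nat_before_flow_lookup:          # hypothetical ordering, for contrast only
        pkt = apply_binat(binat, pkt)
    if not flow_matches(flows, pkt):
        return ("dropped", pkt)         # no matching flow: never reaches enc0
    if not nat_before_flow_lookup:
        pkt = apply_binat(binat, pkt)   # NAT on enc0 happens after the match
    return ("sent", pkt)

# Constructed from the addresses in the message: the SA is negotiated between the
# alias 192.168.0.5 and the remote host 192.168.0.10, while the real internal
# host is 10.0.0.5 and is binat'd to 192.168.0.5.
FLOWS = [Flow(ipaddress.ip_network("192.168.0.5/32"),
              ipaddress.ip_network("192.168.0.10/32"))]
BINAT = {"10.0.0.5": "192.168.0.5"}

if __name__ == "__main__":
    for pkt in (Packet("10.0.0.5", "192.168.0.10"),
                Packet("192.168.0.5", "192.168.0.10")):
        print(pkt, "->", process(pkt, FLOWS, BINAT))
    # Contrast: only if NAT ran first would the 10.0.0.5 packet get through.
    print(process(Packet("10.0.0.5", "192.168.0.10"), FLOWS, BINAT,
                  nat_before_flow_lookup=True))
```

Run as-is, the packet from 10.0.0.5 is dropped because the SADB holds no flow covering 10.0.0.5, while a packet already sourced from 192.168.0.5 is sent; the contrast case shows that the binat only helps if it happens before the flow lookup, which is exactly the ordering the message says is not available. Checking the flow selectors in the `netstat -rn` encap output against the actual source addresses of the traffic is the practical way to confirm which case a given setup is in.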