I have the following configuration:
LAN_B--[OpenBSD+Pf+NAT+VPN]---(internet)---[OpenBSD+Pf+NAT+VPN]---[OpenBSD+Squid]---LAN_A

http://bsdsupport.org/ , setting up IPsec over GRE on OpenBSD

I can ping a host from LAN_A to a host on LAN_B

I hope this can help!

-------- Original Message --------
> Date: Wed, 13 Aug 2008 16:41:20 -0400
> From: Toby Burress <[EMAIL PROTECTED]>
> To: misc@openbsd.org
> Subject: Using PF to NAT internal addresses over an IPSec link
>
> I have an IPSec connection set up to an external site, over which
> I have no control and whose topology I know nothing about (i.e. I
> don't know what subnets they use, etc.) Using ipsecctl, I have one
> flow set up, from my external IP A.B.C.D to an internal IP on their
> side, 172.25.0.1.
>
> I can ping 172.25.0.1 from the OpenBSD box, so IPSec is working fine.
>
> What I want to do is allow any machine from my internal networks
> to reach 172.25.0.1.
>
> What I would like to do is set up NAT, so that packets headed to
> the OpenBSD box from anywhere on my network get translated to
> A.B.C.D, which is then sent over the VPN connection. Unfortunately
> it looks like PF only applies NAT transforms when packets leave
> interfaces, not when they enter them, so packets come into the
> OpenBSD box with their private IPs, get routed out the interface
> associated with the default route, and only then get rewritten.
>
> Is there a better way to do this? I would like to be able to change
> which hosts on my side can go over the IPSec connection without
> having to coordinate with the other company, and without having to
> expose internal IP information.
>
> If you reply to the list please cc me as I am not subscribed.
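One way to get the translation the quoted question asks for, added here as an example that is neither the reply author's GRE-over-IPsec setup nor anything from the original thread: with the match/nat-to syntax introduced in OpenBSD 4.7 (later than this 2008 thread) the source translation can be applied on the inbound interface, so the packet already carries A.B.C.D when it is routed and compared against the single IPsec flow. The interface names, the 10.0.0.0/24 LAN, the host list and the PEER_GW placeholder are assumptions; A.B.C.D and 172.25.0.1 are the question's own placeholders.

```pf
# /etc/pf.conf fragment (OpenBSD 4.7+ syntax) -- added example, not from the thread.
ext_if   = "em0"         # assumed: interface that holds A.B.C.D
int_if   = "em1"         # assumed: interface facing the internal LANs
ext_ip   = "A.B.C.D"     # local end of the IPsec flow (question's placeholder)
vpn_host = "172.25.0.1"  # remote host reachable through the flow
lan      = "10.0.0.0/24" # constructed: the internal subnet

# Which internal hosts may use the tunnel. Edit this table to change the
# set of hosts; the IPsec flow and the remote side are never touched, and
# the remote side only ever sees A.B.C.D.
table <vpn_users> { 10.0.0.5, 10.0.0.6 }

# Translate on the way IN from the LAN. The packet is rewritten to come
# from A.B.C.D before routing, so the IPsec flow lookup sees A.B.C.D ->
# 172.25.0.1 and the packet is encapsulated instead of leaving in clear.
# (An egress "nat on $ext_if ... -> A.B.C.D" rule, as in the question,
# runs only after the flow lookup was already done on the private source.)
match in on $int_if inet from <vpn_users> to $vpn_host nat-to $ext_ip

# Default deny, then allow only the listed hosts towards the remote host;
# any other LAN host trying to reach 172.25.0.1 is dropped and logged.
block log all
pass in on $int_if inet from <vpn_users> to $vpn_host
block in log on $int_if inet from $lan to $vpn_host

# Decrypted/cleartext tunnel traffic is filtered on enc0; bind the state
# to the interface so it cannot be matched from the outside.
pass in  on enc0 inet from $vpn_host to $ext_ip keep state (if-bound)
pass out on enc0 inet from $ext_ip to $vpn_host keep state (if-bound)

# The ESP carrier and IKE/NAT-T on the external interface.
pass in  on $ext_if proto esp from PEER_GW to $ext_ip
pass out on $ext_if proto esp from $ext_ip to PEER_GW
pass in  on $ext_if proto udp from PEER_GW to $ext_ip port { 500, 4500 }
pass out on $ext_if proto udp from $ext_ip to PEER_GW port { 500, 4500 }
```

The flow in /etc/ipsec.conf stays exactly the single one from the question (`flow esp from A.B.C.D to 172.25.0.1 peer PEER_GW`); only the PF rules decide which internal hosts are translated into it, and `pfctl -s state` on the inbound state shows the 10.0.0.x address rewritten to A.B.C.D.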