Hey list! ...

Interesting... I was about to send an e-mail to the list regarding this same question, aka: best practice on NAT over IPsec... or how to do it correctly?!?!?!?

May I suggest you try something... (that's what I will try anyway sometime next week or so...)

Create a loopback interface on one of your BSDs and try to NAT on this 'lo' interface... from that NAT, adjust your pf to block all from LAN A to LAN B except from the NAT... and well, I think it should work!

Any other suggestions to try, or any 'already working here' notes that someone can post?

Regards,
M-A

Jorge Valbuena wrote:
I have the following configuration:

LAN_B--[openBSD+Pf+Nat+VPN]---(internet)---[OpenBSD+Pf+NAT+VPN]---[openBSD+Squid]---LAN_A

http://bsdsupport.org/ , setting up IPsec over GRE on OpenBSD

I can ping a host from LAN_A to a host on LAN_B

I hope this can help!

-------- Original Message --------
Date: Wed, 13 Aug 2008 16:41:20 -0400
From: Toby Burress <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Using PF to NAT internal addresses over an IPSec link

I have an IPSec connection set up to an external site, over which
I have no control and whose topology I know nothing about (i.e. I
don't know what subnets they use, etc.)  Using ipsecctl, I have one
flow set up, from my external IP A.B.C.D to an internal IP on their
side, 172.25.0.1.

I can ping 172.25.0.1 from the OpenBSD box, so IPSec is working fine.

What I want to do is allow any machine from my internal networks
to reach 172.25.0.1.

What I would like to do is set up NAT, so that packets headed to
the OpenBSD box from anywhere on my network get translated to
A.B.C.D, which is then sent over the VPN connection.  Unfortunately
it looks like PF only applies NAT transforms when packets leave
interfaces, not when they enter them, so packets come into the
OpenBSD box with their private IPs, get routed out the interface
associated with the default route, and only then get rewritten.

Is there a better way to do this?  I would like to be able to change
which hosts on my side can go over the IPSec connection without
having to coordinate with the other company, and without having to
expose internal IP information.

If you reply to the list please cc me as I am not subscribed.

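Added editorial example, not from any post in this thread: a pf.conf sketch for the OpenBSD box that owns the tunnel in Toby's setup. It takes A.B.C.D (the box's external address) and 172.25.0.1 (the far-side host) from the question; the LAN range 192.168.1.0/24, the two permitted hosts and the peer address are constructed. It relies on the enc0 pseudo-interface on which OpenBSD lets pf see IPsec-processed packets, so the translation happens as the packet enters the tunnel rather than on the default-route interface that Toby describes. The ordering of the flow lookup relative to the enc0 NAT is stated as an assumption to verify, not as something the thread settles.

```conf
# /etc/pf.conf fragment (added example). A.B.C.D and 172.25.0.1 come from
# the question; the LAN range, host list and peer address are constructed.

ext_ip = "A.B.C.D"
remote = "172.25.0.1"
table <vpn_hosts> { 192.168.1.10, 192.168.1.20 }   # constructed: LAN hosts allowed through the tunnel

# Translate only the permitted LAN hosts to the tunnel endpoint address as
# the packet crosses enc0 on its way into the tunnel. Hosts not in the
# table stay untranslated and are caught by the block rule below, so the
# list of hosts that may reach the far side is changed here, locally,
# without touching anything the peer sees.
nat on enc0 from <vpn_hosts> to $remote -> $ext_ip

# Last matching rule wins: drop (and log) anything bound for the far side
# that still carries a private source, then pass the translated traffic.
# The inner packet never leaves with an internal address in it.
block out log on enc0 to $remote
pass out on enc0 from $ext_ip to $remote keep state

# Replies come back through enc0 inbound and are matched to the state the
# outbound rule created; nothing from the far side may initiate toward us.
block in log on enc0

# Assumption to verify on the running release: the flow lookup that picks
# the tunnel runs before pf handles the packet on enc0, so the ipsecctl
# flow should cover the untranslated LAN range, e.g. in /etc/ipsec.conf:
#   flow esp from 192.168.1.0/24 to 172.25.0.1 peer PEER.ADDR   # PEER.ADDR is a placeholder
# while the inner packet that is actually encapsulated carries A.B.C.D.
# Check it with "tcpdump -ni enc0" (sources entering the tunnel should be
# A.B.C.D, and blocked private sources show up via "tcpdump -ni pflog0")
# and with "pfctl -ss" (states should exist for the translated addresses).
```

Load with `pfctl -f /etc/pf.conf` and `ipsecctl -f /etc/ipsec.conf`; the `log` on the two block rules is there so that any host that is not in the table, or any unsolicited traffic from the far side, is visible on pflog0 rather than silently dropped.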