Hi,

I tried to reproduce what you want in my testing environment and
managed to make it work.

What you have to do is:
 - In your ipsec.conf, add a rule from your local network to the
distant 172.25.0.1 (this rule is needed in order to route the traffic
to enc0)
 - Add a nat rule on enc0 in your pf.conf. Something like: nat on
enc0 from !($ext_if) -> ($ext_if:0)
 - Note that if you had set a "skip on enc0", you should remove it and
use something like "pass quick on enc0" for the nat to be applied.

It works for me: local addresses are NATed inside the tunnel and
cannot be seen by the remote servers.

Feel free to ask if you need more details.

Cheers,
William
2008/8/15 Marc-Andre Jutras <[EMAIL PROTECTED]>:
> Hey List!...
>
> Interesting... I was about to send an e-mail to the list regarding this same
> question, aka: best practice on NAT over IPsec... or how to do it correctly
> ?!?!?!?
>
> May I suggest you try something... (that's what I will try anyway
> sometime next week or so...)
>
> Create a loopback interface on one of your BSDs and try to NAT on this 'lo'
> interface... from that NAT, adjust your pf to block all from LAN A to LAN B
> except from NAT... and well, I think it should work!
>
> Any other suggestions to try, or any 'already working here' notes that
> someone can post?
>
> Regards,
> M-A
>
> Jorge Valbuena wrote:
>>
>> I have the following configuration:
>>
>> LAN_B--[openBSD+Pf+Nat+VPN]---(internet)---[OpenBSD+Pf+NAT+VPN]---[openBSD+Squid]---LAN_A
>>
>> http://bsdsupport.org/ , setting up IPsec over GRE on OpenBSD
>>
>> I can ping a host from LAN_A to a host on LAN_B
>>
>> I hope this can help!
>>
>>
>>
>>
>>
>> -------- Original-Nachricht --------
>>
>>>
>>> Datum: Wed, 13 Aug 2008 16:41:20 -0400
>>> Von: Toby Burress <[EMAIL PROTECTED]>
>>> An: misc@openbsd.org
>>> Betreff: Using PF to NAT internal addresses over an IPSec link
>>>
>>
>>
>>>
>>> I have an IPsec connection set up to an external site, over which
>>> I have no control and whose topology I know nothing about (i.e. I
>>> don't know what subnets they use, etc.)  Using ipsecctl, I have one
>>> flow set up, from my external IP A.B.C.D to an internal IP on their
>>> side, 172.25.0.1.
>>>
>>> I can ping 172.25.0.1 from the OpenBSD box, so IPsec is working fine.
>>>
>>> What I want to do is allow any machine from my internal networks
>>> to reach 172.25.0.1.
>>>
>>> What I would like to do is set up NAT, so that packets headed to
>>> the OpenBSD box from anywhere on my network get translated to
>>> A.B.C.D, which is then sent over the VPN connection.  Unfortunately
>>> it looks like PF only applies NAT transforms when packets leave
>>> interfaces, not when they enter them, so packets come into the
>>> OpenBSD box with their private IPs, get routed out the interface
>>> associated with the default route, and only then get rewritten.
>>>
>>> Is there a better way to do this?  I would like to be able to change
>>> which hosts on my side can go over the IPSec connection without
>>> having to coordinate with the other company, and without having to
>>> expose internal IP information.
>>>
>>> If you reply to the list please cc me as I am not subscribed.
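
Written out as an added example (not configuration posted in this thread), the two files William's three steps describe, in the OpenBSD 4.x ipsec.conf / pre-4.7 pf.conf syntax the thread is using. The interface names, the LAN prefix, the public address standing in for A.B.C.D and the peer address are all assumptions; 172.25.0.1 is the remote host from Toby's question.

```conf
# /etc/ipsec.conf  (added example; every address and name below is assumed)
local  = "203.0.113.5"     # our public address, A.B.C.D in the thread
lan    = "192.168.1.0/24"  # internal network that may use the tunnel
peer   = "198.51.100.1"    # remote IPsec gateway
remote = "172.25.0.1"      # the one host on their side we need to reach

# The existing host-to-host flow: the only thing the other side knows about.
flow esp from $local to $remote peer $peer

# Step 1: a flow from the LAN, so packets from internal hosts to 172.25.0.1
# are handed to enc0 instead of following the default route out $ext_if.
flow esp from $lan to $remote peer $peer


# /etc/pf.conf  (pre-4.7 syntax: separate nat rule, translation before filter)
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
peer   = "198.51.100.1"
remote = "172.25.0.1"

# Step 3 (first half): no 'set skip on enc0'. A skipped interface gets no
# translation at all, so the nat rule below would never fire.
set skip on lo0

# Step 2: rewrite the internal source to the public address before the packet
# is encrypted. ':0' takes only the interface's primary address, so an alias
# on $ext_if is never picked up by mistake.
nat on enc0 from $lan to $remote -> ($ext_if:0)

block all

# Step 3 (second half): filter on enc0 instead of skipping it, so traffic
# entering the tunnel passes through pf and the nat rule above is applied.
pass quick on enc0

# IKE (udp 500; 4500 only if NAT-T is in use) and ESP to and from the peer.
pass on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 }
pass on $ext_if proto udp from ($ext_if) to $peer port { 500, 4500 }
pass on $ext_if proto esp from $peer to ($ext_if)
pass on $ext_if proto esp from ($ext_if) to $peer

# Only the LAN may originate traffic toward 172.25.0.1. Replies come back via
# the floating state this rule creates, so no matching 'pass out' is needed.
pass in on $int_if from $lan to $remote
```

Before loading, check both files for syntax with `ipsecctl -n -f /etc/ipsec.conf` and `pfctl -n -f /etc/pf.conf`; after loading, `ipsecctl -s flow` should list both flows and `pfctl -s state` should show the enc0 entries translated to the public address. The quickest confirmation that internal addresses are not leaking is `tcpdump -n -i enc0` while a LAN host pings 172.25.0.1: the source on the cleartext side of enc0 must already be the public address, not the 192.168.1.x host.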