On Fri, Aug 15, 2008 at 05:09:08PM +0900, william dunand wrote:
> Of course, as it is a testing environment it is a lot easier to make
> it work for me...
> On the remote side, I configured something like this (I suppose they
> have something of this kind on the other side):
> ike passive esp from 172.25.0.1 to A.B.C.D
>
> And on the local server side, all I have is:
> ike esp from any to 172.25.0.1 peer W.X.Y.Z
Ah, okay. It doesn't look like I have the luxury of simply saying 'from any to IP', since the remote end refuses to set up the SAs in that case. I will try to get the other end to allow something like that, since it seems like a MUCH better solution than the Rube Goldberg stuff I'm playing with now, but half the reason I'm stuck is the other guy doesn't return emails...

> Never tried to use the "flow" directives as you did. I suppose that if,
> as you said, you have correct encap routes, packets headed to
> 172.25.0.1 should definitely go through enc0, then if you set nat on
> enc0, it should work as it does for me.
> Could you paste and show us the output of netstat -rnf encap and also,
> if possible, your pf.conf?

Encap:
Source           Port  Destination      Port  Proto  SA(Address/Proto/Type/Direction)
172.25.0.1/32    0     A.B.C.D/32       0     0      W.X.Y.Z/esp/use/in
A.B.C.D/32       0     172.25.0.1/32    0     0      W.X.Y.Z/esp/require/out
172.25.0.1/32    0     default          0     0      W.X.Y.Z/esp/use/in
default          0     172.25.0.1/32    0     0      W.X.Y.Z/esp/use/out

The pf.conf is pretty complicated, but the relevant rules that get hit are:

ext_if="bge1"
int_if="bge0"
vpn_if="enc0"

set ruleset-optimization none
set state-policy if-bound
set skip on { lo }

scrub all fragment reassemble reassemble tcp

nat on $vpn_if from 192.168.0.0/16 to any -> A.B.C.D
nat on $ext_if from 192.168.0.0/16 to any -> E.F.G.H

block drop
pass quick on $vpn_if
pass quick on $int_if

And then there are others that eventually let us out of $ext_if as well.
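For readers following the thread, here is an /etc/ipsec.conf that would install the four encap routes shown in the netstat output above. This is an added example, not a file posted in the thread: the addresses A.B.C.D, W.X.Y.Z and 172.25.0.1 are the thread's placeholders, the macro names are mine, the "ike" line is an assumption about what the host-to-host policy on this side looks like (the remote's "ike passive" line quoted above is itself the other poster's guess), and the "flow ... type use" line is the reconstruction of the "default" entries.

```conf
# /etc/ipsec.conf (added example, not the poster's file)
# A.B.C.D    = address the remote accepts as our source (and pf's nat target on enc0)
# W.X.Y.Z    = remote IPsec gateway
# 172.25.0.1 = remote host behind that gateway
remote_gw="W.X.Y.Z"
remote_host="172.25.0.1"
local_nat="A.B.C.D"

# Host-to-host phase 2, the counterpart of the remote's (assumed)
#   ike passive esp from 172.25.0.1 to A.B.C.D
# The flow isakmpd installs for it is what shows up as
#   A.B.C.D/32    -> 172.25.0.1/32   W.X.Y.Z/esp/require/out
#   172.25.0.1/32 -> A.B.C.D/32      W.X.Y.Z/esp/use/in
ike esp from $local_nat to $remote_host peer $remote_gw

# Catch-all flow: packets from any source (here the 192.168/16 LAN)
# headed to 172.25.0.1 get an encap route and therefore leave via enc0,
# where pf's
#   nat on enc0 from 192.168.0.0/16 to any -> A.B.C.D
# rewrites the source to the address the remote's policy accepts before
# the packet is encapsulated.  This is what shows up as
#   default       -> 172.25.0.1/32   W.X.Y.Z/esp/use/out
#   172.25.0.1/32 -> default         W.X.Y.Z/esp/use/in
# Caveat: "type use" means a packet matching this flow is sent in the
# clear when no SA is up.  That is convenient while debugging but leaks
# LAN traffic if the tunnel drops; switch to the default "require" (or
# add a pf rule that blocks 172.25.0.1 on $ext_if) once it works.
flow esp from any to $remote_host peer $remote_gw type use
```

Parse it without loading with `ipsecctl -n -f /etc/ipsec.conf`, load it with `ipsecctl -f /etc/ipsec.conf`, and compare `ipsecctl -s flow` and `netstat -rnf encap` against the output above. `tcpdump -n -i enc0` is the quickest way to confirm that the LAN packets really do traverse enc0 and that the nat rule has rewritten their source to A.B.C.D before they are encapsulated.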