Hello Danial, Sunday, December 14, 2008, 6:06:12 PM, you wrote:
D> The remote tunnel endpoint expects traffic originating from
D> a specific ip address - the internal ip of the firewall.
>> I have a tunnel successfully set up between my OpenBSD 3.8
>> and a Cisco 7200 router.
>> ...
>> There are ACLs on the $remote_gw which only allow traffic
>> NATed with my $int_if ip. Hence this nat in pf.conf:
>> nat on enc0 inet from $int_net to $remote_host -> $int_if
>> ...
>> What I CAN do is ping the $remote_host through the tunnel
>> from the $int_if with the following command:
>> # ping -I $int_if $remote_host
>>
>> This works and replies are received!
>>
>>
>> But if I try pinging from the $internal_host:
>> c:\> ping $remote_host
>>
>> This doesn't work. The packets are not sent through the
>> tunnel but to the internet.

I have a working tunnel like yours. Maybe there is a way to do it "right", but I haven't found one. But here is a workaround: your tunnel is probably host-to-host. Don't change it, but add an additional network-to-host one. That "dummy" tunnel won't actually transfer anything, but it will route packets from your internal network to enc0; then your nat rule will change them and everything should work.

-- 
Best regards,
Boris                          mailto:bo...@twopoint.com
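The following is an added illustration of the workaround Boris describes, not configuration from either poster. It keeps the nat rule quoted from Danial's pf.conf and adds a second, network-to-host IPsec flow beside the existing host-to-host one, so LAN packets destined for $remote_host are steered into enc0, NATed to the firewall's internal address there, and then carried by the original tunnel. All addresses, the interface name fxp1 and the macro fw_int are invented for the example; the flow lines use ipsec.conf(5) syntax, which is an assumption, since the thread never shows how the existing tunnel (possibly via isakmpd.conf) was set up.

```conf
# --- /etc/pf.conf (pre-4.7 "nat on" syntax, as in the quoted rule) ---
int_if      = "fxp1"              # assumed: the firewall's internal interface
int_net     = "192.168.1.0/24"    # assumed internal network
remote_gw   = "203.0.113.1"       # assumed: the Cisco 7200 tunnel endpoint
remote_host = "198.51.100.10"     # assumed: host behind the Cisco

# Rewrite the source of internal traffic entering the tunnel to the
# firewall's internal address, the only source the remote ACL permits.
nat on enc0 inet from $int_net to $remote_host -> $int_if

# --- /etc/ipsec.conf (assumed syntax; adjust to however the first flow
#     was actually installed) ---
fw_int      = "192.168.1.1"       # assumed address of $int_if
int_net     = "192.168.1.0/24"
remote_gw   = "203.0.113.1"
remote_host = "198.51.100.10"

# Existing host-to-host flow: the tunnel the remote side already accepts.
flow esp from $fw_int to $remote_host peer $remote_gw

# Added network-to-host "dummy" flow: it carries nothing itself, but makes
# the kernel hand LAN packets for $remote_host to enc0, where the nat rule
# above rewrites their source to $fw_int so they fit the existing tunnel.
flow esp from $int_net to $remote_host peer $remote_gw
```

Load both with `pfctl -f /etc/pf.conf` and `ipsecctl -f /etc/ipsec.conf`, then confirm the second flow is present with `ipsecctl -s all` and the translation rule with `pfctl -s nat` before repeating the ping from the internal host.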