Hello, I wish to form an IPsec-based VPN between two networks that have the same subnets within each. I don't control the other network. Here is a diagram:
        192.168.1/24 & 192.168.2/24                                  192.168.1/24 only
        <---My net--->           <------Internet------>      <-------Their net------>
Host1   FW/NAT1                                              FW/NAT2   Host2     Host3&4
        OBSD3.2                                                        OBSD3.4
        ^-------------------------------VPN-----------------------------^

FW/NAT1 is OBSD 3.2 with other IPsec VPNs. Host1 is on my 192.168.2.0 net (2.31). FW/NAT2 is not mine, not OBSD. Host2 is mine and running OBSD 3.4 inside their net (one NIC - 1.201). Host3 (1.12) & Host4 (1.13) are PCs that will need to connect back to my Host1.

I know I can form an IPsec connection between Host2 and FW/NAT1 (going through FW/NAT2) that Host1 and Host3&4 can talk across (I'm doing this on another network that does not have duplicate subnet numbering). The problem I can't think myself through is how to hide/translate the 192.168.1.0 nets from each other...

My initial thought was building the VPN tunnel between FW/NAT1 and Host2 with the VPN endpoints of 192.168.2.0 (my net) and 192.168.12.0 (new subnet inside the VPN for their side). Then on the Host2 side using binat to do the translation between their 192.168.1.0-numbered PCs and my VPN's 192.168.12.0 numbers. Then my net only knows about 12.0 and their net sees no difference. I see the binat on Host2 actually working in pfctl, but nothing gets handed to the VPN after the translation and it's not going out Host2's default route...

I'm also trying to keep Host2 just as a node on their network (one NIC connection) and not having it be anything more (i.e. a router segmenting off some part of their net).

Is this something I can accomplish with pf's help at one end or the other? (binat? route-to..?)

Thanks,
-Bill
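The VPN endpoints Bill describes (192.168.2.0/24 on the FW/NAT1 side, the translated 192.168.12.0/24 on the Host2 side), written out as the Host2 side of an isakmpd.conf of that era. This is an added illustration, not configuration from the post or from the OpenBSD project: the FW/NAT1 outside address 203.0.113.1, the pre-shared key, the transform and suite names and the section names are all assumptions, and the fragment only covers the phase 2 identities; it does not address the binat ordering problem Bill reports.

```conf
# Host2 side (OBSD 3.4, single NIC 192.168.1.201) - added example, not from the post.
# 203.0.113.1 = FW/NAT1's Internet-facing address (assumed).

[Phase 1]
203.0.113.1=            fw1

[Phase 2]
Connections=            host2-fw1

[fw1]
Phase=                  1
Transport=              udp
Local-address=          192.168.1.201
Address=                203.0.113.1
Configuration=          Default-main-mode
Authentication=         changeme-shared-secret        # assumed PSK

[host2-fw1]
Phase=                  2
ISAKMP-peer=            fw1
Configuration=          Default-quick-mode
# Local-ID is the translated net my side sees, not their real 192.168.1.0/24
Local-ID=               their-net-translated
Remote-ID=              my-net

[their-net-translated]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.12.0
Netmask=                255.255.255.0

[my-net]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.2.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE
```

Two things follow from the diagram rather than from this fragment: FW/NAT1's matching phase 2 section has to name 192.168.12.0/24 (never 192.168.1.0/24) as its remote ID, otherwise it collides with its own 192.168.1.0/24; and since Host2 is not Host3/4's default gateway, those PCs need a static route for 192.168.2.0/24 pointing at 192.168.1.201 before any packet reaches the binat at all.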