I've managed to solve a problem that was bothering me for some time now. I decided to post this solution to the list just in case someday somebody is in a similar situation.
How to solve the problem described in this picture:

    193.x.x.x/27                        193.y.y.y/27
         |      192.168.1.0/24               |      192.168.2.0/24
         |             |                     |             |
         |             |                     |             |
       Host A ------------ tunnel ------------ Host D -----Internet
     172.16.16.6                               172.16.15.6
           \                                       /
            +------ Host B ------ Host C ------+
               172.16.16.5       172.16.15.5

In short, I have two distant locations, connected with fiber; only one has access to the internet. The client requested to have on both locations public addressable IP space and private addressable IP space. Host A and Host D are connected by a fiber provider, who connected both locations with a PTP (Host B & Host C are the provider's routers).

The solution I came to (with the help of Dag Richards) is to build a gre tunnel from Host A to Host D. Firstly I managed to access the internet using ipsec. Dag pointed out that I should be doing NAT before ipsec. Explanation:

    packet enters
    routing decision is made   <- packet encrypted if it matches a quickmode route
    egress iface chosen
    NAT applied

So on the same router that can't be done in OBSD. So I left out encryption for this part of the project, because I don't need encryption for traffic going to the internet.

The task now is to build a gre tunnel between Host A & Host D.

Building up the gre tunnel and setting up routes. Enable on both routers:

    sysctl net.inet.gre.allow=1

Host A:

    # cat /etc/hostname.gre0
    193.x.x.x 193.z.z.z netmask 0xffffffff link1 up
    tunnel 172.16.16.6 172.16.15.6
    !route -qn delete default
    !route -qn add -host default 193.z.z.z

Host D:

    # cat /etc/hostname.gre0
    193.z.z.z 193.x.x.x netmask 0xffffffff link1 up
    tunnel 172.16.15.6 172.16.16.6
    !route add 192.168.1.0/24 193.x.x.x
    !route add 193.x.x.x/27 193.x.x.x

I had to add those routes just to tell the router where to send packets that have been natted and to route the other public addressable IP space through the tunnel. Now I have a working tunnel; Host A can access the internet. Let's allow others to access the internet from the private addressable IP space on Host A.
As Dag pointed out, I should be doing NAT for requests coming from 192.168.1.0/24 at the end of the gre tunnel, on Host D. This should look something like this:

    nat on bge0 from 192.168.1.0/24 -> 193.x.x.x

where bge0 stands for my external_if on Host D. Be careful to allow the gre proto in both pf.conf. After that I just had to connect the two LANs together with ipsec:

On Host D:

    ike esp from 192.168.2.0/24 to 192.168.1.0/24 peer 172.16.16.6

On Host A:

    ike esp from 192.168.1.0/24 to 192.168.2.0/24 peer 172.16.15.6

Mitja
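Editor's note: the post says to "allow the gre proto in both pf.conf" but does not show a ruleset. The following is an added example of what a Host D pf.conf could look like for this setup, written in the pre-4.7 `nat on` syntax the post uses; it is not Mitja's config. The interface names bge0 (internet side), bge1 (local LAN) and bge2 (fiber PTP side) are assumptions, as is the use of isakmpd on UDP port 500 for the `ike esp` flows. The addresses, the nat rule and the tunnel endpoints are taken from the post. The point of the ruleset is that gre, IKE and ESP are only passed between the two PTP endpoints, not from anywhere, and that the NATed private space and the remote public /27 are passed explicitly rather than with a blanket pass.

```pf
# Hypothetical /etc/pf.conf for Host D (added example, not from the original post).
# Assumed interfaces: bge0 = internet, bge1 = local LAN, bge2 = fiber PTP to Host A.
ext_if = "bge0"
lan_if = "bge1"
ptp_if = "bge2"
tun_if = "gre0"

self        = "172.16.15.6"       # Host D's PTP address (from the post)
peer        = "172.16.16.6"       # Host A's PTP address (from the post)
nat_addr    = "193.x.x.x"         # address the remote private LAN is NATed to (from the post)
remote_pub  = "193.x.x.x/27"      # public space behind Host A
remote_priv = "192.168.1.0/24"    # private space behind Host A
local_pub   = "193.y.y.y/27"      # public space behind Host D
local_priv  = "192.168.2.0/24"    # private space behind Host D

set skip on lo0

# The nat rule from the post: requests from the far private LAN leave bge0 as 193.x.x.x.
# In this pf version translation happens before filtering on the way out, so the
# "pass out" rules below see the translated source address.
nat on $ext_if from $remote_priv to any -> $nat_addr

# Default deny; everything below is an explicit exception.
block log all

# GRE carrying the tunnel, restricted to the two PTP endpoints on the fiber interface.
pass in  quick on $ptp_if proto gre from $peer to $self
pass out quick on $ptp_if proto gre from $self to $peer

# IKE (isakmpd, UDP 500) and ESP for the LAN-to-LAN ipsec, same two endpoints.
pass in  quick on $ptp_if proto udp from $peer port 500 to $self port 500
pass out quick on $ptp_if proto udp from $self port 500 to $peer port 500
pass in  quick on $ptp_if proto esp from $peer to $self
pass out quick on $ptp_if proto esp from $self to $peer

# Decapsulated ipsec traffic shows up on enc0 (shape of the rules follows vpn(8)).
pass in  on enc0 proto ipencap from $peer to $self keep state (if-bound)
pass in  on enc0 from $remote_priv to $local_priv keep state (if-bound)
pass out on enc0 from $local_priv to $remote_priv keep state (if-bound)

# Traffic arriving through the gre tunnel: only the far side's public /27 and
# its private LAN (the latter is what the nat rule above translates).
pass in  on $tun_if from { $remote_pub, $remote_priv } keep state
pass out on $tun_if to { $remote_pub, $remote_priv } keep state

# Out to the internet: local public space, remote public space, and the NAT address.
pass out on $ext_if from { $local_pub, $remote_pub, $nat_addr } keep state

# Local LAN and local public space towards the router.
pass in  on $lan_if from { $local_priv, $local_pub } keep state
pass out on $lan_if to   { $local_priv, $local_pub } keep state
```

Host A's ruleset is the mirror image on its own PTP interface (swap `$self` and `$peer`, and swap the local/remote networks); it needs no nat rule, since the post puts the translation on Host D. After loading with `pfctl -f /etc/pf.conf`, `pfctl -sr` shows the expanded rules and `pfctl -ss` shows whether gre and esp states are actually being created between 172.16.15.6 and 172.16.16.6.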