Bjoern A. Zeeb wrote:
> If you are using tunnel mode and gif you'll have trouble; just use tunnel mode
> without gif and you'll be happy.
Done, it works and I see all packets on enc0 now, thanks.
> It's because (our) pf cannot NAT on incoming but only on outgoing interfaces.
> And you need to NAT on packet entry into the system...
I found a setup that seems to work in my scenario with pf, but I'm not
sure it's 100% correct. Basically I added nat on enc0 and then added a
new policy including my internal lan.
Scenario:
- virtual ip (where nat takes place): 172.22.0.5
- internal lan: 192.168.2.0/24
- other lan: 172.28.0.0/16
In pf.conf I added:
nat on enc0 from 192.168.2.0/24 to any -> 172.22.0.5
In setkey.conf I added:
spdadd 192.168.2.0/24 172.28.0.0/16 any -P out ipsec
esp/tunnel/MYEXTIP-OTHEREXTIP/require;
in addition to the "standard":
spdadd 172.28.0.0/16 172.22.0.5/32 any -P in ipsec
esp/tunnel/OTHEREXTIP-MYEXTIP/require;
spdadd 172.22.0.5/32 172.28.0.0/16 any -P out ipsec
esp/tunnel/MYEXTIP-OTHEREXTIP/require;
Am I looking for trouble, or is it correct?
--
Alex Dupre
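As an added example (not part of this thread, and not FreeBSD's or pf's own code), here is a small Python model of the three spdadd entries above. It parses the setkey statements, performs a simplified first-match SPD lookup in listed order (an assumption of the model, not a statement about how the kernel orders its SPD), and traces a LAN flow before and after the pf NAT on enc0. The host addresses 192.168.2.10 and 172.28.1.1 are constructed sample values. The last helper lists the direction/prefix pairs that no "require" policy covers, which is the check worth doing before trusting such a setup: a flow without a matching policy is not forced through ESP.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The SPD entries from the message (with the typo fixed), as setkey.conf text.
SPD_TEXT = """
spdadd 192.168.2.0/24 172.28.0.0/16 any -P out ipsec
    esp/tunnel/MYEXTIP-OTHEREXTIP/require;
spdadd 172.28.0.0/16 172.22.0.5/32 any -P in ipsec
    esp/tunnel/OTHEREXTIP-MYEXTIP/require;
spdadd 172.22.0.5/32 172.28.0.0/16 any -P out ipsec
    esp/tunnel/MYEXTIP-OTHEREXTIP/require;
"""

NAT_ADDR = ipaddress.ip_address("172.22.0.5")      # "nat on enc0 ... -> 172.22.0.5"
INTERNAL_LAN = ipaddress.ip_network("192.168.2.0/24")
OTHER_LAN = ipaddress.ip_network("172.28.0.0/16")


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str   # "in" or "out"
    action: str      # e.g. "esp/tunnel/MYEXTIP-OTHEREXTIP/require"


def parse_spdadd(text: str) -> List[Policy]:
    """Parse 'spdadd SRC DST PROTO -P DIR ipsec ACTION;' statements.

    Simplified: only the src/dst/direction/action fields are kept; statements
    may span lines, and the terminating ';' separates them.
    """
    policies = []
    for stmt in text.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue
        if tokens[0] != "spdadd" or "-P" not in tokens:
            raise ValueError("unsupported statement: %r" % stmt.strip())
        src, dst = tokens[1], tokens[2]
        direction = tokens[tokens.index("-P") + 1]
        policies.append(Policy(ipaddress.ip_network(src),
                               ipaddress.ip_network(dst),
                               direction, tokens[-1]))
    return policies


def lookup(policies: List[Policy], src: str, dst: str,
           direction: str) -> Optional[Policy]:
    """First policy (in listed order) whose selector covers the flow, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


def trace_lan_flow(policies: List[Policy], lan_host: str,
                   remote_host: str) -> Tuple[Optional[Policy], Optional[Policy]]:
    """SPD match for the LAN flow before NAT (original source) and after
    pf has rewritten the source to the virtual IP on enc0."""
    before = lookup(policies, lan_host, remote_host, "out")
    after = lookup(policies, str(NAT_ADDR), remote_host, "out")
    return before, after


def uncovered_flows(policies: List[Policy]) -> List[Tuple[str, str, str]]:
    """Direction/prefix pairs between the three networks that no policy
    covers. Each entry is (direction, src_prefix, dst_prefix); the probe uses
    the first host address of each prefix."""
    nets = {"internal": INTERNAL_LAN, "virtual": ipaddress.ip_network("172.22.0.5/32"),
            "other": OTHER_LAN}
    missing = []
    for direction in ("out", "in"):
        for sname, snet in nets.items():
            for dname, dnet in nets.items():
                if sname == dname:
                    continue
                if lookup(policies, str(snet[0]), str(dnet[0]), direction) is None:
                    missing.append((direction, str(snet), str(dnet)))
    return missing


if __name__ == "__main__":
    spd = parse_spdadd(SPD_TEXT)
    before, after = trace_lan_flow(spd, "192.168.2.10", "172.28.1.1")
    print("pre-NAT  out:", before)
    print("post-NAT out:", after)
    print("reply    in :", lookup(spd, "172.28.1.1", "172.22.0.5", "in"))
    for entry in uncovered_flows(spd):
        print("no policy for", entry)
```

Run as a script it prints which entry each leg of the flow hits; the parser is deliberately strict so an unsupported statement raises instead of being silently ignored, which is what you want when the output is used to reason about what leaves the box in the clear.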
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net