Hello, I have a problem with IPsec+NAT. Basically, I have successfully established a connection between two machines (192.168.1.4 and 192.168.1.1) in transport mode. That means they can ping each other, and using tcpdump I see that the packets go encapsulated in ESP. Now, I have another interface and I need to NAT all connections from it to 192.168.1.4. This too works: I can ping any machine on the network, but not 192.168.1.1. When I tcpdump it on 1.1, I see that the packets come unencrypted. How do I tell IPsec to also encrypt forwarded packets according to the policy? The policy is managed using isakmpd and I use x509 certificates. Is there a way to say that applying IPsec rules should be done after doing NAT? I cannot use transport mode in this case (it's a road warrior setup and only a few OpenBSD road warriors will be using this NATed setup; most of the clients use different operating systems and transport mode).
Would routing the packets to enc interface help? Thank you for any help, Juraj.