It is not a demand of PF... It's about IPSec behavior. IPSec tunnels can be established between exactly 2 IPs, or exactly 2 IP networks. You can't have an IP net on one side of the tunnel and the rest of the Internet on the other side, which is the case you wrote about. Solutions:
1. Build IP-IP IPSec and then build a GRE tunnel on those 2 IPs. You can route anything over the GRE tunnel. Beware of encapsulation overhead, because it is a tunnel in a tunnel.
2. Use OpenVPN instead of IPSec. It is far less painful.
I.

On Thu, 2011-04-07 at 16:51 -0700, Andrew Klettke wrote:
> We have a working IPSec VPN between two 4.8 endpoints. One of them is at
> a remote location, and the other at the main office. The remote location
> has its own external, routable IP (to establish the VPN), and an
> internal subnet behind it. The main office has its own external IP,
> though which it is NATing its own internal subnet.
>
> Basically, I want to force all internet traffic from the remote,
> internal subnet through the main office's internal gateway so it can NAT
> out from there.
>
> I've been attempting to accomplish this with "route-to" and "reply-to"
> rules on the remote box, but have had no luck. I know IPSec keeps its
> own routing table, is this interfering? Is this possible to do with PF?
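As an added illustration of option 1 above (not part of the original thread, and not Andrew's configuration), the following sketches the two-layer setup on OpenBSD 4.8: a transport-mode IPSec SA between the two public IPs that protects only GRE, a gre(4) tunnel carried inside it, and a pf route-to rule on the remote box that pushes the internal subnet's traffic into the tunnel so the main office can NAT it out. All addresses (203.0.113.1, 198.51.100.1, 10.255.0.0/30, 192.168.10.0/24, 10.0.0.0/24), the PSK placeholder and the MTU value are constructed assumptions; the file names and keywords are the standard OpenBSD ones (ipsec.conf, hostname.gre0, pf.conf, sysctl.conf, rc.conf.local).

```conf
########## Remote box, public IP 203.0.113.1, LAN 192.168.10.0/24 ##########

# /etc/rc.conf.local: start isakmpd in keynote-free mode and load ipsec.conf
isakmpd_flags="-K"
ipsec=YES

# /etc/sysctl.conf: gre(4) is disabled by default and must be switched on
net.inet.gre.allow=1

# /etc/ipsec.conf: ESP in transport mode between the two public IPs,
# restricted to protocol gre, so only the tunnel packets are encrypted.
# The PSK is a placeholder; use a long random secret in practice.
ike esp transport proto gre from 203.0.113.1 to 198.51.100.1 \
    psk "REPLACE_WITH_SHARED_SECRET"

# /etc/hostname.gre0: inner point-to-point addresses (10.255.0.0/30),
# outer endpoints are the public IPs. MTU lowered for GRE + ESP overhead;
# 1400 is an assumed value, tune it for the real path.
10.255.0.1 10.255.0.2 netmask 255.255.255.252
tunnel 203.0.113.1 198.51.100.1
mtu 1400

# /etc/pf.conf (remote): the box keeps its normal default route so the
# outer ESP/IKE packets reach the main office directly; only LAN traffic
# is forced into gre0 with route-to.
ext_if   = "egress"
lan_if   = "em1"
lan_net  = "192.168.10.0/24"
gre_peer = "10.255.0.2"

set skip on lo
block log all

# IKE and ESP between the two public endpoints
pass in on $ext_if proto udp from 198.51.100.1 to 203.0.113.1 port { 500, 4500 }
pass in on $ext_if proto esp from 198.51.100.1 to 203.0.113.1
pass out on $ext_if proto { udp, esp } from 203.0.113.1 to 198.51.100.1

# Decrypted GRE appears on enc0; the tunnel itself on gre0
pass on enc0 proto gre
pass on gre0

# Everything from the LAN goes into the tunnel regardless of the routing table
pass in on $lan_if from $lan_net route-to (gre0 $gre_peer)
pass out on $lan_if to $lan_net

########## Main office, public IP 198.51.100.1, LAN 10.0.0.0/24 ##########

# /etc/rc.conf.local and /etc/sysctl.conf: same as the remote box

# /etc/ipsec.conf (mirror image)
ike esp transport proto gre from 198.51.100.1 to 203.0.113.1 \
    psk "REPLACE_WITH_SHARED_SECRET"

# /etc/hostname.gre0
10.255.0.2 10.255.0.1 netmask 255.255.255.252
tunnel 198.51.100.1 203.0.113.1
mtu 1400
# Return traffic for the remote LAN must be routed back into the tunnel
!route add -net 192.168.10.0/24 10.255.0.1

# /etc/pf.conf (main office): NAT both the local LAN and the remote LAN
ext_if = "egress"
nat_nets = "{ 10.0.0.0/24, 192.168.10.0/24 }"

set skip on lo
block log all

pass in on $ext_if proto udp from 203.0.113.1 to 198.51.100.1 port { 500, 4500 }
pass in on $ext_if proto esp from 203.0.113.1 to 198.51.100.1
pass out on $ext_if proto { udp, esp } from 198.51.100.1 to 203.0.113.1

pass on enc0 proto gre
pass on gre0

# 4.7+ syntax: match/nat-to replaces the old nat rules
match out on $ext_if from $nat_nets nat-to ($ext_if)
pass out on $ext_if
```

The route-to rule on the remote box is what makes the difference from the OP's attempt: the kernel's IPSec flows never see the LAN traffic, because the SA only covers GRE between the two public IPs, so there is no conflict between the IPSec policy and the forwarding decision. The two things worth verifying after bringing it up are that `ipsecctl -sa` shows a single transport-mode ESP flow for protocol gre in each direction, and that a large ping (`ping -s 1400 -D`) from the remote LAN does not silently blackhole, which is the symptom of the double encapsulation overhead the reply warns about.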