Penned by Andy on 20130704 9:25.40, we have:
| On Thu 04 Jul 2013 15:22:55 BST, Anders Berggren wrote:
| >> I'd rather not have to create extra tunnels or define VPN policies with subnets which have prefixes wider than the internal LANs.
| >> That leaves mangling, but I cannot see how I would do the mangling in PF to make it work without doing a redirect through the loopback etc. Just wondering if anyone knows of a cleaner way?
| >
| > I think widening the flow's source is cleanest (as I mentioned in my first reply). However, I think it's possible to use a gif tunnel for the tunnel encapsulation, and only use IPsec for the endpoint encryption. It would probably work, because unlike IPsec flows, it's not "source routed".
|
| Ah ha!!! Of course!! Thank you :D
|
| Andy.
The other option is to add a local route that seems pointless but actually aids in the scenario. Consider a router with an internal network IP of 192.168.0.1/24. Consider an IPsec tunnel from 192.168.0.0/24 <-> 192.168.1.0/24. Consider adding a route 'route add 192.168.1.0/24 192.168.0.1'. Suddenly the source IP of any daemon on the OpenBSD system becomes 192.168.0.1 when attempting to connect to any system on the 192.168.1.0/24 segment.

This trick only works for IPv4. For IPv6, there is no solution beyond having each software choose its source address carefully.

FWIW.

--
Todd Fries .. t...@fries.net

Free Daemon Consulting, LLC
http://FreeDaemonConsulting.com
PO Box 16169, Oklahoma City, OK 73113-2169
"..in support of free software solutions."
1.636.410.0632 (voice) / 1.405.227.9094 (voice) / 1.866.792.3418 (FAX)
sip:freedae...@ekiga.net / sip:4052279...@ekiga.net
37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt
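As an added illustration of the route trick in Todd's reply (not code from the thread or from OpenBSD), the following is a small, simplified model of source-address selection: the source is the address of the interface the longest-prefix-matching route leaves through, and the packet is only protected by the IPsec flow if that source falls inside the flow's source subnet. The interface names, the external address (203.0.113.10, from the documentation range) and the routing table are constructed assumptions.

```python
import ipaddress

# Constructed router: em0 is the uplink with the default route, em1 is the
# internal LAN, and one IPsec flow links the two LANs. This models the
# behaviour described in the thread, not the OpenBSD kernel's own code.
IFACES = {
    "em0": ipaddress.ip_interface("203.0.113.10/24"),  # external (assumed)
    "em1": ipaddress.ip_interface("192.168.0.1/24"),   # internal LAN
}
FLOW = (ipaddress.ip_network("192.168.0.0/24"),        # local subnet
        ipaddress.ip_network("192.168.1.0/24"))        # remote subnet


def base_routes():
    """Routing table before the trick: connected routes plus a default route.
    Each entry is (destination, gateway or None, outgoing interface)."""
    routes = [(a.network, None, n) for n, a in IFACES.items()]
    routes.append((ipaddress.ip_network("0.0.0.0/0"),
                   ipaddress.ip_address("203.0.113.1"), "em0"))
    return routes


def route_add(routes, dest, gateway):
    """Model 'route add DEST GW': the route leaves via the interface whose
    subnet contains GW. With GW = 192.168.0.1 that is the LAN side, em1."""
    gw = ipaddress.ip_address(gateway)
    ifname = next(n for n, a in IFACES.items() if gw in a.network)
    return routes + [(ipaddress.ip_network(dest), gw, ifname)]


def source_for(routes, dst):
    """Longest-prefix match on dst; the source address is that route's
    interface address (the daemon-without-bind() case from the thread)."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return IFACES[best[2]].ip


def flow_covers(src, dst):
    """True if a src->dst packet matches the IPsec flow and gets encrypted."""
    return (ipaddress.ip_address(src) in FLOW[0]
            and ipaddress.ip_address(dst) in FLOW[1])


if __name__ == "__main__":
    for label, table in (("before", base_routes()),
                         ("after", route_add(base_routes(), "192.168.1.0/24", "192.168.0.1"))):
        src = source_for(table, "192.168.1.5")
        print(f"{label}: source {src}, in flow: {flow_covers(src, '192.168.1.5')}")
```

Before the extra route the router's own traffic to 192.168.1.0/24 leaves with the uplink address and misses the flow; after it, the source becomes 192.168.0.1 and the flow applies.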