Hello,
I was recently asked to set up a VPN tunnel, where I was told to use a Local-ID other than my internal net, as that was already in use at the peer.

I saw some discussions on the list regarding this, where a solution was given along the lines of "set up isakmpd with the requested net, then use ipsecadm to add your internal net as well, then nat on enc0". That did not work, as that new SA added with ipsecadm is negotiated with the peer as well, who rejects it (of course).

As solving this was non-obvious to me, I'll just share my solution for anyone else having the same problem.

My solution was to add a loopback interface with an ip on the net I was requested to use for the SA, then route the remote network to that loX interface and last add a nat for traffic to that net on loX.

The setup:

My internal net (A.A.A/24)
 |
 |
My gw
 |
 |
{ inet }
 |
 |
Remote gw
 |
 |
Their internal net I wish to access (B.B.B/24)

I am told by the remote guys to set up the VPN with an IPsec-connection configured with a Local-ID that is the network C.C.C/24 to their B.B.B/24 network.

Set up isakmpd as requested; the IPsec-connection part looks like this:

[VPN-conn]
Local-ID= internal-net
Remote-ID= remote-net
...

[internal-net]
ID-type= IPV4_ADDR_SUBNET
Network= C.C.C.0
Netmask= 255.255.255.0

[remote-net]
ID-type= IPV4_ADDR_SUBNET
Network= B.B.B.0
Netmask= 255.255.255.0


Add a loopback interface, with an IP on the net I was asked to use:
$ ifconfig lo1 create
$ ifconfig lo1 inet C.C.C.1 netmask 255.255.255.0 link1

Route traffic to their remote net on that interface:
$ route add -net B.B.B -interface C.C.C.1

In pf.conf add a nat:
nat on lo1 proto {tcp, udp, icmp} from !C.C.C.1 to B.B.B/24 -> C.C.C.1

Start isakmpd, and now it works!
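As an added illustration (not part of the original post), here is a small Python model of why the nat rule on lo1 is needed: the SA negotiated with the peer only covers C.C.C/24 <-> B.B.B/24, so packets still sourced from A.A.A/24 would never match the flow selector. The subnets are constructed placeholders (10.1.1.0/24 for A.A.A, 192.168.50.0/24 for B.B.B, 172.16.7.0/24 for C.C.C) and the function names are the example's own.

```python
import ipaddress as ip

# Constructed placeholder addresses standing in for the post's A.A.A, B.B.B, C.C.C nets
INTERNAL = ip.ip_network("10.1.1.0/24")      # A.A.A/24, the real internal net
REMOTE = ip.ip_network("192.168.50.0/24")    # B.B.B/24, the peer's internal net
LOCAL_ID = ip.ip_network("172.16.7.0/24")    # C.C.C/24, the Local-ID the peer insisted on
NAT_ADDR = ip.ip_address("172.16.7.1")       # C.C.C.1, the address placed on lo1


def sa_selector_matches(src, dst):
    """Flow selector negotiated by isakmpd: Local-ID (C.C.C/24) -> Remote-ID (B.B.B/24)."""
    return ip.ip_address(src) in LOCAL_ID and ip.ip_address(dst) in REMOTE


def nat_on_lo1(src, dst, state):
    """Model of 'nat on lo1 from !C.C.C.1 to B.B.B/24 -> C.C.C.1'.

    Traffic routed to the remote net via lo1 gets its source rewritten to
    C.C.C.1; the original source is remembered so replies can be mapped back.
    """
    if ip.ip_address(src) != NAT_ADDR and ip.ip_address(dst) in REMOTE:
        state[(str(NAT_ADDR), dst)] = src
        return str(NAT_ADDR), dst
    return src, dst


def reverse_nat(src, dst, state):
    """Undo the translation for a reply from B.B.B/24 addressed to C.C.C.1."""
    return src, state.get((dst, src), dst)


def outbound(src, dst, state, use_nat=True):
    """Return (source as seen by IPsec, whether the SA flow accepts the packet)."""
    if use_nat:
        src, dst = nat_on_lo1(src, dst, state)
    return src, sa_selector_matches(src, dst)


if __name__ == "__main__":
    st = {}
    print(outbound("10.1.1.5", "192.168.50.9", st, use_nat=False))  # no NAT: selector rejects
    print(outbound("10.1.1.5", "192.168.50.9", st))                 # with NAT: matches SA
    print(reverse_nat("192.168.50.9", "172.16.7.1", st))            # reply lands on 10.1.1.5
```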
