Stephen Bosch wrote:
Hi, everybody:

Okay -- the good news is that we've got the SA up between these two sites, the bad news is that traffic isn't passing.

The situation is complicated by some NAT that I need through the encryption interface.

We have the following:

HostA_private_IP

HostA_private_NAT_IP

<RemoteB_private_subnets>

In the NAT section of my pf.conf, I have the following command:

binat on $enc_if from $HostA_private_IP to <RemoteB_private_subnets> -> $HostA_private_NAT_IP

In the FILTER section, I have:

pass in on $enc_if from <RemoteB_private_subnets> to \
    $HostA_private_NAT_IP
pass out on $enc_if from $HostA_private_NAT_IP to \
    <RemoteB_private_subnets>

Do I need to add routes to make this work? I thought that setting up SAs in isakmpd did this automatically, but when I traceroute from HostA_private_IP, it looks like the traffic is going out the public interface.

Maybe I do need that alias that Roy was suggesting. Apart from that binat line in pf.conf, that network is not configured on any interface on the device. I wouldn't even be able to build a route, because I have no interface to send it to.

Where should I configure the alias?

-s
