Stuart Henderson wrote:
> On 2006/06/30 10:51, Stephen Bosch wrote:
>> Thanks. No joy yet. Traceroute traffic is still going out the public
>> interface when I try to ping a host on <RemoteB_private_subnets>...
> If this traceroute is from the vpn gateway itself (rather than
> an endpoint) you'll need to either set the source address to an
> address in the vpn subnet (traceroute -s, ping -I), or add a
> static route pointing over the vpn.

Thanks.
I should note also that this is a redundant configuration using carp.
You can see this is getting pretty ugly.
Assuming
int_IPA: the real private IP of a host on my network
nat_IPA: the IP I am translating int_IPA to before sending it to the
remote endpoint
<remote_IPB>: table of real private IP subnets on the remote network
enc_if: the encryption interface
1. I have added nat_IPA as an alias to the internal carp interface on my
gateway.
2. I have the following pertinent lines in my /etc/pf.conf:
binat on $enc_if from $int_IPA to <remote_IPB> -> $nat_IPA
and later
pass in on $enc_if from <remote_IPB> to $nat_IPA
pass out on $enc_if from $nat_IPA to <remote_IPB>
When I am on the gateway and I do:
ping -I $nat_IPA $remote_host_IPB
I get replies. This is good.
When I ping from the endpoint to $remote_host_IPB, I get nothing.
So either there is something wrong with my filtering and natting, or I
am not routing properly.
Suggestions?
-S
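The two checks a reader of this thread would want on the gateway are (a) which interface the kernel picks for the remote host, which is what the quoted reply about a static route is about, and (b) whether pf actually created a translated state through the binat rule when the endpoint pings. The script below is an added example, not code from the thread or from OpenBSD; it parses the output of `route -n get` and `pfctl -s state`. The addresses (192.168.1.10 as int_IPA, 10.9.9.9 as nat_IPA, 10.20.30.40 as the remote host, 192.0.2.x for the public side), the interface names and the exact layout of the command output are all constructed assumptions, so check them against a real gateway before relying on the parsing.

```shell
#!/bin/sh
# Added diagnostic helpers for the binat-over-enc setup discussed in the
# thread. Not from the thread itself; all sample output below is
# constructed, and the field layouts are assumptions about OpenBSD's
# `route -n get` and `pfctl -s state` output.

# route_iface: read `route -n get HOST` output on stdin and print the
# outgoing interface name (assumes a line of the form "interface: em0").
route_iface() {
    awk '$1 == "interface:" { print $2; exit }'
}

# via_vpn: succeed when the route for the remote host points at ENC_IF.
# $1 = captured `route -n get` output, $2 = enc interface (e.g. enc0)
via_vpn() {
    [ "$(printf '%s\n' "$1" | route_iface)" = "$2" ]
}

# translated_states: count pf state entries that mention both nat_IPA and
# the remote host, i.e. states that went through the binat rule.
# $1 = captured `pfctl -s state` output, $2 = nat_IPA, $3 = remote host
translated_states() {
    printf '%s\n' "$1" | awk -v nat="$2" -v rem="$3" \
        'index($0, nat) && index($0, rem) { n++ } END { print n + 0 }'
}

# Constructed sample: the route to the remote host leaves via the public
# interface em0, which is the symptom the original report describes.
SAMPLE_ROUTE_PUBLIC='   route to: 10.20.30.40
destination: default
       mask: default
    gateway: 192.0.2.1
  interface: em0
 if address: 192.0.2.2'

# Constructed sample after adding a static route for the remote subnet
# over enc0 (assumed interface name).
SAMPLE_ROUTE_VPN='   route to: 10.20.30.40
destination: 10.20.30.0
       mask: 255.255.255.0
    gateway: 192.0.2.2
  interface: enc0
 if address: 192.0.2.2'

# Constructed `pfctl -s state` sample (assumed layout): one ICMP state
# where int_IPA 192.168.1.10 was translated to nat_IPA 10.9.9.9 toward the
# remote host, plus an unrelated TCP state that must not be counted.
SAMPLE_STATES='self icmp 10.9.9.9:1234 (192.168.1.10:1234) -> 10.20.30.40:1234       0:0
self tcp 192.168.1.10:4021 -> 203.0.113.5:22       ESTABLISHED:ESTABLISHED'

# On the gateway, feed live output instead of the samples, for example:
#   via_vpn "$(route -n get 10.20.30.40)" enc0 || echo "not routed over enc0"
#   translated_states "$(pfctl -s state)" 10.9.9.9 10.20.30.40
```

If `translated_states` stays at 0 while the endpoint pings, the packet is not reaching the binat rule on enc_if at all (a routing or flow problem, not a filter problem); if a state appears but no reply comes back, look at the return path for nat_IPA on the remote side and at the `pass in on $enc_if` rule instead.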