On Fri, Nov 10, 2006 at 02:06:42PM -0600, Albert Chin wrote:
>
> Expanding on the config some more:
>
>          (fxp0)|(internal network - 192.168.0.0/24)
>         --------o--------
>         |  VPN CLIENT   |
>         --------o--------
>                 |(fxp1 - 1.2.3.4)
>                 |
>         --------o--------
>         |   INTERNET    |
>         --------o--------
>                 |
>                 |(fxp1 - 1.2.3.5)
>         ------------o------------
>   192.168.10.1|(fxp0)            |(dmz)
>   +--------o    FIREWALL 1     o-----
>   |       |                    |(fxp2)
>   |       -------------------------
>   |
>   |
>   |       -------------------------
>   |       |                       |
>   +--------o    FIREWALL 2        |
>   192.168.10.2|(fxp0)             |
>         ----------------o--------
>                   (fxp1)|(internal network - 192.168.1.0/24)
>
> [ipsec.conf config removed]
>
> Then, from the VPN CLIENT, how would an ssh connection to 192.168.1.1,
> server A on the internal network behind FW2, work? IPsec would encrypt
> the packet between 1.2.3.4 and 1.2.3.5, where it would be unencrypted,
> but on the external, fxp1 interface. How do I get 192.168.0.0/24
> traffic to the fxp0 interface, from fxp1, when fxp1 is on a private
> network between FW1 and FW2?
According to ipsec(4):

    This implementation makes use of a virtual interface, enc0, which can
    be used in packet filters to specify those packets that have been or
    will be processed by IPsec.

So, it would seem that I should NAT the traffic from enc0 on FW1 through
fxp0. But, the following never seems to be invoked on FW1:

    nat pass log on enc0 proto tcp from any to any -> fxp0

Any ideas?

-- 
albert chin ([EMAIL PROTECTED])
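For readers following this thread, below is an added pf.conf fragment for FW1 that is not part of the original mail. It rests on one property of pf's nat rules that explains why a rule on enc0 never fires: nat rules are evaluated on packets as they leave the named interface, and enc0 is where the decrypted packets arrive, not where they go out. The translation therefore belongs on the interface facing FW2. The variable names, the pre-4.7 nat/pass syntax (matching the rule quoted above), and the assumption that FW2 is 192.168.10.2 on the fxp0 link and routes 192.168.1.0/24 are mine; the addresses come from the diagram.

```pf
# Added example for FW1 (assumed OpenBSD 4.x-era pf.conf syntax).
# Not the poster's configuration; interface and address assignments
# are taken from the diagram in the quoted mail.
ext_if  = "fxp1"            # 1.2.3.5, IPsec peer facing the Internet
link_if = "fxp0"            # 192.168.10.1, private link to FW2
link_ip = "192.168.10.1"
vpn_net = "192.168.0.0/24"  # network behind the VPN client
far_net = "192.168.1.0/24"  # network behind FW2 (assumed reachable via 192.168.10.2)

# nat applies to packets LEAVING $link_if, so anchor the rule there rather
# than on enc0. Decrypted packets from the client's LAN leave fxp0 with
# source 192.168.10.1, which FW2 can answer without a route for 192.168.0.0/24.
nat on $link_if from $vpn_net to $far_net -> $link_ip

# Admit the decrypted tunnel traffic on enc0 and let it out towards FW2;
# pf's state table reverses the translation for the replies.
pass in  log on enc0     from $vpn_net to $far_net keep state
pass out     on $link_if from $link_ip to $far_net keep state
```

Two things outside pf.conf also have to hold on FW1 for this to work: the kernel needs a route for 192.168.1.0/24 via 192.168.10.2 so forwarded packets are sent out fxp0 at all, and the IPsec flow (in the ipsec.conf that was removed from the quote) must cover 192.168.0.0/24 to 192.168.1.0/24, otherwise replies headed back to the client's LAN never enter the tunnel. `pfctl -s nat` and `pfctl -s state` show whether the translation rule loaded and whether it is creating states.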