Yes, that should be possible. If it does not work, then it's a bug.
On Mon, Sep 24, 2007 at 03:08:29PM +0200, Markus Wernig wrote:
> Hi all
>
> Can tags from ipsec (defined in ipsec.conf) be referenced in pf nat
> rules (OBSD 4.1)?
>
> The idea is:
> ipsec.conf:
> ike esp from A to B tag "mytag"
>
> pf.conf:
> nat on $int_if tagged "mytag" -> ($int_if:1)
> nat on $int_if from !($int_if) -> ($int_if:0)
>
>
> If I use the "tagged" keyword, the second nat rule is used even for
> packets coming out of the ipsec tunnel. Replacing the "tagged" keyword
> with the actual IPs works:
> nat on $int_if from A to B -> ($int_if:1)
>
> Shouldn't this be possible with tags?
>
> thx for any pointer
>
> /markus
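For reference, a fuller version of the two configurations discussed in this thread, written out as an added example (not taken from the original post). The interface name, the networks behind A and B, and the macro names are assumptions; the translation targets are kept exactly as the poster wrote them:

```conf
# /etc/ipsec.conf  (constructed example; addresses are placeholders)
# A and B stand for the networks on either end of the tunnel.  ipsec.conf
# supports macros, so they are defined once and referenced with $.
A = "10.0.1.0/24"
B = "10.0.2.0/24"

# Packets leaving this tunnel are tagged so pf can match on them later.
ike esp from $A to $B tag "mytag"


# /etc/pf.conf  (constructed example)
int_if = "em0"
A = "10.0.1.0/24"
B = "10.0.2.0/24"

# Variant 1: select the translation address by the tag set in ipsec.conf.
# The tag-based rule is listed first because nat rules are first-match:
# if the catch-all rule came first it would always win.
nat on $int_if tagged "mytag" -> ($int_if:1)
nat on $int_if from !($int_if) -> ($int_if:0)

# Variant 2: the workaround the poster reports as working, matching the
# tunnel's addresses instead of the tag.  Same ordering rule applies.
# nat on $int_if from $A to $B -> ($int_if:1)
# nat on $int_if from !($int_if) -> ($int_if:0)
```

Before loading either file, check the syntax without applying it: `ipsecctl -nf /etc/ipsec.conf` and `pfctl -nf /etc/pf.conf`. After loading, `pfctl -sn` prints the nat rules in the order pf evaluates them, and `pfctl -vsn` adds per-rule match counters, which is the quickest way to see whether the tagged rule or the catch-all rule is the one being hit for traffic coming out of the tunnel.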