Hi,

Is it possible to have VPN tunnels which reach the same private networks?

Basically I want to reach all the networks without having to renumber everything:

    ike esp from 10.200.0.0/16 to 192.168.1.0/16 peer 1.2.3.4 tag IPSEC-ONE
    ike esp from 10.200.0.0/16 to 192.168.1.0/16 peer 5.6.7.8 tag IPSEC-TWO

    rdr on bge0 from any to 10.0.1.0/24 tag NET-ONE -> 192.168.1.0/24 bitmask
    rdr on bge0 from any to 10.0.2.0/24 tag NET-TWO -> 192.168.1.0/24 bitmask

    nat on IPSEC-ONE from any to any
    nat on IPSEC-TWO from any to any

    pass in on bge0 route-to IPSEC-ONE tagged NET-ONE
    pass in on bge0 route-to IPSEC-TWO tagged NET-TWO

I do this with vpnc & tunnel devices now. I was hoping there is some "hidden" tunnel device with the ipsec? I guess it's hard to do the nat rules, because the devices might not exist when pf.conf is loaded... Thinking on this, I don't think I can do anything but use gif tunnels?

We want to reach about 300 networks. In my current test config I have 30 scripts running. First line in the script is a tcpdump which waits for a packet for the destination network, then vpnc is started! It's a very exotic VPN gateway :] It does work!! And using labels I can even check if traffic is flowing through the tunnel and disable vpnc after a couple of minutes' idle time.

I am hoping people on this list have better ideas on how to do this!!!

Thanks,
Frans
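As an added example, not part of Frans's post: a small Python simulation of the rdr-with-bitmask translation and tag-based steering the rules above describe, assuming the two /24 mappings from the post. It shows that two different local destinations collapse to the same remote address, which is why the tag, not the translated address, is what has to pick the tunnel.

```python
# Added example (not from the post): simulate how the posted pf rules would
# steer a packet arriving on bge0: match the destination against each
# "rdr ... bitmask" rule, translate it into the overlapping remote network,
# and pick the tunnel that the matching rule's tag routes to.
import ipaddress

# Constructed to mirror the post's rules: (match net, translate-to net, tag)
RDR_RULES = [
    ("10.0.1.0/24", "192.168.1.0/24", "NET-ONE"),
    ("10.0.2.0/24", "192.168.1.0/24", "NET-TWO"),
]
# tag set by the rdr rule -> tunnel the "pass in ... route-to" rule selects
ROUTE_TO = {"NET-ONE": "IPSEC-ONE", "NET-TWO": "IPSEC-TWO"}


def bitmask_translate(addr, net_from, net_to):
    """pf 'bitmask' semantics: keep the host bits of addr (as defined by the
    translation network's mask) and replace the network bits."""
    a = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(net_from)
    dst = ipaddress.ip_network(net_to)
    if a not in src:
        raise ValueError(f"{addr} is outside {net_from}")
    host_bits = int(a) & ~int(dst.netmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def steer(dst_ip):
    """Return (translated destination, tag, tunnel) for a packet to dst_ip,
    or None when no rdr rule matches (the packet is not tunnelled)."""
    for net_from, net_to, tag in RDR_RULES:
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(net_from):
            return bitmask_translate(dst_ip, net_from, net_to), tag, ROUTE_TO[tag]
    return None


if __name__ == "__main__":
    for ip in ("10.0.1.7", "10.0.2.7", "10.0.3.7"):
        print(ip, "->", steer(ip))
```

Both 10.0.1.7 and 10.0.2.7 translate to 192.168.1.7; only the tag carried from the rdr rule tells the two tunnels apart.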