Hi all, I have a problem with nat on an ipsec-tunnel.
My setup is as follows: obsd 4.3 which has two IPSEC tunnels; one of the tunnels has a gif interface on top of it to simplify routing, the other one doesn't.

External: em0, addr. 1.1.1.1

  2.2.2.0/24  vlan106-\
                       \__fxp0-- internal
  3.3.3.0/24  vlan107-/

tunnel1: 2.2.2.0/24 - 4.4.4.0/24 is working great and routing via gif0.

tunnel2: 3.3.3.0/24 - customer site 6.6.6.0/24, endpoint external addr 9.9.9.1, gif tunnel not possible.

ipsec for tunnel2:

  ike dynamic esp from 3.3.3.0/24 to 6.6.6.0/24 local 1.1.1.1 peer 9.9.9.1..........

The tunnels get initiated ok but I can't get anything routed to the customer network 6.6.6.0/24; the other side of the tunnel only accepts traffic coming from 3.3.3.0/24.

If I do "ping -I 3.3.3.1 6.6.6.4" traffic passes the tunnel to the customer net and I get a reply, so I probably need some kind of NAT rule for other hosts on my networks to be able to use the tunnel.

I have tried to do NAT on vlan107 but it's not working:

  nat pass log on vlan107 from 4.4.4.0/24 to 6.6.6.0/24 -> 3.3.3.1

My problem is that I want to have traffic that comes from tunnel1 (4.4.4.0/24) (via gif0) to be able to go out via tunnel2 with 3.3.3.1 as src addr. Is this possible?

If I do ping against 6.6.6.4 from a host on the 4.4.4.0/24 network I see traffic coming in on gif0 but it stops there. Where should I put the nat rule?

Regards
Johan