Johan Borch <johan.borch <at> gmail.com> writes:
>
> Hi all,
>
> I have a problem with NAT on an IPsec tunnel.
>
> My setup is as follows:
>
> obsd 4.3 which has two IPsec tunnels, one of the tunnels has a
> gif interface on top of it to simplify routing, the other one doesn't.
>
> External:
> em0, addr. 1.1.1.1
>
> 2.2.2.0/24 vlan106-\__fxp0-- internal
> 3.3.3.0/24 vlan107-/
>
> tunnel1 2.2.2.0/24 - 4.4.4.0/24 is working great and routing via gif0.
> tunnel2 3.3.3.0/24 - customer site 6.6.6.0/24, endpoint external addr
> 9.9.9.1, gif tunnel not possible.
>
> ipsec for tunnel2:
> ike dynamic esp from 3.3.3.0/24 to 6.6.6.0/24 local 1.1.1.1 peer
> 9.9.9.1..........
>
> The tunnels get initiated OK but I can't get anything routed to the
> customer network 6.6.6.0/24; the other side of the tunnel only accepts
> traffic coming from 3.3.3.0/24. If I do "ping -I 3.3.3.1 6.6.6.4",
> traffic passes the tunnel to the customer net and I get a reply, so I
> probably need some kind of NAT rule for other hosts on my networks to
> be able to use the tunnel. I have tried to do NAT on vlan107 but it's
> not working.
>
> nat pass log on vlan107 from 4.4.4.0/24 to 6.6.6.0/24 -> 3.3.3.1
>
> My problem is that I want to have traffic that comes from tunnel1
> (4.4.4.0/24) (via gif0) to be able to go out via tunnel2 with 3.3.3.1 as
> src addr, is this possible? If I do a ping against 6.6.6.4 from a host on
> the 4.4.4.0/24 network I see traffic coming in on gif0 but it stops there,
> where should I put the NAT rule?
>
> Regards Johan
>
No takers for this? :(

I've come a little further (I think so anyway). Right now I have created a
loopback interface with the address 3.3.3.1 and added a static route saying
"6.6.6.0/24 -> 3.3.3.1", and with that action I can ping stuff on the other
side of the tunnel, but only from the IPsec server itself, not from other
networks. So my problem is still where to put the NAT rule.

If I put the NAT rule on lo1 and do a dump when pinging from the client
network I get the following:

08:27:25.496087 a.b.c.d-client > 6.6.6.4: icmp: echo request
08:27:25.496194 3.3.3.1 > 3.3.3.1: icmp: redirect 6.6.6.4 to host 3.3.3.1

And I don't quite understand why this happens.

If I do a ping from the IPsec server to the other side of the tunnel I get a
reply but I can't find (using tcpdump) the traffic on any interface. Is IPsec
doing some magic with this traffic? Doesn't IPsec follow normal route entries?

Desperate hopes for a reply, regards Johan