Hello, I am trying to set up an IPsec connection. Here is the ipsec.conf:

    ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \
        main auth hmac-sha1 enc aes-256 \
        quick auth hmac-sha1 enc aes-256 group modp1024 psk "xxxxxxxx"

Tunnels go up well:

    flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type use
    flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require
    esp tunnel from 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1 enc aes
    esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1 enc aes

As my LAN is addressed using 10.31.0.0/16, I need to NAT to 10.63.61.xxx before the tunnel. So I put this in my pf.conf:

    nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2

The problem is that packets going from 10.31.30.1 to 193.164.151.1 don't go through the tunnel, they are going to the internet. Here is the pflog:

    Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 > 193.164.151.1: icmp: echo request
    Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 > 193.164.151.1: icmp: echo request

-> Packets are going out through em0 (my inet interface) instead of enc0.

As the pf doc says translation occurs before filtering, I don't understand why pf can see my real address (10.31.30.1). And most importantly: why do outgoing packets, with "good" addresses, not go through the tunnel? Have I misconfigured something?

Thank you for your help
--
Regards,
Pierre BARDOU
CSIM - Bureau 012
Midi Pyrénées Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
Tel : 05 67 31 90 84
Fax : 05 34 61 51 00
Mail : [EMAIL PROTECTED]
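As an added example (not part of the original post), a small Python check that runs over pflog text lines such as the two quoted above and flags packets bound for the tunnel's remote network that left on an interface other than enc0, telling apart a source already translated into the flow's local network from one that was not. The flow networks and interface names are taken from the post; the TCP line and the enc0 line in the sample are constructed.

```python
import ipaddress
import re

# Sample pflog lines: the two from the post plus two constructed ones
# (a TCP line carrying ports, and a packet correctly leaving via enc0).
SAMPLE_LINES = [
    "Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 > 193.164.151.1: icmp: echo request",
    "Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 > 193.164.151.1: icmp: echo request",
    "Nov 06 15:17:02.100000 rule 1/(match) block out on em0: 10.31.30.1.51234 > 193.164.151.1.22: S 1:1(0) win 16384",
    "Nov 06 15:17:05.200000 rule 540/(match) pass out on enc0: 10.63.61.2 > 193.164.151.1: icmp: echo request",
]
# The flow from the post's ipsec.conf as (local net, remote net); anything for the
# remote net that leaves on an interface other than enc0 went out in the clear.
FLOWS = [(ipaddress.ip_network("10.63.61.0/26"), ipaddress.ip_network("193.164.151.0/28"))]
TUNNEL_IFACE = "enc0"
# tcpdump-style pflog text; TCP/UDP lines append ".port" to each address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>\S+) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$"
)

def parse_pflog_line(line):
    """Return the fields of one pflog text line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify_leak(rec, flows=FLOWS, tunnel_iface=TUNNEL_IFACE):
    """Explain why an outbound record bypassed the tunnel, or None if it did not."""
    if rec["dir"] != "out" or rec["ifname"] == tunnel_iface:
        return None
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    for local_net, remote_net in flows:
        if dst not in remote_net:
            continue
        if src in local_net:
            return "matches IPsec flow but left cleartext interface " + rec["ifname"]
        return "destination is behind the tunnel but source %s is outside %s" % (src, local_net)
    return None

def find_leaks(lines, flows=FLOWS, tunnel_iface=TUNNEL_IFACE):
    """Run the check over pflog lines; return leaking records tagged with a reason."""
    leaks = []
    for line in lines:
        rec = parse_pflog_line(line)
        reason = classify_leak(rec, flows, tunnel_iface) if rec else None
        if reason:
            leaks.append(dict(rec, reason=reason))
    return leaks
```

Feed it the output of `tcpdump -n -e -ttt -i pflog0` (or a saved pflog file read back with tcpdump) to catch this class of misrouting on a live box; the inbound line on bge0 is never reported, only outbound packets for the remote network that missed enc0.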