
ipsec : client -> pf/nat -> server

I have to make a VPN between our LAN and another peer. The picture is:
<------------ Our LAN ------------->           <--- Other peer ----->
cisco VPN client ------> OpenBSD 3.2-->inet--->Cisco router--->Server
3.6.3 (B)                PF + NAT               VPN GW
It should all be done in ESP tunnel mode.
Someone pointed out http://www.cryptonomicon.org/notes/vpn_nat.html in this 
list, which talks about IPSEC+NAT, but it seems down now.
My questions are:
1. Are there any options in PF (3.2 or 3.3) that make NAT possible (binat?)
2. AFAIK, PF can examine only the IP header, not the ESP payload in this case. So 
it will be easy to spoof, and any bad boy can send any faked ESP packets to 
our LAN. Right?
3. The goal is, for the peer, that only an identified client (they don't trust my 
OpenBSD gateway :-< ) can connect to the server, and for me, that only traffic 
between this client and the server can pass. Any alternatives?
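Added example, not part of the original message: a pf.conf fragment in OpenBSD 3.x syntax showing the one-to-one binat translation the first question asks about, with the pass rules narrowed to IKE (UDP 500) and ESP (IP protocol 50) between the single client and the peer's VPN gateway. The interface names and every address are assumed placeholders. binat is used rather than nat because ESP carries no port numbers a many-to-one translation could multiplex on, so exactly one inside host sits behind one outside address. As the second question says, PF sees only the outer IP header, so these rules can restrict by protocol and addresses only; whether an ESP packet is genuine is decided by the integrity check at the IPsec endpoints, and a forged packet that passes the firewall is dropped there.

```pf
# --- assumed placeholders: replace with your own interfaces and addresses ---
ext_if = "ne1"                 # interface towards the Internet
int_if = "ne2"                 # interface towards our LAN
ext_ip = "203.0.113.5"         # public address the client is translated to
client = "192.168.1.10"        # Cisco VPN client on our LAN
vpn_gw = "198.51.100.20"       # peer's Cisco router (VPN gateway)

# One-to-one translation for the VPN client only. ESP has no ports, so a
# many-to-one "nat" rule could not tell two clients' ESP streams apart;
# binat maps one inside host to one outside address in both directions.
binat on $ext_if from $client to any -> $ext_ip

# Default deny; only the rules below let anything through.
block all

# Client -> peer gateway. On $int_if the packet is still untranslated;
# on $ext_if the source has already been rewritten to $ext_ip, because
# translation happens before filtering.
pass in  on $int_if proto udp from $client to $vpn_gw port 500
pass in  on $int_if proto esp from $client to $vpn_gw
pass out on $ext_if proto udp from $ext_ip to $vpn_gw port 500
pass out on $ext_if proto esp from $ext_ip to $vpn_gw

# Peer gateway -> client. Inbound on $ext_if the destination has already
# been translated back to $client, so the filter rule names $client.
pass in  on $ext_if proto udp from $vpn_gw to $client port 500
pass in  on $ext_if proto esp from $vpn_gw to $client
pass out on $int_if proto udp from $vpn_gw to $client port 500
pass out on $int_if proto esp from $vpn_gw to $client
```

The rules are written stateless and explicitly in both directions so that what is allowed is visible in full: anything that is not IKE or ESP between exactly these two addresses, including ESP from any other source aimed at the LAN, hits `block all`. A second VPN client behind the same gateway would need its own outside address and its own binat line.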