NAT *before* routing decision
Trying to get my head around mixing NAT and IPSEC on OpenBSD; hoping you
folks can tell me whether I'm crazy :-)
I've got IPSEC ala:
10.1.1.1/32 10.1.1.1 -------- 10.2.2.2 10.2.2.2/32
(ie the encryption domain and the vpn endpoints are the same).
Now I'd like the OpenBSD machine at 10.1.1.1 to be able to give
users on its local LAN access to 10.2.2.2 through the IPSEC tunnel,
NAT'ing the source address to 10.1.1.1.
The problem is that, because NAT is performed after the routing decision
is made, packets are sent out of sk0 rather than enc0. The IPSEC
implementation is presumably deciding that a packet from Local-LAN to
10.2.2.2 doesn't match the IPSEC SA and is therefore routing the packet
normally, not via the tunnel. Only once the NAT rule has been applied (on
a non-encrypted interface) does the packet match the IPSEC SA.
Is what I'm trying to do possible? If the VPN endpoint and encryption
domain weren't the same at 10.2.2.2 then perhaps it might be possible to
force a route to enc0, however since 10.2.2.2 is the VPN endpoint and
we've got to be able to route ESP packets...
Is there any way to force pf to do source-address-NAT as a packet enters
the system rather than as it leaves?
The obvious alternative solution is to make the encryption domain at 10.1.1.1
something different, and then do the NAT on another system before we hit
the OpenBSD machine; but that's not really ideal.
Chris Wilson <[email protected]>
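As an added illustration (not part of the thread above), this is how ingress source NAT of the kind the post asks about is written in current pf syntax, where a `match in ... nat-to` rule translates the packet as it enters on the LAN interface, before the outbound IPsec flow lookup sees it. It assumes pf with `nat-to` in `match` rules (OpenBSD 4.7 and later), a LAN interface named `em1`, and a LAN subnet of 192.168.1.0/24; the 10.1.1.1 and 10.2.2.2 endpoints are from the post.

```pf
# /etc/pf.conf fragment -- added example, interface and LAN values are assumptions
ext_if = "sk0"               # assumed external interface (sk0 is named in the post)
lan_if = "em1"               # assumed LAN interface
lan    = "192.168.1.0/24"    # assumed LAN subnet
local  = "10.1.1.1"          # local VPN endpoint / encryption domain
remote = "10.2.2.2"          # remote VPN endpoint / encryption domain

set skip on lo

# Translate on INGRESS: the source becomes 10.1.1.1 while the packet is
# still on $lan_if, so by the time ip_output consults the IPsec SPD the
# packet already reads 10.1.1.1 -> 10.2.2.2 and matches the flow.
match in on $lan_if inet from $lan to $remote nat-to $local

# Let the LAN hosts reach only the tunnel peer; everything else is untouched.
pass in  on $lan_if inet from $lan to $remote
pass out on enc0    inet from $local to $remote keep state (if-bound)

# Key exchange and ESP between the endpoints on the outside interface.
pass in  on $ext_if proto udp from $remote to $local port {500, 4500}
pass out on $ext_if proto udp from $local  to $remote port {500, 4500}
pass in  on $ext_if proto esp from $remote to $local
pass out on $ext_if proto esp from $local  to $remote

# Decrypted traffic arriving from the peer.
pass in on enc0 inet from $remote to $local keep state (if-bound)
```

Verify with `pfctl -s state` that a LAN connection to 10.2.2.2 shows the translated 10.1.1.1 source, and with `ipsecctl -sa` that the flow is hit rather than the packet leaving plaintext on the outside interface.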