
NAT *before* routing decision

Hi all,
Trying to get my head around mixing NAT and IPSEC on OpenBSD; hoping you
folks can tell me whether I'm crazy :-)
I've got IPSEC ala: --------
(ie the encryption domain and the vpn endpoints are the same).
Now I'd like the OpenBSD machine at to be able to give
users on its local LAN access to through the IPSEC tunnel,
NAT'ing the source address to
The problem is that because nat is performed after the routing decision
is made, packets are sent out of sk0 rather than enc0. The IPSEC
implementation is presumably deciding that a packet from Local-LAN to
doesn't match the IPSEC SA and is therefore routing the packet
normally, not via the tunnel. Only once the nat rule has been applied (on
a non-encrypted interface) does the packet match the IPSEC SA.
Is what I'm trying to do possible? If the VPN endpoint and encryption
domain weren't the same at then perhaps it might be possible to
force a route to enc0, however since is the VPN endpoint and
we've got to be able to route ESP packets...
Is there any way to force pf to do source-address-NAT as a packet enters
the system rather than as it leaves? 
The obvious alternative solution is to make the encryption domain at
something different, and then do the NAT on another system before we hit
the OpenBSD machine; but that's not really ideal.
Chris Wilson <[email protected]>