
Re: NAT *before* routing decision



On 27/10/04 6:58 pm, "Chris Wilson" <[email protected]> wrote:
> 
> Hi all,
> 
> Trying to get my head around mixing NAT and IPSEC on OpenBSD; hoping you
> folks can tell me whether I'm crazy :-)
> 
> I've got IPSEC a la:
> 
> 10.1.1.1/32 10.1.1.1 -------- 10.2.2.2 10.2.2.2/32
> 
> (ie the encryption domain and the vpn endpoints are the same).
> 
> Now I'd like the OpenBSD machine at 10.1.1.1 to be able to give
> users on its local LAN access to 10.2.2.2 through the IPSEC tunnel,
> NAT'ing the source address to 10.1.1.1

Why do you need to NAT the source packet? If you alter 10.1.1.1 to shove any
packet FROM its network TO 10.2.2.2 over IPSec, then as long as the 10.2.2.2
machine knows that any packet from the network behind 10.1.1.1 is to be
routed over the IPSec tunnel, the packets should flow freely. Unless the
network behind 10.1.1.1 has the same IP addresses as the one behind
10.2.2.2, in which case do some kind of binat?
Or perhaps I missed the point. I usually do :)
Oliver.
-- 
Oliver Humpage
ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444
E-mails received are assumed to be for my attention, to do with as I wish.
No responsibility is accepted if communications are sent to me in error.
This disclaimer has as much legal status as yours.
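An added pf.conf sketch for the two approaches discussed above (NAT the LAN to 10.1.1.1, or binat for overlapping ranges); it is not from this thread or either poster. It assumes the pre-4.7 pf syntax current in 2004, that pf sees tunnel-bound packets on enc0 before encapsulation, a constructed LAN subnet, and that the outbound IPsec flow on the 10.1.1.1 box is widened in the IPsec configuration to cover that LAN, since otherwise LAN-sourced packets never get selected for the tunnel.

```conf
# Added illustration for the 10.1.1.1 OpenBSD box (pre-4.7 pf syntax).
# Assumptions: pf sees IPsec-bound traffic on enc0 before it is encapsulated,
# and this box's outbound IPsec flow covers $lan_net -> 10.2.2.2.
lan_net   = "192.168.100.0/24"   # constructed value, not in the thread
local_ep  = "10.1.1.1"
remote_ep = "10.2.2.2"

# Option 1 (the original question): rewrite LAN sources to 10.1.1.1 on enc0.
# The far end keeps its existing 10.1.1.1/32 <-> 10.2.2.2/32 configuration,
# because every packet it decapsulates still comes from 10.1.1.1.
nat on enc0 from $lan_net to $remote_ep -> $local_ep

# Option 2 (the reply's overlap case): when both sites use the same private
# range, map the local LAN 1:1 onto an unused "shadow" range instead, so
# addresses stay unique end to end. Both endpoints then need flows for the
# shadow range rather than for the real LAN.
# shadow_net = "10.99.0.0/24"    # constructed placeholder
# binat on enc0 from $lan_net to any -> $shadow_net

# Stateful pass for the translated traffic; replies are matched by state
# and reverse-translated before reaching the LAN host.
pass out on enc0 from $local_ep to $remote_ep keep state
```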