
RE: NAT *before* routing decision



Concurring with Sir Oliver, I'd like to add the following comments/hints:
 - I'm assuming that 10.1.1.1 and 10.2.2.2 are internal interfaces of
   the OpenBSD firewalls, and that their external interface addresses are
   not shown
 - Also assuming you'd like all machines on 10.1.1.* to access all
   machines on 10.2.2.* (subject to firewall filtering on interface "enc0")
 - You might need to put "ifconfig enc0 up" in rc.local (to survive
   reboots)
 - No NAT is needed, just a routing statement (again, in rc.local) of
   the form:
     + (on 10.1.1.1) no nat on $ext_if from 10.1.1.0/24 to 10.2.2.0/24
     + (on 10.1.1.1) route add -net 10.2.2.0/24 EXT_IF_ADDR_OF_10.2_BOX
     + (reverse/commensurate on 10.2.2.2)
And traffic between the two private nets will flow through the VPN
tunnel.
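As an added illustration (not part of either poster's message) of how those hints fit together on the 10.1.1.1 box, here is a pf.conf fragment; the interface names and the catch-all NAT rule are assumptions, and the exclusion is placed first because pf applies the first matching translation rule:

```pf
# pf.conf fragment for the 10.1.1.1 firewall (added example; interface
# names and the general outbound NAT rule are assumptions, not from the thread)
ext_if     = "fxp0"          # external interface, address not shown in the thread
int_if     = "fxp1"          # interface carrying 10.1.1.1
local_net  = "10.1.1.0/24"
remote_net = "10.2.2.0/24"

# Translation rules: pf uses the FIRST matching nat/rdr/binat rule, so the
# exclusion for tunnel-bound traffic must precede the catch-all NAT rule.
# With the order reversed, LAN packets to 10.2.2.0/24 would be rewritten to
# the external address, no longer match the IPsec flow, and never reach enc0.
no nat on $ext_if from $local_net to $remote_net
nat on $ext_if from $local_net to any -> ($ext_if)

# Filtering: decrypted tunnel traffic appears on enc0, which is where the
# policy between the two private networks is enforced (tighten as needed).
pass in  on $int_if from $local_net to $remote_net
pass out on enc0    from $local_net to $remote_net
pass in  on enc0    from $remote_net to $local_net

# Companion lines for /etc/rc.local, as suggested above (peer address is the
# placeholder used in the message, to be replaced with the real value):
#   ifconfig enc0 up
#   route add -net 10.2.2.0/24 EXT_IF_ADDR_OF_10.2_BOX
```

Rules admitting ESP and isakmpd traffic on $ext_if from the peer are outside this fragment; the mirror-image rules go on the 10.2.2.2 box.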
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf
Of Oliver Humpage
Sent: Wednesday, October 27, 2004 5:08 PM
To: [email protected]
Subject: Re: NAT *before* routing decision
On 27/10/04 6:58 pm, "Chris Wilson" <[email protected]> wrote:
> 
> Hi all,
> 
> Trying to get my head around mixing NAT and IPSEC on OpenBSD; hoping you
> folks can tell me whether I'm crazy :-)
> 
> I've got IPSEC ala:
> 
> 10.1.1.1/32 10.1.1.1 -------- 10.2.2.2 10.2.2.2/32
> 
> (ie the encryption domain and the vpn endpoints are the same).
> 
> Now I'd like the OpenBSD machine at 10.1.1.1 to be able to give
> users on its local LAN access to 10.2.2.2 through the IPSEC tunnel,
> NAT'ing the source address to 10.1.1.1
Why do you need to NAT the source packet? If you alter 10.1.1.1 to shove any
packet FROM its network TO 10.2.2.2 over IPSec, then as long as the 10.2.2.2
machine knows that any packet from the network behind 10.1.1.1 is to be
routed over the IPSec tunnel, the packets should flow freely. Unless the
network behind 10.1.1.1 has the same IP addresses as the one behind
10.2.2.2, in which case do some kind of binat?

Or perhaps I missed the point. I usually do :)

Oliver.
-- 
Oliver Humpage
ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444
E-mails received are assumed to be for my attention, to do with as I
wish.
No responsibility is accepted if communications are sent to me in error.
This disclaimer has as much legal status as yours.