
Re: setting up vpn tunnel with nat - twisted

brianBOFH wrote:


I have two networks physically separated.  I need to
get connectivity from one to the other and vice versa _without_
renumbering hosts.

That being said - I have an openbsd 3.6 machine with one public and
one private interface on each end.

I know I can set up the tunnel between the two. But because I can't
bridge and route between the same network, my question is setting up
NAT between them. Obviously the SRC and DST need to be rewritten on
either side which means your typical NAT setup will not work. Can
this be achieved with pf? If anyone can point me in the right
direction I would appreciate it.

This is possible, but very tricky. You can create a transport-mode IPSec flow between the
public IP of your 2 gateways, and then do "nat on enc0" and maybe "rdr on enc0".
There is a chicken-and-egg problem between the routing table lookup and the IPsec lookup.
Read (man ipsec) about "NAT and *enc#* interfaces".
You will have to set up a dummy flow from to convince the kernel
to ipsec-process your packet.
Plan a good week of trial-and-error to make that work.
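
One way to lay out the pf side of what the reply describes, as an added example that is not from the original thread or from OpenBSD's own documentation. It assumes documentation addresses (site A public 192.0.2.1 on fxp0, site B public 198.51.100.1, both LANs numbered 192.168.1.0/24, LAN hosts 192.168.1.10 and 192.168.1.20 at B), and it assumes the transport-mode ESP SA/flow between the two public addresses plus the extra "dummy" flow matching the pre-NAT 192.168.1.0/24 -> 198.51.100.1 packets have already been set up with ipsecadm or isakmpd; the page does not give that setup and it is left out here. Rather than a separate nat plus rdr pair per host, LAN traffic is NATed to the gateway's own public address on enc0 and individual services are redirected into the far LAN with rdr on enc0, so the post-NAT packets are exactly what the public-to-public transport-mode SA matches:

```pf
# /etc/pf.conf on gateway A (OpenBSD 3.6) -- added example, not from the thread.
# Assumed addressing (documentation ranges):
#   site A public 192.0.2.1 on fxp0, site B public 198.51.100.1,
#   both LANs 192.168.1.0/24 (the overlap that forces NAT on both sides).
ext_if = "fxp0"
int_if = "fxp1"
pub_a  = "192.0.2.1"
pub_b  = "198.51.100.1"
lan    = "192.168.1.0/24"

# Outbound: LAN hosts on A talking to B's public address are translated to
# A's public address *on enc0*, i.e. after the kernel has decided the packet
# is IPsec-bound (that is what the assumed pre-NAT "dummy" flow is for) but
# before ESP is applied.  The post-NAT packet 192.0.2.1 -> 198.51.100.1 is
# what the transport-mode SA between the gateways actually protects.
nat on enc0 from $lan to $pub_b -> $pub_a

# Inbound: cleartext arriving from B through the tunnel, addressed to A's
# public address, is redirected per service to the real LAN host.  Ports,
# not addresses, pick the host, because both LANs share 192.168.1.0/24.
rdr on enc0 proto tcp from $pub_b to $pub_a port 22   -> 192.168.1.10 port 22
rdr on enc0 proto tcp from $pub_b to $pub_a port 3389 -> 192.168.1.20 port 3389

# On the wire only ESP (and IKE on udp/500, if isakmpd negotiates the SAs)
# is accepted between the two gateways; everything else from outside drops.
block in on $ext_if
pass  in on $ext_if proto esp from $pub_b to $pub_a
pass  in on $ext_if proto udp from $pub_b to $pub_a port 500
pass out on $ext_if proto esp from $pub_a to $pub_b
pass out on $ext_if proto udp from $pub_a to $pub_b port 500

# LAN side: let A's hosts start conversations towards B's public address.
# "keep state" is explicit because 3.6 does not keep state by default.
pass in on $int_if from $lan to $pub_b keep state

# Filter the cleartext on enc0.  nat has already rewritten the source when
# the out rule is evaluated, and rdr has already rewritten the destination
# when the in rules are evaluated, so the rules name the translated addresses.
pass out on enc0 from $pub_a to $pub_b keep state
pass in  on enc0 proto tcp from $pub_b to 192.168.1.10 port 22   keep state
pass in  on enc0 proto tcp from $pub_b to 192.168.1.20 port 3389 keep state

# Gateway B carries the mirror image: pub_a/pub_b swapped, its own LAN hosts
# in the rdr lines, and the same pair of IPsec flows pointing back at A.
```

Load it with `pfctl -f /etc/pf.conf` and watch `pfctl -s nat` and `pfctl -s state` while a LAN host on A connects to 198.51.100.1:22. The reply's warning about the order of the routing and IPsec lookups applies unchanged: if the flow matching the untranslated 192.168.1.0/24 -> 198.51.100.1 packets is missing, the kernel never hands them to enc0, these nat and rdr rules are never consulted, and the packets leave $ext_if in the clear or are dropped by the block rule.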