
Re: setting up vpn tunnel with nat - twisted



Thanks.  On the flip side, shouldn't I be able to set up one direction
fairly easily?  In this case, connections can be initiated from LAN1
-> LAN2 but not from LAN2 -> LAN1.
In this model, after the IPsec endpoints are created, I would simply NAT
traffic on the private interface from LAN1 to 192.168.1.50 (OpenBSD
gateway) with a destination of 192.168.88.0/24, which then crosses
the tunnel and gets NAT'd from 192.168.88.0/24 to
192.168.1.0/24 (LAN2).
Thoughts? :)
-Brian
On Thu, 06 Jan 2005 11:11:12 +0100, Cedric Berger <[email protected]> wrote:
> brianBOFH wrote:
> 
> >Hi,
> >
> >I have two 192.168.1.0/24 networks physically separated.  I need to
> >get connectivity from one to the other and vice versa _without_
> >renumbering hosts.
> >
> >That being said, I have an OpenBSD 3.6 machine with one public and
> >one private interface on each end.
> >
> >I know I can set up the tunnel between the two.  But because I can't
> >bridge and route between the same network, my question is about setting up
> >NAT between them.  Obviously the SRC and DST need to be rewritten on
> >either side, which means your typical NAT setup will not work.  Can
> >this be achieved with pf?  If anyone can point me in the right
> >direction I would appreciate it.
> >
> This is possible, but very tricky. You can create a transport-mode IPsec
> flow between the public IP of your 2 gateways, and then do "nat on enc0"
> and maybe "rdr on enc0".
> There is a chicken-and-egg problem between the routing table lookup and
> the IPsec lookup.
> Read (man ipsec) about "NAT and *enc#* interfaces".
> You will have to set up a dummy flow from 192.168.1.0/24 to convince the
> kernel to ipsec-process your packet.
> Plan a good week of trial-and-error to make that work.
> Cedric
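A pf.conf sketch of the one-direction model from Brian's reply, added here as an example and not taken from the thread, written in the nat/rdr syntax pf used at the time. The interface names, the LAN2 gateway's private address 192.168.1.1 and the use of the `bitmask` pool option are my assumptions, and the IPsec flows themselves (including the dummy flow Cedric mentions) are assumed to be configured outside pf. It goes one step beyond Brian's description by also source-NATing on the LAN2 side, because a LAN2 host replying to 192.168.1.50 would otherwise ARP for it on its own local subnet instead of sending the reply back through the tunnel.

```pf
# ---- LAN1 gateway (192.168.1.50) ----
int_if     = "fxp1"            # private interface toward LAN1 (assumed name)
lan1       = "192.168.1.0/24"
lan2_alias = "192.168.88.0/24" # how LAN1 hosts address LAN2 hosts, 1:1 by last octet

# Give LAN1 -> alias traffic a single unambiguous source (this gateway)
# on its way into the tunnel; translation is done on enc0, as Cedric suggests.
nat on enc0 from $lan1 to $lan2_alias -> 192.168.1.50
pass in  on $int_if from $lan1 to $lan2_alias keep state
pass out on enc0    from 192.168.1.50 to $lan2_alias keep state

# ---- LAN2 gateway, private address 192.168.1.1 (assumed) ----
int_if     = "fxp1"            # private interface toward LAN2 (assumed name)
lan2       = "192.168.1.0/24"
lan2_alias = "192.168.88.0/24"
lan2_gw    = "192.168.1.1"

# Arriving from the tunnel: map the alias destination back to the real host,
# keeping the host part (bitmask pool), so 192.168.88.7 becomes 192.168.1.7.
rdr on enc0 from 192.168.1.50 to $lan2_alias -> $lan2 bitmask

# Source-NAT to this gateway's own private address so the LAN2 host's reply
# comes back here (and through the reversed states) rather than being sent
# to a 192.168.1.50 that is local to LAN2.
nat on $int_if from 192.168.1.50 to $lan2 -> $lan2_gw
pass in  on enc0    from 192.168.1.50 to $lan2 keep state
pass out on $int_if from $lan2_gw to $lan2 keep state
```

Only LAN1 -> LAN2 connections work with these rules, as in Brian's model; whether the reply, once its destination is rewritten back to 192.168.88.x, is actually matched against the IPsec flow is the routing-versus-IPsec lookup ordering Cedric warns about, and pf rules alone do not settle it.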