Re: Routing issue with VPN tunnel [SOLVED]


Hi all,

The lo1 workaround worked.

There are some posts out there that explain this, or parts of it, and
here's my contribution.
The two threads I found most helpful can be googled:
"NAT on IPSEC with OpenBSD/pf/isakmpd"
"OT - NAT on IPsec"

The issues in question are mentioned earlier in this thread and I
won't repeat them.

1 - Create a loopback interface on which NATting will be done:
# cat /etc/hostname.lo1
inet NONE description "IPsec NAT interface"

This should be an IP of a different subnet than your internal network.

2 - Add a static route to the remote network you are trying to reach:
route add

3 - Configure lo1 for nat (pf.conf):
nat on lo1 from $internal_net to -> lo1

4 - Create pf.conf rules:
pass on lo1 inet from lo1 to keep state
# In
pass in on enc0 keep state (if-bound)
# Out
pass out on enc0 inet from lo1 to

pass on enc0 proto ipencap all keep state (if-bound)
pass on $ext_if inet proto esp all keep state
NB. Outgoing enc0 traffic rule must not contain "keep state"

5 - The ipsec tunnel/flows must of course be added with as IPV4_ADDR.
ID-Type=                IPV4_ADDR

Best regards,


/ Danial
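A filled-in version of the five steps above, added here as an example and not taken from Danial's post; the interface names, the internal and remote networks and the lo1 /32 are constructed placeholders, and the isakmpd flow itself is only described in a comment.

```pf
# /etc/hostname.lo1  (constructed: a /32 outside the internal LAN)
#   inet 172.31.255.1 255.255.255.255 NONE description "IPsec NAT interface"
#
# Static route so traffic for the remote network is pushed through lo1,
# where pf rewrites the source before the IPsec flow is matched (constructed):
#   route add 10.20.30.0/24 172.31.255.1
#
# The isakmpd flow (step 5) must then be 172.31.255.1/32 -> 10.20.30.0/24,
# which is why the local ID-Type has to be IPV4_ADDR and not the LAN subnet.

# /etc/pf.conf (pre-4.7 "nat on" syntax, as used in the post)
ext_if       = "em0"
internal_net = "192.168.1.0/24"
remote_net   = "10.20.30.0/24"
nat_ip       = "172.31.255.1"

# Caveat: "set skip on lo" would skip the whole lo group, lo1 included,
# and NAT would silently never happen. Skip only lo0.
set skip on lo0

# Step 3: NAT internal hosts to the lo1 address when headed for the remote net
nat on lo1 from $internal_net to $remote_net -> $nat_ip

# Step 4: pf rules
pass on lo1 inet from $nat_ip to $remote_net keep state
# In
pass in on enc0 keep state (if-bound)
# Out: deliberately no "keep state" (see the NB in the post)
pass out on enc0 inet from $nat_ip to $remote_net

pass on enc0 proto ipencap all keep state (if-bound)
pass on $ext_if inet proto esp all keep state
```

On OpenBSD 4.7 and later the NAT line is written `match out on lo1 from $internal_net to $remote_net nat-to $nat_ip`; the rest of the ruleset is unchanged.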