Re: PF: nat on ipsec
- In reply to: André_S._Almeida : "Re: PF: nat on ipsec"
Date: Mon, 10 Oct 2022 17:13:50 UTC
On 10.10.22 17:59, André S. Almeida wrote:

> Take a look at the sysctl option "net.inet.ipsec.filtertunnel", it
> needs to be active for NAT to work with IPSec

Thank you, unfortunately this did not change anything.

> IPsec traffic flow is complicated. Have a look at enc. It's been
> instrumental in helping me fix this class of issue in several
> instances.
> YMMV.
>
> https://www.freebsd.org/cgi/man.cgi?query=enc&sektion=4
>
> Good luck! :)

Thanks. Yeah I know, that's why I have always tried to stick to OpenVPN; however, with AWS it's not (yet?) possible. I just don't get why on earth I need to tinker around on the host when the tunnel is being created inside the OPNsense VM, and sadly the solution on Linux consists of just 2 simple iptables rules (basically rdr all IPv4 traffic to the VM and then NAT the VM's IPv4 traffic).