* Stuart Henderson <stu@spacehopper.org> on [06-12-2018 13:44:50 +0000]:
> On 2018-12-06, Thuban <thuban@yeuxdelibad.net> wrote:
> > * Thuban <thuban@yeuxdelibad.net> on [02-12-2018 19:16:09 +0100]:
> >> Hi,
> >> I need help to write a correct rule in pf.conf.
> >>
> >> I want:
> >>
> >> A -----> B ------> web
> >>
> >> The IP of A, as it appears on the web, is B's.
> >>
> >> I managed to configure iked on A and B using default pubkeys according
> >> to Stuart Henderson's advice.
> >>
> >> iked.conf on A:
> >>
> >> ikev2 active ipcomp esp \
> >> from 192.168.100.0/16 to 0.0.0.0/0 \
> >> peer "xx.xx.xx.xx" \
> >> srcid "me@moria.lan" \
> >> dstid "B-hostname.tld" \
> >> tag IKED
> >>
> >> iked.conf on B:
> >>
> >> ikev2 "warrior" passive esp \
> >> from 0.0.0.0/0 to 0.0.0.0/0 \
> >> local xx.xx.xx.xx peer any \
> >> srcid "B-hostname.tld" \
> >> tag IKED
> >>
> >> Auth works as expected:
> >>
> >> # iked -vvd
> >> ..
> >> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
> >> ..
> >>
> >>
> >> But I can't reach internet from A through B.
> >>
> >> Here is the pf.conf on B (at least a small part of it):
> >>
> >> pass out on egress \
> >> from any to any tagged IKED \
> >> nat-to (egress)
> >>
> >>
> >
> > I'm still stuck at the same point.
> > Can someone give me an example of a working configuration natting to
> > the Internet?
>
> I used this,
>
> pass in on enc0 inet from $some_net
> pass out quick on egress inet received-on enc0 nat-to $some_address
>
> Also I don't remember what you've already said you checked, but
> make sure you have sysctl net.inet.ip.forwarding=1.
>
Thank you.
Yes, I do have ip.forwarding=1.
I'm confused about how to replace "$some_address". Isn't it "(egress)"?
Regards.
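As an added illustration, not from this thread or from either poster, here is how Stuart's two rules look on B with the thread's own names filled in. It assumes that the IPsec tunnel terminates on enc0, that the egress interface group holds B's public-facing interface, and that 192.168.100.0/16 is the network behind A, as in the iked.conf quoted above; the variable name warrior_net is made up for the example.

```pf
# /etc/pf.conf fragment for B (added example, not from the thread)
# Assumption: the network behind A, taken from the iked.conf quoted above
warrior_net = "192.168.100.0/16"

# Accept decrypted traffic from A's network as it arrives through the tunnel
pass in on enc0 inet from $warrior_net

# Forward it out the public interface and rewrite the source address to
# whatever address egress currently holds. The parentheses make pf look the
# address up when the rule is evaluated rather than fixing it at ruleset
# load time, which is the usual choice for a dynamically addressed interface.
pass out quick on egress inet received-on enc0 nat-to (egress)
```

The second rule matches on `received-on enc0`, so it does not depend on the `tag IKED` set in iked.conf. Before loading, `pfctl -nf /etc/pf.conf` parses the ruleset without installing it, and `sysctl net.inet.ip.forwarding` should report 1, as Stuart notes; once traffic flows, `pfctl -ss` shows the translated states.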