A while back I was wondering if there was a good way to deal with
overlapping network addresses in OpenBSD when setting up site-to-site
VPNs.

At the time the best solution I could find was just to use relayd (which
iirc is now called something else), which works but isn't pretty.

I've since found a much better solution, and I want to write it down here
so that the next guy doesn't have to spend a day tearing his hair out.

First: if you're using a recent version of OpenBSD, and so is the
other side, you may as well try the approach described at
http://www.undeadly.org/cgi?action=article&sid=20090127205841
I haven't, but it looks like a neat solution.

In my case, the opposite end of the link is using a Juniper NetScreen,
and my firewall is OpenBSD 4.3.

I mostly followed the guide here:
http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html, which
generally works but is wrong in a few particulars.

In my case, my company bought another company and we needed to merge
networks.  Unfortunately, the remote company used 192.168.10.0/24,
which was the network on our end that we needed to share.

What we did was, the remote end picked an unused network (192.168.14.0/24)
and I picked another unused network (192.168.15.0/24).  We then configured
ipsec to establish the flows between those two translated networks:

  ipsec.conf:

    ike active esp from 192.168.15.0/24 to 192.168.14.0/24 \
      local a.a.a.a peer b.b.b.b \
      main auth hmac-sha1 enc 3des group modp1024 \
      quick auth hmac-sha1 enc 3des group none \
      psk keykeykey

(can I just say, by the way, how awesome ipsec.conf is?  because it is)

Now, as in the guide, we're going to route through lo1 and perform our
natting on that interface.  However, we do *not* want to assign any IP
from the 192.168.15.0/24 network to lo1.  This is because we want packets
coming in from the enc0 interface to get routed back out of the OpenBSD
box, which will not happen if OpenBSD thinks it's the destination for
that packet.

We do this by assigning lo1 an IP that is completely unrelated to anything
else we're doing.  Fortunately rfc1918 is generous.  I took 192.168.99.1
because I didn't really expect this to work when I tried it.  It would
be trivial to move out of 192.168/16 altogether, I suppose, but it's
even more trivial to leave it where it is:

    # ifconfig lo1 create
    # ifconfig lo1 inet 192.168.99.1/32
    # route add 192.168.14.0/24 192.168.99.1
    # route add 192.168.15.0/24 192.168.99.1

The first route sends packets headed for the IPSec link over lo1, where
binat rewrites their source address from 192.168.10.0/24 to 192.168.15.0/24.
The second route catches the replies coming back in from enc0, which are
addressed to 192.168.15.0/24, and forces them over lo1 again, where binat
restores the real 192.168.10.0/24 destination.

Finally, add the binat rule in pf.conf, and do your firewalling.
If you're having trouble, see whether you have `set skip on lo0` or just
`lo`.  You want the former: `lo` is the interface group, so skipping it
also skips lo1, and pf never gets to translate anything there.  I pass
all traffic to my NAT address and apply the firewall rules after the NAT
when they are checked leaving the lo1 interface:

  pf.conf:

    binat on lo1 inet from 192.168.10.0/24 to 192.168.14.0/24 -> 192.168.15.0/24
    pass on lo1 from any to 192.168.15.0/24
    pass on lo1 proto tcp from any to 192.168.10.37 port 80
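As an added example (my own script, not from the original post or any
OpenBSD tool), here is a small sh check for the address plan before you
commit it to ipsec.conf and pf.conf: the real local network, the two
translated networks and the lo1 address must be pairwise unrelated,
otherwise the box ends up believing it owns the destination.  The function
names and the command-line layout are my assumptions; the networks used in
the usage line are the ones from this post.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an address plan
# for a binat'ed site-to-site link before writing ipsec.conf and pf.conf.
# Function names are my own; the networks in the usage line are from the post.

# Convert a dotted quad to a 32-bit integer (192.168.10.0 -> 3232238080).
ip_to_int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (exit 0) when two CIDR prefixes share at least one address.
cidr_overlap() {
    n1=$(ip_to_int "${1%/*}"); p1=${1#*/}
    n2=$(ip_to_int "${2%/*}"); p2=${2#*/}
    p=$p1; [ "$p2" -lt "$p" ] && p=$p2       # compare under the shorter prefix
    mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# check_plan REAL_LOCAL TRANSLATED_LOCAL TRANSLATED_REMOTE LO1_ADDR
# The three networks must be pairwise disjoint, and the lo1 address must lie
# inside none of them, or the box treats itself as the destination and stops
# forwarding instead of sending the packet back out through enc0.
check_plan() {
    real=$1; tlocal=$2; tremote=$3; lo1=$4
    for pair in "$real $tlocal" "$real $tremote" "$tlocal $tremote"; do
        set -- $pair
        if cidr_overlap "$1" "$2"; then
            echo "overlap: $1 and $2" >&2; return 1
        fi
    done
    for net in "$real" "$tlocal" "$tremote"; do
        if cidr_overlap "$net" "$lo1/32"; then
            echo "lo1 address $lo1 lies inside $net; pick an unrelated one" >&2
            return 1
        fi
    done
    return 0
}

# Usage: sh check_plan.sh 192.168.10.0/24 192.168.15.0/24 192.168.14.0/24 192.168.99.1
if [ $# -eq 4 ]; then
    check_plan "$@" && echo "address plan OK"
fi
```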

If everything's working, you should be able to follow packets from the
internal interface (bge0, in my case) over lo1, into enc0, and out the
external (bge1).

Let me know if you find any errors.  I'm not on the list, so please cc me.
