On 2/26/07, Samuel Moqux  wrote:

quoted text
> I'm having some issues with an ipsec connection with vpnc (isakmp is

> not an option, since does not support xauth, and I don't control the

> other end) from an OpenBSD firewall/router to a Cisco device.

>

> I think problems could be natt related so I would like to eliminate

> nat from the equation, but the problem is that the "outside" interface

> is a private address. This firewall routes between a DMZ (public /29),

> a LAN segment (private /24), and the outside (private /30).

>

>

> ------ LAN ------- OpenBSD ------ 10.90.0.0/30 --- Outside Router ------

INET

quoted text
>                           |

>                           |

>                       DMZ (public /29)

>

> Right now, I need to NAT on the Outside Router, since internet routed

> packets from the OpenBSD box go out with a private address.

>

> What I would like to achieve is that packets destined to internet get

> sourced with DMZ's interface, which is internet routable, and without

> pf tricks(I don't want NAT, remember).

If you could get vpnc to bind to a specific interface it seems like

that would be possible. Can you see if that's an option?
The way I see it, NAT may not be an issue; any worthwhile modern IPsec

implementation supports NAT traversal, which vpnc appears to (I see a

reference to '--natt-mode' on their page.) If you can support NAT-T on

the client and server, it may be a non-issue for you.
Haven't used vpnc myself, but just looking at the package install

message there's a couple of considerations:
--- vpnc-0.3.3p1 -------------------

In order for vpnc to actually get any received IPsec packet, you have

to disable ESP in your kernel like this:
    sysctl net.inet.esp.enable=0
If you are behind a NAT gateway, you have to disable UDP encapsulation

as well:
    sysctl net.inet.esp.udpencap=0
DS