# Vpn + nat



## zgabe (Aug 5, 2011)

Hi,

I have the following scenario:


```
Server1 ----- VPN Router -----(vpn)----- FreeBSD Box1 ------ Server2
                        |-----(vpn)----- FreeBSD Box2 ------ Server3
```
FreeBSD boxes run ipsec-tools and have three interfaces: em0-gif0 on the VPN side and em1 on the other. The VPN router handles two VPN tunnels: one for FreeBSD Box1 and another for FreeBSD Box2.
It could happen that Server2 and Server3 have the same IP address, so I think on FreeBSD Box1 the destination address has to be changed in the incoming packets destined to Server2 and the source address in the reply packets. As far as I know NAT might help.
I started to try it with PF.
man pf.conf says:
- nat: Translate outgoing packets' source addresses (any protocol).
- rdr: Translate incoming packets' destination addresses

According to this I have to use NAT on em0 or gif0 but it does not work as on em0 the traffic is encapsulated and the gif interface is inappropriate for NAT.

Any ideas?

BR
zgabe
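One configuration to try for the overlap described above, written as an added example and not taken from the thread: a `binat` rule on the gif interface, in the older FreeBSD PF syntax in use at the time, that gives Server2 a unique alias as seen from Server1. All addresses are assumed: Server2 is 192.168.1.10 behind em1, the alias is 10.99.1.10, and the tunnel interface is gif0.

```conf
# Constructed example for FreeBSD Box1 (/etc/pf.conf); not the poster's config.
# Assumed: Server2 = 192.168.1.10 (Server3 behind Box2 may use the same address),
# alias announced to Server1 = 10.99.1.10, tunnel = gif0, LAN = em1.
ext_if  = "em0"     # carries the ESP-encapsulated packets; nothing to translate here
vpn_if  = "gif0"    # cleartext inner traffic, so translation is applied here
lan_if  = "em1"
server2 = "192.168.1.10"
alias2  = "10.99.1.10"

set skip on lo0

# Bidirectional 1:1 mapping on the tunnel interface:
#  - packets arriving on gif0 for 10.99.1.10 get destination 192.168.1.10
#  - replies leaving through gif0 from 192.168.1.10 get source 10.99.1.10
binat on $vpn_if from $server2 to any -> $alias2

# IKE and ESP must reach racoon and the kernel on the outer interface
pass in quick on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }
pass in quick on $ext_if proto esp

# Filter rules see the translated addresses: inbound on gif0 the destination
# is already Server2's real address, outbound on gif0 the source is the alias.
pass in  on $vpn_if from any to $server2 keep state
pass out on $lan_if from any to $server2 keep state
pass in  on $lan_if from $server2 to any keep state
pass out on $vpn_if from $alias2 to any keep state
```

The VPN router must route the alias toward Box1's tunnel, and Box2 needs the same rule with a different alias (for example 10.99.2.10) so Server3 stays distinguishable from Server2.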


----------



## icer (Aug 6, 2011)

clarification:

```
Server1 ---internet---(em0)---Freebsd Box1---(em1)---Server2
                 |----(em0)---Freebsd Box2---(em1)---Server2
```
And you want Server1, Server2 and Server3 to be in one network with the aid of the VPN service?


----------



## zgabe (Aug 6, 2011)

Server1 tries to communicate with Server2 and Server3, which are in different LANs. These LANs are behind the FreeBSD boxes, as I showed in the original post. I cannot change the architecture; I need a solution for this scenario.


----------



## nbari (Sep 8, 2011)

Have you solved your problem? I have the same situation.


----------



## zgabe (Sep 9, 2011)

Unfortunately no.


----------

