Subject: selecting the source address for outgoing connections
To: None <netbsd-users@NetBSD.org>
From: Geert Hendrickx <ghen@telenet.be>
List: netbsd-users
Date: 11/30/2006 15:10:00

Hi,

consider the following setup: two LANs (192.168.1/24 and 192.168.2/24)
VPN-connected via two NetBSD/OpenVPN routers with virtual interfaces on
10.0.0/24.

          192.168.1.4
               |
192.168.1.2    |    192.168.1.3
    |          |         |
    |          |         |   LAN A
    \----------+---------/
               |
               |   192.168.1.1
          VPN-router A
               |   10.0.0.1
               |
               | virtual link
               |
               |   10.0.0.2
          VPN-router B
               |   192.168.2.1
               |
    /----------+---------\
    |          |         |   LAN B
    |          |         |
192.168.2.2    |    192.168.2.3
               |
          192.168.2.5

Traffic between arbitrary nodes on the two LANs works fine, except for traffic
originating from the VPN-routers themselves, with destination in the other LAN.
Traffic from e.g. VPN-router A (192.168.1.1) to host 192.168.2.2 in LAN B has
source address 10.0.0.1, which is unknown to the target host.  Traffic can flow
if I add a route for 10.0.0/24 on the target host itself or its default gateway,
but I'd prefer the LAN hosts to be completely unaware of the virtual 10.0.0.x
addresses.

Can I force both VPN-routers (which are running NetBSD) to use their "internal"
IP (192.168.x.1) as source address for outgoing connections on the "external"
interface (10.0.0.x)?

For IPv4 I am using NAT to accomplish this.  The following line in ipnat.conf
does what I want:

> # hide virtual IP over VPN (packets appear to come from 192.168.1.1)
> map tun0 10.0.0.0/24 -> 192.168.1.1

But for IPv6, NAT is not an option (at least not with ipfilter).  Is there a
more generic solution?  I've found several threads about this in the archive
(also regarding aliases on the same interface) but no concrete solution...

Any ideas?

	Geert
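The ipnat `map` rule quoted in the post rewrites the source address of packets leaving tun0 from 10.0.0.0/24 to 192.168.1.1, and ipnat keeps state so that replies addressed to 192.168.1.1 are mapped back to the original 10.0.0.x source. The following Python model is an added example, not code from the post, from NetBSD or from ipfilter: it parses `map IFACE NET -> ADDR` lines in the form shown above and walks constructed packets through the outbound and reply translation. The `Packet`, `MapRule`, `IpnatModel` and `load_rules` names are inventions of this example, the state table is keyed on the plain 5-tuple (no `portmap`-style port remapping is modelled), and the model deliberately accepts IPv4 only, which is where the post says NAT is usable.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class MapRule:
    """One ipnat 'map' rule: on iface, rewrite sources inside src_net to map_to."""
    iface: str
    src_net: ipaddress.IPv4Network
    map_to: IPv4


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary (hypothetical type for this example only)."""
    iface: str       # interface the packet crosses
    direction: str   # "out" = leaving via iface, "in" = arriving on iface
    proto: str
    src: IPv4
    dst: IPv4
    sport: int
    dport: int


def packet(iface: str, direction: str, proto: str,
           src: str, dst: str, sport: int, dport: int) -> Packet:
    """Convenience constructor taking addresses as strings."""
    return Packet(iface, direction, proto,
                  ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), sport, dport)


def parse_map_rule(line: str) -> Optional[MapRule]:
    """Parse 'map IFACE NET -> ADDR'; returns None for comment or blank lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) != 5 or fields[0] != "map" or fields[3] != "->":
        raise ValueError(f"unsupported ipnat rule in this model: {line!r}")
    net = ipaddress.ip_network(fields[2])
    addr = ipaddress.ip_address(fields[4])
    # This model only covers IPv4: the post notes that NAT is not an option for IPv6.
    if not isinstance(net, ipaddress.IPv4Network) or not isinstance(addr, ipaddress.IPv4Address):
        raise ValueError("only IPv4 map rules are modelled")
    return MapRule(fields[1], net, addr)


def load_rules(text: str) -> List[MapRule]:
    """Parse every rule line of an ipnat.conf-style text, skipping comments."""
    return [r for r in (parse_map_rule(l) for l in text.splitlines()) if r is not None]


# Session key: (proto, translated src, sport, dst, dport) -> original source address
SessionKey = Tuple[str, IPv4, int, IPv4, int]


class IpnatModel:
    """Stateful model of outbound 'map' translation and the reverse mapping of replies."""

    def __init__(self, rules: List[MapRule]) -> None:
        self.rules = rules
        self.sessions: Dict[SessionKey, IPv4] = {}

    def translate(self, pkt: Packet) -> Packet:
        if pkt.direction == "out":
            return self._outbound(pkt)
        if pkt.direction == "in":
            return self._inbound(pkt)
        raise ValueError(f"unknown direction {pkt.direction!r}")

    def _outbound(self, pkt: Packet) -> Packet:
        for rule in self.rules:
            # Only packets leaving via the rule's interface whose source lies in
            # src_net are rewritten; LAN-originated traffic (192.168.1.x) passes as-is.
            if rule.iface == pkt.iface and pkt.src in rule.src_net:
                key = (pkt.proto, rule.map_to, pkt.sport, pkt.dst, pkt.dport)
                # Simplification: the source port is kept, so two inside hosts using
                # the same port to the same destination would collide in this table.
                self.sessions[key] = pkt.src
                return replace(pkt, src=rule.map_to)
        return pkt

    def _inbound(self, pkt: Packet) -> Packet:
        # A reply arrives with dst = map_to and the ports swapped; look up the session
        # and restore the original 10.0.0.x destination. Unknown traffic is untouched.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        original = self.sessions.get(key)
        return pkt if original is None else replace(pkt, dst=original)


# Constructed config text reproducing the rule quoted in the post.
IPNAT_CONF = """\
# hide virtual IP over VPN (packets appear to come from 192.168.1.1)
map tun0 10.0.0.0/24 -> 192.168.1.1
"""


def demo() -> Tuple[str, str, str]:
    """Returns (translated source, reply destination, untouched LAN source)."""
    nat = IpnatModel(load_rules(IPNAT_CONF))
    out = nat.translate(packet("tun0", "out", "tcp", "10.0.0.1", "192.168.2.2", 40000, 22))
    reply = nat.translate(packet("tun0", "in", "tcp", "192.168.2.2", "192.168.1.1", 22, 40000))
    lan = nat.translate(packet("tun0", "out", "tcp", "192.168.1.4", "192.168.2.2", 5000, 80))
    return str(out.src), str(reply.dst), str(lan.src)


if __name__ == "__main__":
    print(demo())
```

Running it shows the router-originated packet leaving with source 192.168.1.1, the reply being steered back to 10.0.0.1, and a LAN host's packet crossing tun0 unchanged, which is exactly the behaviour the `map` line buys for IPv4 and what has to be obtained some other way for IPv6.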
