Old 02-21-2008, 09:18 AM
Johan Lindquist
 
Default Re: IPSEC tunnel and NAT

So anyway, it was like, 21:27 CEST Oct 14 2004, you know? Oh, and, yeah,
Sybren Stuvel was all like, "Dude,

> LAN A : 192.168.0.0/24
> /--- Box A ---\          /----- GW A ----\
> | 192.168.0.1 | ---      | 192.168.0.129 |
> \-------------/          |               |
>                          | 80.126.96.52  |
>                          \---------------/
>                                  |
>                               internet
>                                  |
>                          /----- GW B -----\
>                          | 80.126.213.162 |
> /--- Box B ---\          |                |
> | 10.0.0.2    | ---      | 10.0.0.1       |
> \-------------/          \----------------/
> LAN B : 10.0.0.0/24
>
> I want to create a VPN connection from Box A to GW B, so that Box A
> can have a 10.0.1.0/24 address, for instance.
>
> Of course, I could create a VPN between GW A and GW B, but that
> would mean I'd give entire LAN A a tunnel to LAN B, which is
> something I do not want.


Unless you have additional hosts behind your gateway, you could just
let it nat the outgoing ipsec traffic (as it will, if you just let it
out) and tell the other endpoint ("gw b") to talk to your "gw a". You
might have to set up port forwarding in the reverse direction.

Another option would be to define the encryption domain for your end
of the tunnel to be only the single host, and let the gateways sort
it out. You'd still only be building a tunnel with the single host
having access, but the vpn would be "properly" set up between the two
gateways.

hth.

--
Time flies like an arrow, fruit flies like a banana. Perth ---> *
21:46:29 up 37 days, 7:13, 11 users, load average: 0.01, 0.02, 0.00
Linux 2.6.8 x86_64 GNU/Linux Registered Linux user #261729
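An added example, not part of Johan's reply or anything else in this thread: a minimal security policy database (SPD) lookup built from the addresses in Sybren's diagram, to show what "encryption domain only the single host" means on GW A and why the rest of LAN A should hit an explicit discard rule rather than fall through to the plain-NAT bypass. The policy entries, their ordering and the function names are my construction for illustration, not taken from any real IPsec implementation.

```python
# Constructed example: outbound SPD lookup on GW A, following the RFC 4301
# model (ordered entries, first match wins, unmatched traffic is discarded).
from ipaddress import ip_address, ip_network

def spd_single_host():
    """Johan's second option: only Box A (192.168.0.1) is in the tunnel."""
    return [
        # Box A -> LAN B goes through the gateway-to-gateway tunnel.
        (ip_network("192.168.0.1/32"), ip_network("10.0.0.0/24"), "PROTECT"),
        # Any other LAN A host -> LAN B must not leave in the clear via the
        # NAT bypass below, so drop it explicitly before the catch-all.
        (ip_network("192.168.0.0/24"), ip_network("10.0.0.0/24"), "DISCARD"),
        # Everything else from LAN A is ordinary NATed internet traffic.
        (ip_network("192.168.0.0/24"), ip_network("0.0.0.0/0"), "BYPASS"),
    ]

def spd_whole_lan():
    """The alternative Sybren wants to avoid: all of LAN A reaches LAN B."""
    return [
        (ip_network("192.168.0.0/24"), ip_network("10.0.0.0/24"), "PROTECT"),
        (ip_network("192.168.0.0/24"), ip_network("0.0.0.0/0"), "BYPASS"),
    ]

def lookup(spd, src, dst):
    """Return PROTECT / BYPASS / DISCARD for an outbound packet src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote, action in spd:
        if s in local and d in remote:
            return action
    return "DISCARD"  # no SPD entry matched

if __name__ == "__main__":
    # Constructed sample flows: Box A, another LAN A host, and a plain
    # internet destination from the RFC 5737 documentation range.
    flows = [("192.168.0.1", "10.0.0.2"),
             ("192.168.0.50", "10.0.0.2"),
             ("192.168.0.50", "198.51.100.7")]
    for name, spd in (("single host", spd_single_host()),
                      ("whole LAN", spd_whole_lan())):
        for src, dst in flows:
            print(f"{name:11} {src:>13} -> {dst:<14} {lookup(spd, src, dst)}")
```

Both gateways must agree on these selectors, so GW B carries the mirror image (its 10.0.0.0/24 toward 192.168.0.1/32); a mismatch shows up as a failed phase 2 / CHILD_SA negotiation rather than as silently unprotected traffic.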