On Friday, 08 August 2003, at 18:02:34 -0700, Ranjeet Shetye wrote:

> I am trying to understand if NAT takes place before or after IPSec.
> Ideally, for IPSec + NAT to work smoothly, the IPSec sub-system should
> be between the NAT sub-system and the Internet. Any explanations here
> would be greatly appreciated.

I can't help you with the kernel programming part, but if you want to know
whether IPsec or NAT happens first, maybe a simple test could give you some
clues. Configure the box with two interface cards, enable ip_forward, add a
SNAT iptables rule, and then create a Security Policy for IPsec using
"setkey". If you use the real (original source IP) address in the SP and it
matches, then IPsec happens before SNAT. Try again with DNAT and several
other combinations of NAT and IP in the SP, and see if the policy matches
traffic or not (use "setkey -DP" and see if "lastused" updates).

Hope this helps.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.0-test2-mm2)
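The test described in the reply above, as an added example that is not part of the original message or of any project: a small shell script that emits the setkey SPD entries for the original (pre-NAT) source network and then compares two "setkey -DP" snapshots to decide whether the policy's "lastused" moved. Everything here is an assumption for illustration: the addresses are documentation ranges, the spdadd lines follow setkey's documented syntax, and the two dumps are constructed sample text written in the style of ipsec-tools output rather than captured from a real box.

```shell
#!/bin/sh
# Added example (not the author's code): generate the SPD for the
# "original source IP" policy and check whether "lastused" advanced
# between two "setkey -DP" snapshots. Addresses below are documentation
# ranges; the dumps are constructed samples, not real setkey output.

# Print setkey input for an ESP tunnel policy between $1 (inner source,
# the pre-SNAT network) and $2 (inner destination) via gateways $3 -> $4.
spd_conf() {
    src="$1"; dst="$2"; local_gw="$3"; remote_gw="$4"
    printf 'spdflush;\n'
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$src" "$dst" "$local_gw" "$remote_gw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$dst" "$src" "$remote_gw" "$local_gw"
}

# Print the lastused timestamp of the policy whose header line starts with
# selector $2 in dump text $1; print "never" if the policy is absent or
# its lastused field is empty (policy never matched any packet).
lastused_of() {
    dump="$1"; selector="$2"
    printf '%s\n' "$dump" | awk -v sel="$selector" '
        index($0, sel) == 1 { inpol = 1; next }   # header of the policy we want
        /^[^ \t]/ { inpol = 0 }                   # header of some other policy
        inpol && /lastused:/ {
            sub(/.*lastused:[ \t]*/, "")          # keep only the timestamp
            gsub(/[ \t]+$/, "")
            print ($0 == "" ? "never" : $0); found = 1; exit
        }
        END { if (!found) print "never" }'
}

# Succeed (exit 0) when the policy identified by $3 was hit between the
# "before" dump $1 and the "after" dump $2, i.e. lastused changed.
policy_matched() {
    before=$(lastused_of "$1" "$3"); after=$(lastused_of "$2" "$3")
    [ "$after" != "never" ] && [ "$after" != "$before" ]
}

# Constructed sample: SPD before sending test traffic through the SNAT box.
DUMP_BEFORE=$(cat <<'EOF'
192.168.1.0/24[any] 10.0.0.0/24[any] any
	out ipsec
	esp/tunnel/203.0.113.1-198.51.100.1/require
	created: Aug  8 18:00:00 2003  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=16 seq=1 pid=1234
	refcnt=1
203.0.113.1[any] 10.0.0.0/24[any] any
	out ipsec
	esp/tunnel/203.0.113.1-198.51.100.1/require
	created: Aug  8 18:00:00 2003  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=24 seq=0 pid=1234
	refcnt=1
EOF
)

# Constructed sample: same SPD after traffic; only the pre-NAT policy was hit.
DUMP_AFTER=$(cat <<'EOF'
192.168.1.0/24[any] 10.0.0.0/24[any] any
	out ipsec
	esp/tunnel/203.0.113.1-198.51.100.1/require
	created: Aug  8 18:00:00 2003  lastused: Aug  8 18:02:34 2003
	lifetime: 0(s) validtime: 0(s)
	spid=16 seq=1 pid=1234
	refcnt=1
203.0.113.1[any] 10.0.0.0/24[any] any
	out ipsec
	esp/tunnel/203.0.113.1-198.51.100.1/require
	created: Aug  8 18:00:00 2003  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=24 seq=0 pid=1234
	refcnt=1
EOF
)

# On a real box you would feed this to "setkey -c" (or -f file) and take the
# two dumps with "setkey -DP" before and after sending a few packets.
spd_conf 192.168.1.0/24 10.0.0.0/24 203.0.113.1 198.51.100.1

SEL_ORIG='192.168.1.0/24[any] 10.0.0.0/24[any] any'   # pre-SNAT source
SEL_NAT='203.0.113.1[any] 10.0.0.0/24[any] any'       # post-SNAT source
if policy_matched "$DUMP_BEFORE" "$DUMP_AFTER" "$SEL_ORIG"; then
    echo "pre-NAT policy hit: IPsec saw the original source, so IPsec ran before SNAT"
elif policy_matched "$DUMP_BEFORE" "$DUMP_AFTER" "$SEL_NAT"; then
    echo "post-NAT policy hit: traffic reached IPsec already rewritten by SNAT"
else
    echo "neither policy hit: check routing and that test traffic was actually sent"
fi
```

Run it once with a policy on the original address and once with a policy on the NATed address, as the reply suggests, and the two runs together tell you which sub-system saw the packet first; keeping both selectors loaded at the same time, as the sample does, lets a single dump answer the question.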