I googled and saw earlier discussions about this here, but couldn't find a resolution. Has anyone figured out an answer to this:

On Wed, 2003-10-01 at 05:16, Herbert Xu wrote:
> Hi:
>
> I have received bug reports saying that SNAT does not work when the
> packets have to be SNATed before they can enter an IPSEC tunnel
> under the 2.6 IPSEC stack.
>
> The problem is that SNAT can only be performed in POSTROUTING while
> IPSEC policy lookups are done at the same time as the route lookup.

Alternatively, here's the scenario that I'd take any reasonable pragmatic answer to:

When at home, I have my Linux laptop connect via IPSEC over 802.11b to a base station connected to a separate interface on my Linux desktop (NAT), then a separate IPSEC link from the desktop, via a little commercial home router (NAT) over the net, through a firewall (NAT) to a VPN server in the office (and further beyond via a router between non-routable subnets there). This allows me to get from either my laptop or my desktop at home over a single VPN link to all machines in my office.

I need a solution that (A) keeps the wireless link secure, (B) keeps the link to the office secure, (C) traverses the NAT at the entrance to my house, and (D) traverses the NAT at the entrance to the office.

It all just works with 2.4 and FreeSwan 1.99:

Linux 2.4 / FS 1.99 Laptop (eth1 192.168.8.9, ipsec0 192.168.8.9)
  ----> Linux 2.4 / FS 1.99 Desktop (eth1 192.168.8.4, ipsec1 192.168.8.4)
  --> SNAT to 192.168.9.4
  --> (eth0 192.168.9.4, ipsec1 207.x.x.x, rightnexthop 192.168.9.1)
  --> Generic Home Router (inside 192.168.9.1)
  --> SNAT (outside 207.x.x.x)
  --> (internet)
  --> Major Mfg Firewall (67.x.x.x)
  --> NAT to 192.168.1.55
  --> Linux 2.4 / FS 1.99 VPN Box (eth0 192.168.1.55, ipsec0 67.x.x.x)
  --> 192.168.1.X

Any and all insights appreciated. Yes, I can and will code to solve it. This is the only remaining issue that keeps me unable to migrate to 2.6.x.
-Brad

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
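The ordering problem Herbert Xu describes in the quoted mail, modelled as a small Python example added here (it is not code from the post, from FreeS/WAN or from the kernel). The model reduces the desktop's egress path to two steps: an IPsec policy lookup with a (src, dst) selector, and a POSTROUTING SNAT rule. Every address, the policy selector and the SNAT rule are constructed for the illustration, reusing the private addresses from the topology above and TEST-NET placeholders for the public tunnel endpoints; the model also assumes that a packet matching no policy is simply sent without protection, which is the outcome a defender would want to catch.

```python
"""Model of "policy lookup before SNAT" versus "policy lookup after SNAT".

Added example; addresses, selector and rules are constructed, not taken from
any real configuration.  The model assumes a packet that matches no IPsec
policy is forwarded unprotected.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class XfrmPolicy:
    # IPsec policy selector: traffic matching (src_sel, dst_sel) goes into the
    # tunnel between tunnel_src and tunnel_dst.
    src_sel: str
    dst_sel: str
    tunnel_src: str
    tunnel_dst: str


@dataclass(frozen=True)
class SnatRule:
    # POSTROUTING SNAT: packets whose source is in match_src leave with to_src.
    match_src: str
    to_src: str


def xfrm_lookup(pkt, policies):
    """Return the first policy whose selector matches the packet, else None."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for p in policies:
        if src in ip_network(p.src_sel) and dst in ip_network(p.dst_sel):
            return p
    return None


def postrouting_snat(pkt, rules):
    """Apply the first matching SNAT rule and return the rewritten packet."""
    for r in rules:
        if ip_address(pkt.src) in ip_network(r.match_src):
            return Packet(r.to_src, pkt.dst)
    return pkt


def egress_lookup_before_snat(pkt, policies, rules):
    """Ordering from the quoted mail: the policy is chosen together with the
    route, i.e. on the pre-NAT source, and SNAT happens afterwards.
    Returns (packet as it leaves, whether it is tunnelled)."""
    policy = xfrm_lookup(pkt, policies)       # sees 192.168.8.x, not 192.168.9.4
    out = postrouting_snat(pkt, rules)
    return out, policy is not None


def egress_relookup_after_snat(pkt, policies, rules):
    """Alternative ordering (an assumed design, not something the post
    describes): SNAT first, then repeat the policy lookup on the NATed packet."""
    out = postrouting_snat(pkt, rules)
    policy = xfrm_lookup(out, policies)       # sees the post-NAT source
    return out, policy is not None


# Constructed desktop configuration: the tunnel to the office is keyed on the
# desktop's own eth0 address, and wireless clients are SNATed onto it.
POLICIES = [XfrmPolicy("192.168.9.4/32", "192.168.1.0/24",
                       "203.0.113.10", "198.51.100.1")]
SNAT_RULES = [SnatRule("192.168.8.0/24", "192.168.9.4")]

LAPTOP_TO_OFFICE = Packet("192.168.8.9", "192.168.1.20")    # needs SNAT first
DESKTOP_TO_OFFICE = Packet("192.168.9.4", "192.168.1.20")   # already matches


def leaves_unprotected(egress, pkt=LAPTOP_TO_OFFICE):
    """True when the given egress ordering lets pkt out without the tunnel."""
    _, protected = egress(pkt, POLICIES, SNAT_RULES)
    return not protected


if __name__ == "__main__":
    for name, fn in (("lookup before SNAT", egress_lookup_before_snat),
                     ("re-lookup after SNAT", egress_relookup_after_snat)):
        out, protected = fn(LAPTOP_TO_OFFICE, POLICIES, SNAT_RULES)
        print(f"{name:22s}: leaves as {out.src}->{out.dst}, "
              f"{'tunnelled' if protected else 'UNPROTECTED'}")
```

Run as a script it shows the two outcomes side by side: with the lookup done before SNAT, the laptop's packet is rewritten to 192.168.9.4 but was matched against the policy as 192.168.8.9, so it leaves the desktop outside the tunnel; the desktop's own traffic is unaffected either way. The `leaves_unprotected` helper is the kind of check worth keeping around when testing a NAT-plus-IPsec box: feed it the source addresses you expect to be tunnelled and confirm none of them come back True.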