Hi Stephen,

On Fri, 7 Oct 2011, Stephen Clark wrote:

> What is the reasoning for having SNAT happen before ipsec encryption?
You might well want to SNAT or MASQUERADE packets going through the tunnel, to have them fit within the tunnel's subnet, for example if you add a new local subnet and you don't want to reconfigure thousands of clients.
> It forces one to add special rules in the NAT table to keep this from happening
You mean "iptables -t nat -A POSTROUTING -m policy --pol ipsec -j ACCEPT"? Doesn't seem very onerous to me.
Cheers, Chris.

--
Aptivate | http://www.aptivate.org | Phone: +44 1223 760887
The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES
Aptivate is a not-for-profit company registered in England and Wales with company number 04980791.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
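Added example, not part of the thread: a small model of first-match evaluation in the nat POSTROUTING chain, to show why the `-m policy --pol ipsec -j ACCEPT` exemption only protects tunnel traffic when it precedes the MASQUERADE rule, and how a deliberate SNAT into the tunnel's subnet (the case Chris describes) can still be placed ahead of it. The packet fields, rule shapes and addresses are simplifying assumptions, not netfilter internals; `--dir out` is included because the policy match needs a direction in POSTROUTING.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    out_iface: str
    ipsec_out_policy: bool   # an xfrm policy will encapsulate this packet after NAT

@dataclass
class Rule:
    target: str                         # "ACCEPT", "MASQUERADE" or "SNAT"
    out_iface: Optional[str] = None     # -o eth0
    pol_ipsec: Optional[bool] = None    # -m policy --dir out --pol ipsec (True) / --pol none (False)
    src_net: Optional[str] = None       # -s 192.168.2.0/24
    to_source: Optional[str] = None     # --to-source for SNAT

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified match option must agree; unspecified ones match anything."""
    if rule.out_iface is not None and rule.out_iface != pkt.out_iface:
        return False
    if rule.pol_ipsec is not None and rule.pol_ipsec != pkt.ipsec_out_policy:
        return False
    if rule.src_net is not None and ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    return True

def postrouting(rules: list, pkt: Packet, iface_addr: dict) -> str:
    """Return the source address the packet carries when it leaves the chain (first match wins)."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.target == "ACCEPT":
            return pkt.src                       # exempted: leaves NAT untouched
        if rule.target == "MASQUERADE":
            return iface_addr[pkt.out_iface]     # rewritten to the outgoing interface address
        if rule.target == "SNAT":
            return rule.to_source
    return pkt.src                               # chain policy ACCEPT: unchanged

# Constructed sample rules and packets (RFC 5737 documentation addresses).
EXEMPT = Rule("ACCEPT", pol_ipsec=True)                    # -m policy --dir out --pol ipsec -j ACCEPT
MASQ = Rule("MASQUERADE", out_iface="eth0")                # -o eth0 -j MASQUERADE
NEW_SUBNET_SNAT = Rule("SNAT", pol_ipsec=True, src_net="192.168.2.0/24", to_source="192.168.1.254")
IFACES = {"eth0": "203.0.113.1"}
TUNNEL_PKT = Packet("192.168.1.10", "10.8.0.5", "eth0", True)
NEW_SUBNET_PKT = Packet("192.168.2.20", "10.8.0.5", "eth0", True)
INTERNET_PKT = Packet("192.168.1.10", "198.51.100.7", "eth0", False)

def scenarios() -> dict:
    return {
        "no_exemption": postrouting([MASQ], TUNNEL_PKT, IFACES),               # tunnel traffic gets masqueraded
        "exemption_first": postrouting([EXEMPT, MASQ], TUNNEL_PKT, IFACES),    # exemption works
        "exemption_last": postrouting([MASQ, EXEMPT], TUNNEL_PKT, IFACES),     # too late: MASQUERADE already matched
        "new_subnet_into_tunnel": postrouting([NEW_SUBNET_SNAT, EXEMPT, MASQ], NEW_SUBNET_PKT, IFACES),
        "internet_bound": postrouting([EXEMPT, MASQ], INTERNET_PKT, IFACES),  # plain traffic still masqueraded
    }
```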