On Friday 2012-10-12 22:22, Stephen Clark wrote:

> Hello,
>
> I have the following setup:
>
> ipsec tunnel 10.255.3.128/25 - pub add1 <-> pub add2 - 10.255.5.128/25
>
> trying to SNAT remote private address 10.255.5.128/25 to make it appear like it
> was local 10.255.3.254

The left endpoint has 10.255.3.128/25 declared as local, so if the left side is to respond to packets which have 10.255.3.254 as source address, that reply will be delivered on its own side (the left side), and never the tunnel.

This is like trying to SNAT all your home traffic that is supposed to go to the internet to 192.168.1.1 -- unroutable for the Internet.
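The routing argument in the reply, worked through as an added example that is not part of the original thread: a small longest-prefix-match lookup over a constructed route table for the left endpoint. The interface names (lan0, ipsec0, wan0) and the table itself are assumptions modelled on the setup quoted above; the point it shows is that a reply addressed to 10.255.3.254 matches the directly connected 10.255.3.128/25 route and never reaches the tunnel, while a reply to an untranslated 10.255.5.x source does.

```python
"""Added example (not code from the netfilter-devel thread): longest-prefix
route lookup showing why SNAT-ing the remote LAN to an address inside the
left endpoint's own subnet breaks the return path."""
import ipaddress

# Constructed route table for the left endpoint (assumption): its own LAN is
# directly connected, the remote LAN is reached via the IPsec tunnel, and
# everything else leaves through the public interface.
LEFT_ROUTES = [
    ("10.255.3.128/25", "lan0"),    # local subnet, directly connected
    ("10.255.5.128/25", "ipsec0"),  # remote subnet behind the tunnel
    ("0.0.0.0/0", "wan0"),          # default route towards the Internet
]

# Same idea for the home-router analogy in the reply (assumption).
HOME_ROUTES = [
    ("192.168.1.0/24", "lan0"),     # home LAN, directly connected
    ("0.0.0.0/0", "wan0"),          # default route towards the Internet
]


def route_lookup(routes, dst):
    """Return the outgoing interface for dst using longest-prefix match."""
    dst = ipaddress.ip_address(dst)
    best_net, best_dev = None, None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def reply_interface(routes, src_as_seen):
    """Interface the host uses to answer a packet whose source address it
    saw as src_as_seen (after any SNAT applied by the remote side)."""
    return route_lookup(routes, src_as_seen)


def snat_reply_reaches(routes, snat_src, expected_dev):
    """True if replies to snat_src would leave via expected_dev (e.g. the
    tunnel); False means the translation has made the traffic unroutable
    back to its real origin."""
    return reply_interface(routes, snat_src) == expected_dev


if __name__ == "__main__":
    # Untranslated remote source: reply goes back through the tunnel.
    print("10.255.5.130 ->", reply_interface(LEFT_ROUTES, "10.255.5.130"))
    # SNAT to a left-side address: reply stays on the left LAN.
    print("10.255.3.254 ->", reply_interface(LEFT_ROUTES, "10.255.3.254"))
    # Home analogy: Internet-bound traffic SNATed to 192.168.1.1 cannot
    # be answered from outside; from inside it is answered locally.
    print("192.168.1.1  ->", reply_interface(HOME_ROUTES, "192.168.1.1"))
```

Running it prints `ipsec0`, `lan0` and `lan0` in that order: the untranslated remote source is answered through the tunnel, while the SNATed source address is answered on the left endpoint's own LAN, which is the failure the reply describes.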