To netfilter@xxxxxxxxxxxxxxxxxxx on Thu 4/09 05:15 -0400: > I'm having some difficulty doing simple pings over an > IPSEC tunnel using the implementation in 2.6.0-test4 (with > Racoon, and successful Phase 1 and 2, I get the IPSEC SA > fine), in combination with iptables. Nevermind this, I had set the security policy with the wrong /24 on the remote end. It's now working great with IPSEC and doing SNAT only when it doesn't traverse the tunnel. I'm really surprised that it "just works." The IPSEC in 2.6 is very good IMO, basically turnkey. It still would be nice to know where IPSEC fits in to the Netfilter engine (ie, why it does "just work" and not SNAT when it goes over the tunnel), but it works great now...I think RTFS is in order.
