On Wed, Oct 22, 2003 at 01:26:59PM +0000, dimitri borjac spoke thusly:

> but actually I think I wasn't clear enough in my last mail: is it
> possible to use iptables in order to NAT different VPNs established between
> different NATted hosts and 1 remote gateway (the same gateway for all of
> them)? Such a NAT would be made by watching both addresses, ports and
> SPIs...

OK, understood the scenario. According to the man page, there is the
--espspi match. You'd need to hardcode the SPIs between the relevant IPsec
hosts. You might need to do some other bits and pieces also. I cannot say
for certain whether conntrack will handle this natively; you might need to
use one of the ROUTE matches also. This is a guess, I might be talking out
of my ass.

> In other words: is it possible for iptables to go and check the SPI field
> in the ESP header of the IPsec packet in ESP tunnel mode?

See above.
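As an added example (not part of the thread, and not code from either poster), the following Python shows what the ESP-header inspection discussed above amounts to: in ESP tunnel mode the only cleartext per-SA field after the IP header is the 32-bit SPI (followed by the sequence number), so a NAT box can key on nothing else. The script parses the SPI out of a constructed IPv4+ESP packet, maps it to an inside host, and emits the per-SPI DNAT rules using the `-m esp --espspi` match named in the reply. All addresses, SPI values and the inside-host mapping are constructed test values; the requirement that SPIs be fixed on both IPsec peers is the same caveat the reply makes.

```python
import ipaddress
import struct

ESP_PROTOCOL = 50  # IP protocol number for ESP (RFC 4303)


def parse_ipv4_esp(packet: bytes):
    """Return (src, dst, spi, seq) for an IPv4 packet carrying ESP.

    Raises ValueError if the packet is not ESP or is truncated. In tunnel
    mode everything after the SPI and sequence number is encrypted, so the
    SPI is the only field a NAT box can distinguish SAs by (ESP has no ports).
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    proto = packet[9]
    if proto != ESP_PROTOCOL:
        raise ValueError(f"not ESP (protocol {proto})")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    esp = packet[ihl:]
    if len(esp) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", esp[:8])  # both network byte order
    return src, dst, spi, seq


def build_ipv4_esp(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4+ESP packet for testing (header checksum left 0)."""
    total_len = 20 + 8 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, ESP_PROTOCOL, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + struct.pack("!II", spi, seq) + payload


def inside_host_for(packet: bytes, spi_to_host: dict):
    """Pick the NATted inside host for an inbound ESP packet by its SPI.

    Returns None for an SPI that was not pre-agreed, which is exactly the
    packet a per-SPI DNAT rule set would leave unmatched.
    """
    _, _, spi, _ = parse_ipv4_esp(packet)
    return spi_to_host.get(spi)


def dnat_rules_for(spi_to_host: dict, public_ip: str, gateway: str) -> list:
    """Emit one DNAT rule per inbound SPI, as the thread's approach implies.

    Uses the esp match from the iptables man page ("-m esp --espspi").
    The inside host chooses its own inbound SPI and the NAT box cannot learn
    it from the encrypted payload, hence the SPIs must be hardcoded on both
    peers (constructed values here).
    """
    rules = []
    for spi, host in sorted(spi_to_host.items()):
        rules.append(
            f"iptables -t nat -A PREROUTING -s {gateway} -d {public_ip} "
            f"-p esp -m esp --espspi {spi} -j DNAT --to-destination {host}"
        )
    return rules


if __name__ == "__main__":
    # Constructed scenario: two inside hosts behind one public IP, one remote gateway.
    GATEWAY, PUBLIC_IP = "203.0.113.1", "198.51.100.5"
    SPI_MAP = {0x1000: "192.168.1.10", 0x1001: "192.168.1.11"}
    pkt = build_ipv4_esp(GATEWAY, PUBLIC_IP, 0x1001, seq=42, payload=b"\x00" * 16)
    print(parse_ipv4_esp(pkt), "->", inside_host_for(pkt, SPI_MAP))
    print("\n".join(dnat_rules_for(SPI_MAP, PUBLIC_IP, GATEWAY)))
```

The outbound direction needs no SPI logic: every inside host's ESP to the gateway is rewritten to the same public source address by an ordinary SNAT/MASQUERADE rule. Only the inbound direction is ambiguous, and the DNAT rules above resolve it by SPI alone, which is why an unexpected or renegotiated SPI simply falls through unmatched.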