Hello,

I would like to handle packets coming through an IPsec tunnel with DNAT, but that does not work completely. It looks as if the reply packets for the PREROUTED request aren't handled. Or do I just have problems understanding it? It would be great if somebody could help me. Sorry, my English isn't very good and my computer knowledge is even worse, but I wrote this for my husband, who can't speak English at all. I really hope somebody can help us so my husband can do other things than hacking on his machine.

    0     0 DNAT       all  --  ipsec0 *       10.10.200.0/24       172.28.2.162

Nov 29 16:59:39 fw kernel: IN=ipsec0 OUT=eth0 SRC=10.10.200.50 DST=192.168.168.80 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=30478 SEQ=62721
Nov 29 16:59:39 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.168.80 DST=10.10.200.50 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=17742 PROTO=ICMP TYPE=0 CODE=0 ID=30478 SEQ=62721

Here is more information:

Computer A: IP 192.168.168.80
            Reliant Unix

Gateway A:  eth0 192.168.168.59
            eth1 130.168.100.1    # external and ipsec-dev
            Kernel 2.4.4-SuSE, FreeSWAN 1.92 + X509

Gateway B:  eth0 10.10.200.20
            ippp0 130.168.200.2   # external and ipsec-dev
            Kernel 2.4.4-SuSE, FreeSWAN 1.92

Computer B: IP 10.10.200.50
            Linux Gentoo

Computer A would like to reach Computer A via IP 172.28.2.162.

Gateway A: ipsec.conf excerpt

conn gg
        right=130.168.200.2
        rightsubnet=10.10.200.0/24
        left=130.168.100.1
        leftnexthop=130.168.100.101
#       leftsubnet=192.168.168.0/24
        leftsubnet=172.28.2.160/28
        leftupdown=/usr/local/lib/ipsec/gg_ud.sh
        authby=secret
        auto=add
        pfs=no

Gateway B: ipsec.conf excerpt

conn gg
        right=130.168.200.2
        rightsubnet=10.10.200.0/24
        rightnexthop=130.168.1.1
        left=130.168.100.1
#       leftsubnet=192.168.168.0/24
        leftsubnet=172.28.2.160/28
        authby=secret

The connection works if the excluded leftsubnet is used and leftupdown is excluded: Computer B can reach Computer A.

Gateway A:> cat /usr/local/lib/ipsec/gg_ud.sh
#!/bin/sh
#
case "$PLUTO_VERB:$1" in
up-client:)
        # Tunnel up: add the DNAT rule for traffic arriving from the peer subnet.
        iptables -t nat -A PREROUTING -i "$PLUTO_INTERFACE" \
                -s "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" \
                -d 172.28.2.162 -j DNAT --to 192.168.168.80
        ;;
down-client:)
        # Tunnel down: remove the same rule again.
        iptables -t nat -D PREROUTING -i "$PLUTO_INTERFACE" \
                -s "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" \
                -d 172.28.2.162 -j DNAT --to 192.168.168.80
        ;;
:status)
        # Manual call with "status" as argument: show the current rules.
        iptables -t nat -nvL PREROUTING
        ;;
esac

The tunnel gets established:

Gateway A:> ipsec eroute
0          172.28.2.160/28    -> 10.10.200.0/24     => tun0x1006@xxxxxxxxxxxxx

Gateway A:> iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 435120 packets, 38864020 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  ipsec0 *       10.10.200.0/24       172.28.2.162       to:192.168.168.80

Gateway B:> ipsec eroute
0          10.10.200.0/24     -> 172.28.2.160/28    => tun0x1004@xxxxxxxxxxxxx

A ping for testing:

Computer B:> ping 172.28.2.162
PING 172.28.2.162 (172.28.2.162): 56 octets data

Gateway A:> ipsec eroute
0          172.28.2.160/28    -> 10.10.200.0/24     => tun0x1008@xxxxxxxxxxxxx

Gateway A:> iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 435490 packets, 38906905 bytes)
 pkts bytes target     prot opt in     out     source               destination
  155 13020 DNAT       all  --  ipsec0 *       10.10.200.0/24       172.28.2.162       to:192.168.168.80

Gateway B:> ipsec eroute
278        10.10.200.0/24     -> 172.28.2.160/28    => tun0x1006@xxxxxxxxxxxxx

Gateway A:> iptables -I FORWARD -j LOG
Gateway A:> tail -f /var/log/messages
Nov 29 16:59:39 fw kernel: IN=ipsec0 OUT=eth0 SRC=10.10.200.50 DST=192.168.168.80 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=30478 SEQ=62721
Nov 29 16:59:39 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.168.80 DST=10.10.200.50 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=17742 PROTO=ICMP TYPE=0 CODE=0 ID=30478 SEQ=62721

Thanks
Ulla
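
Added example, not part of the original post: the FORWARD log check above, automated. It pairs each ICMP echo reply with its request by ICMP ID/SEQ and flags replies that leave by a different interface than the one the request arrived on. The function names are my own, and the second log pair in the sample is constructed for comparison.

```shell
#!/bin/sh
# Added example (not from the original post): pair ICMP echo requests and
# replies in netfilter LOG output and compare the interfaces they used.

# Reads LOG lines on stdin; prints one verdict line per matched reply.
check_icmp_return_path() {
    awk '
    {
        split("", f); seen_proto = 0
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "PROTO") seen_proto = 1
            # The IP header ID precedes PROTO=, the ICMP echo ID follows it.
            if (k == "ID" && seen_proto) k = "ICMPID"
            f[k] = v
        }
        if (f["PROTO"] != "ICMP") next
        key = f["ICMPID"] "/" f["SEQ"]
        if (f["TYPE"] == "8") {
            # Echo request: remember where it came in and who sent it.
            req_in[key] = f["IN"]; req_src[key] = f["SRC"]
        } else if (f["TYPE"] == "0" && (key in req_in) && f["DST"] == req_src[key]) {
            # Echo reply to a known request: compare the interfaces.
            verdict = (f["OUT"] == req_in[key]) ? "OK" : "MISMATCH"
            printf "%s id/seq=%s request_in=%s reply_out=%s reply_src=%s\n",
                verdict, key, req_in[key], f["OUT"], f["SRC"]
        }
    }'
}

# First pair: the two log lines from the post. Second pair: constructed.
sample_log() {
    cat <<'EOF'
Nov 29 16:59:39 fw kernel: IN=ipsec0 OUT=eth0 SRC=10.10.200.50 DST=192.168.168.80 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=30478 SEQ=62721
Nov 29 16:59:39 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.168.80 DST=10.10.200.50 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=17742 PROTO=ICMP TYPE=0 CODE=0 ID=30478 SEQ=62721
Nov 29 16:59:40 fw kernel: IN=ipsec0 OUT=eth0 SRC=10.10.200.50 DST=192.168.168.80 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=30478 SEQ=62977
Nov 29 16:59:40 fw kernel: IN=eth0 OUT=ipsec0 SRC=192.168.168.80 DST=10.10.200.50 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=17743 PROTO=ICMP TYPE=0 CODE=0 ID=30478 SEQ=62977
EOF
}

sample_log | check_icmp_return_path
```

On a live gateway the same function can be fed from the log, for example `grep 'PROTO=ICMP' /var/log/messages | check_icmp_return_path`.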