Er, yes, SNATted. Silly fingers, won't type what's in my head. I'll have a look at the link, but on the face of it the Linksys glossies seem to say it should work just fine absent the iptables middleman - in other words, the router doing DHCP on the "inside" with a class C private net, and knowing how to route multiple IPSec passthrough connections to their appropriate internal destinations. That doesn't seem, at first glance, to square with "it's an IPSec problem" - but maybe the Linksys documentation is... Optimistic.

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Daniel Lopes
Sent: April 5, 2005 10:10 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Iptables, nat, and IPSec

dave beach wrote:
> I have a class C private net behind both a dedicated linux/iptables
> box and a Linksys BEFSR41 broadband router. Traffic outbound from the
> iptables box to the router is DNATted to that machine's "external"
> (but still private) IP by iptables, and NATted again by the router to
> ITS external (public) IP. Everything works fine, except...
>
> I need to be able to run two concurrent passthrough IPSec sessions
> outbound through that configuration. Singly, they work fine. When run
> concurrently, the second one to try and connect to the office VPN (the
> IPSec requirement) fails.
>
> Digging through Linksys documentation reveals that this particular
> router will not support more than one passthrough IPSec session.
> Before I go and drop money on a replacement router (such as the
> BEFSX41), are there inherent limitations with iptables (or, probably
> more accurately, with NAT/IPSec generally) that would render such a
> purchase a waste of money in that it wouldn't solve my problem?
>
> Of course, I COULD bypass the iptables box and plug the second
> connecting device right into the (new) router, but I'd rather not do
> that if I don't have to.
>

It's an IPSec problem.
I don't want to go into detail but you probably should try NAT-Traversal. For the theory: http://www.ipsec-howto.org/x180.html

And the outbound traffic from the linux box to the router probably is SNATed ;).
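An added illustration (constructed for this page, not code from either poster) of the limitation being discussed: a NAT/PAT box keyed on addresses and ports has no port to rewrite in plain ESP, so two IPSec sessions from different inside hosts to the same VPN gateway collapse onto one mapping, whereas NAT-T's UDP/4500 encapsulation gives each host its own translated port. All addresses below are made up.

```python
# Constructed model of NAT demultiplexing for IPsec traffic.
# ESP (IP protocol 50) carries no port field, so a port-translating NAT
# can only key the return path on the peer address; UDP-encapsulated ESP
# (NAT-T, UDP/4500) gives it a translated source port that is unique per
# inside host. A one-session "IPsec passthrough" has exactly this limit.

from dataclasses import dataclass, field

GATEWAY = "203.0.113.10"   # constructed: the office VPN gateway


@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000
    # inbound lookup key -> inside host that owns the session
    table: dict = field(default_factory=dict)

    def outbound(self, proto, inside_host, peer):
        """Translate an outbound packet and return the key the NAT will
        later use to recognise the gateway's reply."""
        if proto == "esp":
            key = ("esp", peer)               # nothing else to key on
        else:
            pub_port = self.next_port         # rewrite to a fresh port
            self.next_port += 1
            key = (proto, peer, pub_port)     # unique per inside host
        # For ESP the second host's entry silently replaces the first.
        self.table[key] = inside_host
        return key

    def inbound(self, key):
        """Return the inside host a reply with this key is delivered to."""
        return self.table.get(key)


def run(nat_t):
    """Two inside hosts open IPsec to the same gateway through one NAT.
    Returns [host receiving A's reply, host receiving B's reply]."""
    nat = Nat("198.51.100.1")
    proto = "udp" if nat_t else "esp"
    key_a = nat.outbound(proto, "192.168.1.10", GATEWAY)
    key_b = nat.outbound(proto, "192.168.1.11", GATEWAY)
    return [nat.inbound(key_a), nat.inbound(key_b)]


if __name__ == "__main__":
    print("plain ESP :", run(nat_t=False))   # A's reply lands on B
    print("NAT-T     :", run(nat_t=True))    # each host gets its own
```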