Couldn't he just SNAT the packets on his side when they become un-encapsulated? I'm doing this on a couple of my VPN links.

Dan

On Tue, 2005-04-12 at 15:08 -0300, Eduardo Spremolla wrote:
> I have 2 local networks 10.2.2.0/24 and 10.37.130.0/24 interconnected by
> an ipsec tunnel running on kernel 2.6 native ipsec. So far so good.
>
> Now the admin of 10.37.130.0 wants me to NAT my network to 10.3.3.0
> because he had an ip conflict. I can't SNAT because when the packet goes
> to nat post it has been encapsulated in ESP and had the firewall's
> address, as you can see in the bottom log snippet. I try to use NETMAP in
> mangle PREROUTING, but it changes the dest ip, not the source.
>
> Is this possible?
>
> Thanks in advance for any clue.
>
> LALO