Marco,

What you have included below makes sense. I will take a look at getting 1.3.5 in place. Not sure how long that will take me though. The workaround in place is working for me (but I have some 30 entries in there -- wide WAN net of IPsec firewalls). I did read something about using the policy modules BUT I couldn't find any reference to what version it was in. Now I know :)

Thanks,
Gary Wayne Smith

> >Current working:
> >-A POSTROUTING -s 10.0.16.0/255.255.248.0 -d 10.0.32.0/255.255.255.0 -o eth1 -j ACCEPT
> >-A POSTROUTING -o eth1 -j MASQUERADE
>
> I haven't understood your message.
> Since 2.6.16 outgoing ipsec packets are seen twice:
> clear & encrypted on the outgoing interface (which if
> I correctly understand is eth1 for you).
> You must upgrade to iptables >=1.3.5 and take a look
> for the new 'policy' match.
> Something like this should do the trick (linux will
> not snat packets which will be sent through the (any)
> ipsec tunnel(s)):
>
> $IPTABLES -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
>
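The two approaches in this thread side by side, as an added example that is not code from either poster: the per-subnet ACCEPT workaround Gary is using (one rule per remote IPsec subnet, which is why his table has grown to some 30 entries) and the single `policy` match rule Marco suggests, which exempts every outbound packet that matches an IPsec policy from MASQUERADE regardless of destination. The `WAN_IF` variable, the rule-generating functions and the `check_nat_order` ordering check are assumptions of this example; the `iptables` options themselves are the ones quoted above (`-m policy --dir out --pol ipsec` needs iptables 1.3.5 or later on a 2.6.16 or later kernel).

```shell
#!/bin/sh
# Added example, not from the original thread.
# Generates nat POSTROUTING rules so that traffic bound for IPsec tunnels
# is not masqueraded, and checks that the exemption sits before MASQUERADE.
# WAN_IF and IPTABLES are assumptions; set IPTABLES="echo iptables" to
# preview the commands instead of changing the running firewall.

WAN_IF="${WAN_IF:-eth1}"
IPTABLES="${IPTABLES:-iptables}"

# The pre-1.3.5 workaround: one ACCEPT per local/remote subnet pair.
# Arguments: local subnet, then one or more remote subnets (constructed
# sample values are used in the usage below). Every new tunnel needs a
# new rule, and a forgotten one silently breaks that tunnel's traffic.
legacy_nat_rules() {
    local_net="$1"; shift
    for remote_net in "$@"; do
        echo "-t nat -A POSTROUTING -s $local_net -d $remote_net -o $WAN_IF -j ACCEPT"
    done
    echo "-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# The policy-match version: a single ACCEPT for any packet that will be
# IPsec-protected on the way out, placed before the catch-all MASQUERADE.
# Order matters: the exemption must come first, or every packet, the clear
# copy included, is masqueraded before the policy match is ever reached.
policy_nat_rules() {
    echo "-t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"
    echo "-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Feed a rule list to $IPTABLES, one command per line. Runs in a subshell
# because of the pipe, so a failing command aborts the loop via exit.
apply_rules() {
    while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        $IPTABLES $rule || exit 1
    done
}

# Read a rule dump on stdin (iptables-save format, or the generator output
# with the "-t nat " prefix removed) and verify that an IPsec policy
# exemption appears in POSTROUTING before any MASQUERADE. Returns 0 when
# the order is correct, 1 otherwise. Handy after an upgrade or reload.
check_nat_order() {
    awk '
        /-A POSTROUTING/ && /-m policy --dir out --pol ipsec/ && /-j ACCEPT/ { seen=1 }
        /-A POSTROUTING/ && /-j MASQUERADE/ && !seen                        { bad=1 }
        END { exit bad ? 1 : 0 }'
}

# Usage (constructed sample subnets): preview both rule sets.
# IPTABLES="echo iptables" legacy_nat_rules 10.0.16.0/21 10.0.32.0/24 | apply_rules
# policy_nat_rules | apply_rules
```

To audit a running box, `iptables-save -t nat | check_nat_order` tells you whether the exemption is ordered correctly; an exit status of 1 means a MASQUERADE rule precedes the policy match and tunnel traffic is being rewritten.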