From: "noa levy" <noalevy@xxxxxxxxx>
Date: Tue, 5 Jun 2007 15:29:47 +0300

> Hi All,
>
> I have a setup where I need to SNAT traffic that will be going out via
> an IPSec tunnel. The NAT must take place before the IPSec
> encryption+encapsulation, so I need the packet to first go through
> SNAT and then match an IPSec policy. After being IPSec-ified, I need
> the packets to go through routing again.
> My question:
> SNAT takes place in POST_ROUTING. Can IPSec be applied after that?

Yes. Mangling addresses in packets at POST_ROUTING results in a re-lookup of policy and re-routing. Then what you need is to configure a policy with the address mangled by SNAT.

> I have read that after IPSec the packet gets injected to LOCAL_OUT
> again, but when does the actual IPSec policy decision take place?
> Won't it happen *before* SNAT? Can I control it?

If you don't configure any policy matching packets before SNAT, no policy is applied at the time, of course.

-- 
Yasuyuki Kozakai
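The configuration the reply describes, as an added example that is not part of the thread: an SNAT rule in the nat POSTROUTING chain, plus xfrm policies whose outbound selector names the post-SNAT source address rather than the inner network, so the policy re-lookup that follows POSTROUTING matches. The addresses, reqid, SPIs and keys are all constructed for illustration; the manually keyed SAs stand in for what an IKE daemon would normally negotiate; the `dir fwd` and `dir in` selectors for the return direction are my assumption that conntrack undoes the SNAT at PREROUTING before the forward-direction policy check. The script prints the commands by default (DRY_RUN=1) and only executes them with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Added example (not from the thread): SNAT before IPsec on a Linux gateway.
# The xfrm policy that is looked up again after POSTROUTING sees the SNATed
# source, so the selectors below use $SNAT_IP, not $INNER_NET.
# Every address, SPI and key here is constructed for illustration.

INNER_NET=10.1.0.0/24     # hosts behind this gateway (pre-SNAT source)
SNAT_IP=192.0.2.10        # address the traffic is SNATed to (assumption)
REMOTE_NET=10.2.0.0/24    # network on the far side of the tunnel
PEER=198.51.100.20        # remote IPsec gateway
REQID=1                   # ties the policy templates to the SAs below

# Dummy key material for the manually keyed SAs (never use fixed keys
# like these in production; an IKE daemon would negotiate real ones).
AUTH_KEY=0x1111111111111111111111111111111111111111111111111111111111111111
ENC_KEY=0x22222222222222222222222222222222

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

nat_rules() {
    # SNAT lives in POSTROUTING. Restrict it to tunnel-bound traffic so
    # other egress keeps its original source address.
    run iptables -t nat -A POSTROUTING -s "$INNER_NET" -d "$REMOTE_NET" \
        -j SNAT --to-source "$SNAT_IP"
}

xfrm_policies() {
    # Outbound: the re-lookup after SNAT sees src=$SNAT_IP, so a policy
    # keyed on $INNER_NET would not be the one matched after mangling.
    run ip xfrm policy add src "$SNAT_IP/32" dst "$REMOTE_NET" dir out \
        tmpl src "$SNAT_IP" dst "$PEER" proto esp reqid "$REQID" mode tunnel
    # Return traffic (assumption): after ESP decapsulation the inner packet
    # re-enters at PREROUTING, where conntrack reverses the SNAT, so the
    # forward-direction check sees dst inside $INNER_NET.
    run ip xfrm policy add src "$REMOTE_NET" dst "$INNER_NET" dir fwd \
        tmpl src "$PEER" dst "$SNAT_IP" proto esp reqid "$REQID" mode tunnel
    # Decapsulated packets addressed to the gateway itself use dir in.
    run ip xfrm policy add src "$REMOTE_NET" dst "$SNAT_IP/32" dir in \
        tmpl src "$PEER" dst "$SNAT_IP" proto esp reqid "$REQID" mode tunnel
}

xfrm_states() {
    # Manually keyed SAs in both directions; reqid links them to the
    # templates in xfrm_policies.
    run ip xfrm state add src "$SNAT_IP" dst "$PEER" proto esp spi 0x10000001 \
        reqid "$REQID" mode tunnel \
        auth-trunc 'hmac(sha256)' "$AUTH_KEY" 128 enc 'cbc(aes)' "$ENC_KEY"
    run ip xfrm state add src "$PEER" dst "$SNAT_IP" proto esp spi 0x10000002 \
        reqid "$REQID" mode tunnel \
        auth-trunc 'hmac(sha256)' "$AUTH_KEY" 128 enc 'cbc(aes)' "$ENC_KEY"
}

# Source selector of the outbound policy, for checking that it is the
# SNATed address and not the inner network.
out_policy_src() {
    xfrm_policies | grep 'dir out' | sed 's/^ip xfrm policy add src \([^ ]*\) .*/\1/'
}

# Order matters when applying for real: install SAs before the policies
# that reference them, so matching packets are not dropped meanwhile.
nat_rules
xfrm_states
xfrm_policies
```

Run it as-is to review the generated rules; `DRY_RUN=0 sh snat-ipsec.sh` applies them. The check to make after applying is `ip xfrm policy` and `iptables -t nat -L POSTROUTING -n`: the `dir out` selector must show the SNAT address as its source.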