That's the problem. I don't have control over UDP encapsulation because I don't control the server's end!

-----Original Message-----
From: Martijn Lievaart [mailto:m@xxxxxxx]
Sent: Friday, November 09, 2007 6:02 PM
To: Patrick Wong
Cc: netfilter@xxxxxxxxxxxxxxx
Subject: Re: NAT'ing multiple IPsec clients to the same destination IPSec server

Patrick Wong wrote:
> Way back in 2.0.18 kernel, there was an IPsec connection tracking module
> that would allow me to masquerade multiple IPsec clients (eg Cisco VPN
> client) all going to the same remote IPsec server onto one external IP
> address. This was done with IPsec connection module + ipmasqadm +
> ipchains.
>
> I have never been able to get the above to work on iptables. In the
> early days of iptables, I also noticed there was no IPsec conntrack
> module.
>
> If I have only 1 external IP address on my firewall/gateway to SNAT to,
> is there a way to support multiple IPSec clients on my internal LAN all
> establishing IPSec connections to the same destination IPSec server?
>

Cisco VPN client supports UDP encapsulation. You have to allow it on the concentrator too, but if that is possible, it should work without specific iptables rules.

M4
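As an added illustration, not part of this thread or of netfilter itself: a toy model of a stateful SNAT box (constructed addresses, simplified conntrack keyed only on addresses and ports) showing why plain ESP from two LAN clients to one server cannot be told apart behind a single external IP, while UDP-encapsulated IPsec (UDP 4500) can, because SNAT can hand each client its own source port.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP, UDP = 50, 17          # IP protocol numbers
NAT_T_PORT = 4500          # UDP port used for IPsec NAT traversal (UDP encapsulation)


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: the protocol has no port numbers
    dport: Optional[int] = None


class Snat:
    """Simplified stateful SNAT: every LAN flow is rewritten to one external IP.
    For UDP a fresh source port is allocated so replies can be demultiplexed;
    for ESP there is no port field, so the translated tuple collapses."""

    def __init__(self, ext_ip: str, first_port: int = 1024) -> None:
        self.ext_ip = ext_ip
        self.next_port = first_port
        self.outbound: Dict[Flow, Flow] = {}          # LAN flow -> translated flow
        self.inbound: Dict[Tuple, str] = {}           # reply tuple -> LAN client

    def translate(self, f: Flow) -> Flow:
        if f in self.outbound:
            return self.outbound[f]
        if f.proto == ESP:
            t = Flow(ESP, self.ext_ip, f.dst)
        else:
            t = Flow(f.proto, self.ext_ip, f.dst, self.next_port, f.dport)
            self.next_port += 1
        # A reply from the server arrives as (proto, server, dport=t.sport);
        # if two clients map to the same key, the box cannot route replies.
        key = (t.proto, t.dst, t.sport)
        if key in self.inbound and self.inbound[key] != f.src:
            raise ValueError(f"reply tuple {key} already claimed by {self.inbound[key]}")
        self.inbound[key] = f.src
        self.outbound[f] = t
        return t


def route_clients(proto: int, clients, server: str = "203.0.113.10",
                  ext_ip: str = "198.51.100.1") -> Dict[str, Flow]:
    """Translate one flow per client; raise ValueError when replies would be ambiguous."""
    nat, out = Snat(ext_ip), {}
    for c in clients:
        ports = (NAT_T_PORT, NAT_T_PORT) if proto == UDP else (None, None)
        out[c] = nat.translate(Flow(proto, c, server, *ports))
    return out
```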