Re: Traffic traverses OpenSwan tunnel, return traffic does not

----- Original Message -----
>         leftsubnet=192.168.7.0/24
>         #right side is hq
>         right=xx.xx.x.162
>         rightsubnet=192.168.11.0/24
...
> # Generated by iptables-save v1.3.8 on Sat Oct  1 17:30:36 2011
> *nat
...
> -A POSTROUTING -o eth0 -j SNAT --to-source xx.xx.xxx.64
...

Sure enough, this could be breaking your outbound IPsec traffic.  The source address gets changed with SNAT before the encryption decision.  When the time for encryption comes, the source of the packet is no longer part of the rightsubnet, so it no longer looks like it should be encrypted.

This might do the trick for you:

iptables -t nat -I POSTROUTING -s 192.168.7.0/24 -d 192.168.11.0/24 -j ACCEPT

This kicks packets with a source in the leftsubnet heading for a destination in the rightsubnet out of the NAT table before any translations can take place.  Then they can be encrypted.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
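Added example (not from the thread or the netfilter project): a small POSIX sh simulation of first-match evaluation in the nat POSTROUTING chain, over constructed rule lists, showing why the ACCEPT exception must be inserted with -I ahead of the existing SNAT rule rather than appended with -A.

```sh
#!/bin/sh
# Constructed rule lists (hypothetical), one rule per line: "src dst target".
# 'any' matches everything. FIXED is the chain after the suggested -I;
# BROKEN is what -A would have produced (SNAT still first).
FIXED='192.168.7.0/24 192.168.11.0/24 ACCEPT
any any SNAT'
BROKEN='any any SNAT
192.168.7.0/24 192.168.11.0/24 ACCEPT'

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> success if IP lies inside CIDR (or CIDR is 'any')
in_cidr() {
  [ "$2" = any ] && return 0
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# nat_action RULES SRC DST -> target of the first matching rule, as
# netfilter would pick it; no match means the chain policy (ACCEPT).
nat_action() {
  while read -r s d target; do
    if in_cidr "$2" "$s" && in_cidr "$3" "$d"; then
      echo "$target"; return 0
    fi
  done <<EOF
$1
EOF
  echo ACCEPT
}

# Tunnel traffic (leftsubnet -> rightsubnet) and ordinary Internet traffic.
echo "fixed,  7.10 -> 11.5 : $(nat_action "$FIXED" 192.168.7.10 192.168.11.5)"
echo "fixed,  7.10 -> 8.8.8.8: $(nat_action "$FIXED" 192.168.7.10 8.8.8.8)"
echo "broken, 7.10 -> 11.5 : $(nat_action "$BROKEN" 192.168.7.10 192.168.11.5)"
```

With the exception first, tunnel-bound packets keep their leftsubnet source and still match the IPsec policy; with it appended after the SNAT rule, they are rewritten before the policy check and the tunnel never sees them.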

