Esteban wrote:
> On the other side, when an ESP packet comes from VPN2 with destination
> my Linux GW, I try to DNAT it to my VPN1. But same thing, I can see it
> with tcpdump on my external interface, but I still can't see it in the
> first NAT PREROUTING chain.
...
>
> My Linux GW is a Debian with 2.4.19-grsec kernel.

I've only worked with configurations like yours under the 2.2 kernel. On
that kernel life is a lot easier if you apply the ip_masq_ipsec patches.
netfilter in 2.4 seems to include ipsec masquerading modules by default,
so you probably won't need to patch. On my system here are the two
relevant modules:

  /lib/modules/2.4.20-k7/kernel/net/ipv4/netfilter/ipt_ah.o
  /lib/modules/2.4.20-k7/kernel/net/ipv4/netfilter/ipt_esp.o

Perhaps try loading these two modules to see if it improves the situation.

Fraser