I am trying to set up IPSec tunnels in an environment where the external interface of the router/tunnel box has a NAT'd address using netfilter, and for some reason the inbound packets aren't being DNAT'd as I want them.
It looks, from the error messages out of IPSec, that IPSec might be seeing the packets before the PREROUTING routine in iptables (which is where the DNAT gets done) and hence dropping the packets before they get to PREROUTING. Either that, or I have a screwed DNAT rule, but it looks OK and an almost identical one does work for UDP port 500, which is the key exchange for the IPSec tunnel setup. It just doesn't seem to want to work for protocol 50 (ESP) or for protocol 51 (AH).

BTW, I am having to DNAT because the upstream carrier uses RFC1918 addresses at their interface.

Does anyone have any ideas on this problem? Which is first - chicken or egg?

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"I believe that forgiving them [terrorists] is God's function. Our job is simply to arrange the meeting." - General "Storm'n" Norman Schwartzkopf

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
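The quickest way to settle the "chicken or egg" question above is to look at the per-rule packet counters in the nat table: if the ESP rule's counter climbs while the tunnel still fails, the packets are reaching PREROUTING and the problem is downstream of netfilter; if it stays at zero while tcpdump on the external interface shows ESP arriving, the rule is not matching. The script below is an added example written for this page (it is not code from the poster or from the iptables project): it parses the output of `iptables -t nat -L PREROUTING -v -n -x` (a constructed sample listing is embedded; the interface name eth0 and the addresses 10.1.2.3 and 192.168.1.2 are made up) and reports which DNAT rules have never been hit. It also emits a minimal 1:1 DNAT rule set for IKE, NAT-T and ESP; AH is deliberately omitted because its integrity check covers the IP destination address, so a DNAT'd AH packet fails authentication at the far end no matter where the rule sits.

```python
"""Check whether inbound IPsec traffic is reaching the netfilter DNAT rules.

Added example, not part of the original mailing-list post. Parses the
counters printed by `iptables -t nat -L PREROUTING -v -n -x` and reports the
DNAT rules that have matched zero packets. Interface and addresses in the
sample are invented.
"""
import re

# Protocol names as iptables prints them (numeric protocols are accepted too).
PROTO_NUMBERS = {"all": 0, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}

# Constructed sample listing: the IKE rule is matching, the ESP/AH rules never have.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 4821 packets, 412330 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     9600 DNAT       udp  --  eth0   *       0.0.0.0/0            10.1.2.3             udp dpt:500 to:192.168.1.2
       0        0 DNAT       esp  --  eth0   *       0.0.0.0/0            10.1.2.3             to:192.168.1.2
       0        0 DNAT       ah   --  eth0   *       0.0.0.0/0            10.1.2.3             to:192.168.1.2
"""


def parse_nat_listing(text):
    """Turn the verbose, numeric listing of one nat chain into a list of dicts."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Rule lines start with the packet counter; the chain header and the
        # column header do not.
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        pkts, _bytes, target, prot, _opt, in_if, _out_if, src, dst = parts[:9]
        extra = " ".join(parts[9:])
        proto = PROTO_NUMBERS.get(prot.lower())
        if proto is None and prot.isdigit():
            proto = int(prot)
        dport = re.search(r"dpt:(\d+)", extra)
        to = re.search(r"to:(\S+)", extra)
        rules.append({
            "pkts": int(pkts), "target": target, "proto": proto, "in": in_if,
            "src": src, "dst": dst,
            "dport": int(dport.group(1)) if dport else None,
            "to": to.group(1) if to else None,
        })
    return rules


def dnat_hit_counts(text):
    """Map (protocol number, destination port or None) -> packets matched, for DNAT rules only."""
    return {(r["proto"], r["dport"]): r["pkts"]
            for r in parse_nat_listing(text) if r["target"] == "DNAT"}


def unhit_dnat_rules(text):
    """DNAT rules whose counter is still zero, i.e. no packet has ever matched them."""
    return sorted((k for k, v in dnat_hit_counts(text).items() if v == 0),
                  key=lambda k: (k[0], k[1] or 0))


def ipsec_dnat_rules(ext_if, ext_ip, inner_ip):
    """iptables commands for a static 1:1 DNAT of IPsec to one inner gateway.

    AH (protocol 51) is intentionally absent: its ICV is computed over the IP
    destination address, so rewriting that address breaks verification at the
    peer. ESP does not protect the outer header and survives a static DNAT;
    UDP 4500 is NAT-T, the usual way to cross NAT when both peers support it.
    """
    base = f"iptables -t nat -A PREROUTING -i {ext_if} -d {ext_ip}"
    return [
        f"{base} -p udp --dport 500 -j DNAT --to-destination {inner_ip}",
        f"{base} -p udp --dport 4500 -j DNAT --to-destination {inner_ip}",
        f"{base} -p esp -j DNAT --to-destination {inner_ip}",
    ]


if __name__ == "__main__":
    for key, count in dnat_hit_counts(SAMPLE_LISTING).items():
        print(f"proto {key[0]} dport {key[1]}: {count} packets")
    print("never matched:", unhit_dnat_rules(SAMPLE_LISTING))
    print("\n".join(ipsec_dnat_rules("eth0", "10.1.2.3", "192.168.1.2")))
```

Two things to keep in mind when reading the counters: the nat table is consulted only for the first packet of a connection-tracking flow, so an ESP flow that conntrack already knows about (from before the rule was added) will never be rewritten and will never increment the rule's counter until the conntrack entry expires or is flushed; and the `-d` address in the rule has to be the pre-NAT destination, the RFC1918 address the carrier hands the packet to, not the address the inner gateway sees.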
