Hello,

I suppose you use freeswan for the Linux IPsec stack. If this is the case, ISAKMP packets are handled in a classical way, so the behavior is the one you should expect, and it seems to be the case.

For IPsec packets (AH and ESP), the explained behavior makes sense: the packet arrives on the external physical interface, goes through the NAT code (effect: the destination IP address is changed), then the IPsec code is called and drops the packet, as it is IPsec protected but does not match the security policy (the lookup is done based on selectors which use the IP address, and should (freeswan does not support it) use the src port, dst port and protocol type (at IP level)). Another problem is that if you use AH, the authentication HMAC function will fail as well, as it includes the IP header too.

I reckon the solution in your case is to not NAT ESP and AH packets on your physical interface, but only the processed IP packets coming from the ipsecX interface, and it should work.

Hope that helps,

Cheers,

JeF

> I am trying to set up IPSec tunnels in an environment where the external
> interface of the router/tunnel box has a NAT'd address using netfilter,
> and for some reason the inbound packets aren't being DNAT'd as I want them.
>
> It looks, from the error messages out of IPSec, that IPSec might be seeing
> the packets before the PREROUTING routine in iptables (which is where the
> DNAT gets done) and hence dropping the packets before they get to
> prerouting. Either that, or I have a screwed DNAT rule, but it looks OK
> and an almost identical one does work for UDP port 500 which is the key
> exchange for the IPSec tunnel setup. It just doesn't seem to want to work
> for protocol 50 (esp) or for protocol 51 (ah).
>
> BTW, I am having to DNAT because the upstream carrier uses RFC1918
> addresses at their interface.
>
> Does anyone have any ideas on this problem. Which is first - chicken or
> egg?
>
> --
> Howard.
> LANNet Computing Associates - Your Linux people
> Contact detail at http://www.lannetlinux.com
> "I believe that forgiving them [terrorists] is God's function.
> Our job is simply to arrange the meeting."
> - General "Storm'n" Norman Schwartzkopf
>
> --
> SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug

--
-> Jean-Francois Dive --> [EMAIL PROTECTED]
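The two failure modes JeF describes (the inbound SA/policy lookup keying on the destination address that DNAT just rewrote, and the AH integrity check covering the outer IP header) can be reproduced without a kernel. The following is an added illustration, not code from the thread or from freeswan: it builds a minimal IPv4 header, computes an AH-style ICV the way RFC 2402 does (mutable fields zeroed, HMAC-SHA1-96) and an ESP-style ICV (ESP header plus payload only), then applies a DNAT rewrite of the destination address and re-checks both. All addresses, the key and the SPI are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51
ESP_PROTO = 50

# Constructed demo values; none of these come from the original message.
KEY = b"constructed-demo-key"
SPI = 0x1001
PEER_SRC = "198.51.100.7"    # remote IPsec gateway
PUBLIC_DST = "203.0.113.10"  # address the peer sends to (before DNAT)
PRIVATE_DST = "10.0.0.2"     # RFC1918 address the box actually holds (after DNAT)

# Inbound SA database keyed the classical way: (destination address, protocol, SPI).
SAD = {(PUBLIC_DST, AH_PROTO, SPI): KEY, (PUBLIC_DST, ESP_PROTO, SPI): KEY}


def ip_checksum(hdr):
    """Standard one's-complement checksum over a 20-byte header with the checksum field zeroed."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_mutable_zeroed(ip_hdr):
    """RFC 2402: TOS, flags/fragment offset, TTL and checksum are zeroed; src/dst are covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(ip_hdr, seq, payload):
    """HMAC-SHA1-96 over zeroed IP header + AH header (ICV zeroed) + payload."""
    ah_hdr = struct.pack("!BBHII", 4, 4, 0, SPI, seq)  # next hdr, payload len, reserved, SPI, seq
    data = ah_mutable_zeroed(ip_hdr) + ah_hdr + b"\x00" * 12 + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def esp_icv(seq, payload):
    """ESP integrity covers only the ESP header and payload, never the outer IP header."""
    return hmac.new(KEY, struct.pack("!II", SPI, seq) + payload, hashlib.sha1).digest()[:12]


def dnat(ip_hdr, new_dst):
    """What a PREROUTING DNAT rule does to the outer header: rewrite dst and fix the checksum."""
    h = bytearray(ip_hdr)
    h[16:20] = socket.inet_aton(new_dst)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def simulate(proto, do_nat):
    """Return whether the inbound SA lookup and the integrity check succeed at the receiver."""
    payload = b"constructed inner packet bytes"
    seq = 1
    hdr = ipv4_header(PEER_SRC, PUBLIC_DST, proto, len(payload))
    sent_icv = ah_icv(hdr, seq, payload) if proto == AH_PROTO else esp_icv(seq, payload)
    if do_nat:
        hdr = dnat(hdr, PRIVATE_DST)
    dst = socket.inet_ntoa(hdr[16:20])
    sa_found = (dst, proto, SPI) in SAD
    expected = ah_icv(hdr, seq, payload) if proto == AH_PROTO else esp_icv(seq, payload)
    return {"sa_found": sa_found, "icv_ok": hmac.compare_digest(sent_icv, expected)}


if __name__ == "__main__":
    for name, proto in (("AH", AH_PROTO), ("ESP", ESP_PROTO)):
        for nat in (False, True):
            print(name, "DNAT" if nat else "no NAT", simulate(proto, nat))
```

Running it shows the address-keyed SA lookup missing for both protocols once the destination has been rewritten, and the AH ICV additionally failing because the rewritten destination address is inside the authenticated region; ESP's ICV survives the rewrite, which is why only the lookup problem applies to it. This matches the thread's advice to leave protocol 50 and 51 packets un-NATed on the physical interface and translate only the decapsulated traffic.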