Which is first - chicken or egg?

Howard Lowndes lannet at lannet.com.au
Mon Apr 15 06:19:22 EST 2002


I am trying to set up IPSec tunnels in an environment where the external
interface of the router/tunnel box has a NAT'd address using netfilter,
and for some reason the inbound packets aren't being DNAT'd as I want them.

It looks, from the error messages out of IPSec, that IPSec might be seeing
the packets before the PREROUTING routine in iptables (which is where the
DNAT gets done) and hence dropping the packets before they get to
prerouting.  Either that, or I have a screwed DNAT rule, but it looks OK
and an almost identical one does work for UDP port 500 which is the key
exchange for the IPSec tunnel setup.  It just doesn't seem to want to work
for protocol 50 (esp) or for protocol 51 (ah).

BTW, I am having to DNAT because the upstream carrier uses RFC1918
addresses at their interface.

Does anyone have any ideas on this problem?  Which is first - chicken or
egg?

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
 "I believe that forgiving them [terrorists] is God's function.
 Our job is simply to arrange the meeting."
   - General "Storm'n" Norman Schwarzkopf
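As an added check (not part of Howard's post, and not an answer to it): the question hinges on whether the ESP and AH packets ever reach the nat PREROUTING rules at all. One way to tell the two explanations apart is to read the per-rule packet counters from `iptables -t nat -L PREROUTING -v -n`. If the UDP 500 DNAT rule's counter climbs while the esp and ah rules stay at zero, those packets are either being consumed before PREROUTING or not matching the rule; if the esp/ah counters do climb, the rules are being hit and the problem lies later. The script below parses that output and lists DNAT rules with zero hits. The sample output is constructed for the example, and the addresses in it are placeholders.

```python
import re

# Constructed sample of `iptables -t nat -L PREROUTING -v -n` output.
# The interface, addresses and counters are made up for this example.
SAMPLE_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 1234 packets, 567K bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  5040 DNAT       udp  --  eth0   *       0.0.0.0/0            10.1.2.3             udp dpt:500 to:192.168.10.1
    0     0 DNAT       esp  --  eth0   *       0.0.0.0/0            10.1.2.3             to:192.168.10.1
    0     0 DNAT       ah   --  eth0   *       0.0.0.0/0            10.1.2.3             to:192.168.10.1
  12K 1525K DNAT       tcp  --  eth0   *       0.0.0.0/0            10.1.2.3             tcp dpt:80 to:192.168.10.2
"""

# iptables -v abbreviates large counters with K/M/G suffixes.
_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_COUNT_RE = re.compile(r"(\d+(?:\.\d+)?)([KMG]?)")


def parse_count(token):
    """Turn an iptables counter token such as '42' or '12K' into an int."""
    m = _COUNT_RE.fullmatch(token)
    if not m:
        raise ValueError("not an iptables counter: %r" % token)
    return int(float(m.group(1)) * _SUFFIX[m.group(2)])


def parse_nat_chain(text):
    """Parse the rule lines of one `iptables -t nat -L <chain> -v -n` listing.

    Returns a list of dicts, one per rule, in chain order. The 'Chain' line
    and the column header line are skipped because their first token is not
    a counter.
    """
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not _COUNT_RE.fullmatch(parts[0]):
            continue
        pkts, nbytes, target, prot, opt, in_if, out_if, src, dst = parts[:9]
        extra = " ".join(parts[9:])  # match options and the DNAT "to:" address
        to = re.search(r"\bto:(\S+)", extra)
        rules.append({
            "pkts": parse_count(pkts),
            "bytes": parse_count(nbytes),
            "target": target,
            "prot": prot,
            "in": in_if,
            "dst": dst,
            "to": to.group(1) if to else None,
            "match": extra,
        })
    return rules


def idle_dnat_rules(rules):
    """DNAT rules whose packet counter is still zero, i.e. never matched."""
    return [r for r in rules if r["target"] == "DNAT" and r["pkts"] == 0]


def report(text):
    """Summarise which DNAT rules are being hit and which are idle."""
    rules = parse_nat_chain(text)
    hit = [r["prot"] for r in rules if r["target"] == "DNAT" and r["pkts"] > 0]
    idle = [r["prot"] for r in idle_dnat_rules(rules)]
    return {"hit": hit, "idle": idle}


if __name__ == "__main__":
    summary = report(SAMPLE_PREROUTING)
    print("DNAT rules with traffic:", ", ".join(summary["hit"]))
    print("DNAT rules never matched:", ", ".join(summary["idle"]))
```

On a live box you would feed it the real listing (for example `subprocess.run(["iptables", "-t", "nat", "-L", "PREROUTING", "-v", "-n"], capture_output=True, text=True).stdout`) and take two readings a few seconds apart while a peer is trying to bring the tunnel up; only the difference between readings matters, since counters persist until the table is flushed. The parser deliberately tolerates the K/M/G abbreviations, which otherwise make a naive int() fail on any busy rule.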
