Iptables, nat, and IPSec

dave beach drbeach at rogers.com
Wed Apr 6 03:47:02 CEST 2005

I have a class C private net behind both a dedicated linux/iptables box and
a Linksys BEFSR41 broadband router. Traffic outbound from the iptables box
to the router is DNATted to that machine's "external" (but still private) IP
by iptables, and NATted again by the router to ITS external (public) IP.
Everything works fine, except...

I need to be able to run two concurrent passthrough IPSec sessions outbound
through that configuration. Singly, they work fine. When run concurrently,
the second one to try and connect to the office VPN (the IPSec requirement)

Digging through Linksys documentation reveals that this particular router
will not support more than one passthrough IPSec session. Before I go and
drop money on a replacement router (such as the BEFSX41), are there inherent
limitations with iptables (or, probably more accurately) with NAT/IPSec
generally, that would render such a purchase a waste of money in that it
wouldn't solve my problem?

Of course, I COULD bypass the iptables box and plug the second connecting
device right into the (new) router, but I'd rather not do that if I don't
have to.

More information about the netfilter mailing list