Iptables, nat, and IPSec

Daniel Lopes lopsch at lopsch.com
Wed Apr 6 04:10:11 CEST 2005

dave beach schrieb:
> I have a class C private net behind both a dedicated linux/iptables box and
> a Linksys BEFSR41 broadband router. Traffic outbound from the iptables box
> to the router is DNATted to that machine's "external" (but still private) IP
> by iptables, and NATted again by the router to ITS external (public) IP.
> Everything works fine, except...
> I need to be able to run two concurrent passthrough IPSec sessions outbound
> through that configuration. Singly, they work fine. When run concurrently,
> the second one to try and connect to the office VPN (the IPSec requirement)
> fails.
> Digging through Linksys documentation reveals that this particular router
> will not support more than one passthrough IPSec session. Before I go and
> drop money on a replacement router (such as the BEFSX41), are there inherent
> limitations with iptables (or, probably more accurately) with NAT/IPSec
> generally, that would render such a purchase a waste of money in that it
> wouldn't solve my problem?
> Of course, I COULD bypass the iptables box and plug the second connecting
> device right into the (new) router, but I'd rather not do that if I don't
> have to.
It's an IPSec problem. I don't want to go into detail but you probably
should try NAT-Traversal.
For the theory http://www.ipsec-howto.org/x180.html
And the outbound traffic from the linux box to the router probably is
SNATted ;).
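Added illustration, not part of the thread: a toy port-rewriting SNAT showing why plain ESP (IP protocol 50, no ports) lets only one inside host reach a given VPN gateway, while NAT-T's ESP-in-UDP/4500 gives each host its own translated source port. Addresses and port numbering are constructed sample values; real routers vary in how they key ESP mappings.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                    # "esp" (IP protocol 50) or "udp"
    src: str
    dst: str
    sport: Optional[int] = None   # ESP carries no transport-layer ports
    dport: Optional[int] = None

class SourceNat:
    """Port-rewriting SNAT as a broadband router or iptables MASQUERADE does it."""
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 1024
        self.udp_map: Dict[Tuple[str, int, str, int], int] = {}
        self.esp_map: Dict[str, str] = {}   # remote gateway -> inside host

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outbound packet; None means the NAT cannot forward it."""
        if pkt.proto == "udp":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            port = self.udp_map.setdefault(key, self.next_port)
            if port == self.next_port:      # fresh mapping: burn a new public port
                self.next_port += 1
            return Packet("udp", self.public_ip, pkt.dst, port, pkt.dport)
        if pkt.proto == "esp":
            # Nothing in the ESP header can be rewritten per inside host, so this
            # NAT (like the single-passthrough router) remembers one host per gateway.
            owner = self.esp_map.setdefault(pkt.dst, pkt.src)
            if owner != pkt.src:
                return None                 # second host to the same gateway fails
            return Packet("esp", self.public_ip, pkt.dst)
        raise ValueError(f"unsupported protocol {pkt.proto}")

def concurrent_sessions(nat: SourceNat, hosts: List[str], gateway: str, nat_t: bool) -> int:
    """Count how many inside hosts get a working tunnel to one gateway."""
    ok = 0
    for host in hosts:
        pkt = (Packet("udp", host, gateway, 4500, 4500) if nat_t   # ESP-in-UDP (NAT-T)
               else Packet("esp", host, gateway))                  # raw ESP passthrough
        if nat.outbound(pkt) is not None:
            ok += 1
    return ok

if __name__ == "__main__":
    hosts = ["192.168.1.10", "192.168.1.11"]   # constructed sample addresses
    print("plain ESP:", concurrent_sessions(SourceNat("203.0.113.5"), hosts, "198.51.100.1", False))
    print("NAT-T    :", concurrent_sessions(SourceNat("203.0.113.5"), hosts, "198.51.100.1", True))
```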
