[Openswan Users] SNAT vpn issue ... NAT-T kernel patch?

ted leslie tleslie at tcn.net
Thu Mar 2 23:39:06 CET 2006


Sending again... subject blanked for some reason...

This is a re-post of the first posting I made to the list a few weeks ago.
I got no response, but then I don't even know if it got posted.
Maybe no one could help? But if anyone has any ideas...



I have converted from a 2.4 to a 2.6 kernel and thus lose the ipsecX interfaces.
If I have a tunnel that I use my true source address on, it works,
but if I SNAT my source IP on the way out (before the tunnel) as I did in the 2.4 kernel,
the packet doesn't get ESP'd; it just gets routed out normally.

So it appears that the IPsec "match" happens first?
And if a SNAT happens, one is SOL?

I am reading stuff about the NAT-T kernel patch, etc., but I am not sure this helps me?
And I can't really alter the kernel on this device at this time.

I just happen to have two devices, so to temporarily fix it,
I do a SNAT on a different device, then route the packet to the VPN gateway, which,
because it sees the source and destination IPs exactly as it wants them to
match the VPN gateway route, ESPs the packet, and it works fine.

But surely I can do all this on one box,
i.e. iptables and Openswan on a single Linux box, with SNAT, and have it work?

I see hints that iproute2, iptables mangle and mark, and a bunch of other voodoo might
provide a trick to make this work?

Any help would be appreciated.

-tl
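The check a practitioner would run on the 2.6 box for the situation described above is `ip xfrm policy`: the native IPsec stack encrypts a packet only if an out-direction policy selector contains the source and destination the packet carries at the moment the kernel does its policy lookup, and the poster's observation is that with SNAT in the picture that address is not the one the tunnel was written for. The following is an added illustration, not code from the original message or from Openswan: it parses a constructed `ip xfrm policy` dump (the 203.0.113.x, 198.51.100.x, 192.168.2.x and 10.0.0.5 addresses are assumed for the example) and evaluates the selector against both the pre-SNAT and the post-SNAT source, so you can see which of the two your policy actually covers.

```python
"""Which xfrm policy does a packet select before and after SNAT?

Added illustration, not code from the original post or from Openswan.
It parses `ip xfrm policy` output (a constructed sample below) and runs
the out-direction selector match for the pre-SNAT and the post-SNAT
source address, so you can see which of the two the policy covers.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in iproute2 `ip xfrm policy` format. The addresses are
# documentation/RFC 1918 ranges chosen for this example; they are not the
# poster's. The out-policy covers only the SNAT address 203.0.113.10/32.
SAMPLE_XFRM_POLICY = """\
src 203.0.113.10/32 dst 192.168.2.0/24
\tdir out priority 2344
\ttmpl src 203.0.113.1 dst 198.51.100.1
\t\tproto esp reqid 16385 mode tunnel
src 192.168.2.0/24 dst 203.0.113.10/32
\tdir fwd priority 2344
\ttmpl src 198.51.100.1 dst 203.0.113.1
\t\tproto esp reqid 16385 mode tunnel
src 192.168.2.0/24 dst 203.0.113.10/32
\tdir in priority 2344
\ttmpl src 198.51.100.1 dst 203.0.113.1
\t\tproto esp reqid 16385 mode tunnel
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network          # selector: inner source prefix
    dst: ipaddress.IPv4Network          # selector: inner destination prefix
    direction: str = ""                 # out / fwd / in
    priority: int = 0
    tmpl_src: Optional[str] = None      # tunnel endpoints (outer addresses)
    tmpl_dst: Optional[str] = None


_SEL_RE = re.compile(r"^src (\S+) dst (\S+)")
_DIR_RE = re.compile(r"^\s*dir (\S+) priority (\d+)")
_TMPL_RE = re.compile(r"^\s*tmpl src (\S+) dst (\S+)")


def parse_xfrm_policy(text: str) -> List[Policy]:
    """Parse the policy dump into Policy records (one per 'src ... dst ...' block)."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for line in text.splitlines():
        m = _SEL_RE.match(line)
        if m:
            cur = Policy(ipaddress.ip_network(m.group(1), strict=False),
                         ipaddress.ip_network(m.group(2), strict=False))
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = _DIR_RE.match(line)
        if m:
            cur.direction, cur.priority = m.group(1), int(m.group(2))
            continue
        m = _TMPL_RE.match(line)
        if m:
            cur.tmpl_src, cur.tmpl_dst = m.group(1), m.group(2)
    return policies


def lookup(policies: List[Policy], src: str, dst: str,
           direction: str = "out") -> Optional[Policy]:
    """Select the policy for a src/dst pair: the selector must contain both
    addresses, and among matches the lowest priority value wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in policies
               if p.direction == direction and s in p.src and d in p.dst]
    return min(matches, key=lambda p: p.priority) if matches else None


def snat_diagnosis(policies: List[Policy], orig_src: str,
                   snat_src: str, dst: str) -> Dict[str, bool]:
    """Does the out-policy match the packet with its original source, with its
    SNAT'd source, or both? Whichever address the kernel holds at lookup time
    must be the one that matches, or the packet leaves in the clear."""
    return {
        "pre_snat_matches": lookup(policies, orig_src, dst) is not None,
        "post_snat_matches": lookup(policies, snat_src, dst) is not None,
    }


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    # Assumed LAN host 10.0.0.5 being SNAT'd to 203.0.113.10 before the tunnel
    print(snat_diagnosis(pols, "10.0.0.5", "203.0.113.10", "192.168.2.7"))
```

On a real gateway, pipe the output of `ip xfrm policy` into `parse_xfrm_policy` instead of the constructed sample. A result of pre_snat_matches=False / post_snat_matches=True, with the packet still leaving unencrypted, is the symptom from the post: the selector covers the translated address, but the lookup was run against the untranslated one, so the decision about where SNAT sits relative to the policy lookup on that kernel, not the policy itself, is what has to change.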
