[Openswan Users] How to identify esp traffic with iptables when it is SNATed?

Brad Johnson bjohnson at astrocorp.com
Tue Oct 21 17:48:38 EDT 2008

I can not figure out how to correctly match ESP traffic when the traffic 
is Source NAT'ed.
For traffic that is not SNAT'ed, a rule like this matches correctly:

iptables -t mangle -A POSTROUTING -p esp -o eth0 -d <remote-ip> -j 

But apparently the traffic is not yet encapsulated in mangle POSTROUTING 
(or nat POSTROUTING) when it is going to be SNAT'ed.
I also tried this policy match, which also does not work for SNAT:

iptables -t mangle -A POSTROUTING -o eth0 -m policy --dir out --pol 
ipsec --mode tunnel --tunnel-src <local-ip> --tunnel-dst <remote-ip> -j 

We are running OpenSwan on a Gentoo 2.6.24 kernel (NetKey) on our 
gateway. We have the problem with traffic coming from one of our LAN's 
and going out the tunnel. We are not specifying a leftsubnet in our 
ipsec.conf file.

Any help would be appreciated.
Brad Johnson

More information about the Users mailing list