On Mon, 19 May 2025 06:39:06 +0000 Reinhard Vicinus via Shorewall-users <shorewall-users@lists.sourceforge.net> wrote:
> I am trying to get a 1:1 NAT configured prior to sending the
> packages into an IPsec tunnel, but as far as I can tell the NAT is
> never applied and the packages also never get into the tunnel.

1:1 NAT and IPsec are not compatible. You need to do SNAT and DNAT with IPsec.

With SNAT you need to understand that you MUST allow packets to leave without IPsec, because the original source IP does not match your IPsec tunnel. Only after SNAT has happened will the packet go into the tunnel (because after SNAT the source IP has changed to match the IPsec policy).

Inbound (DNAT) is easier, because the packet arrives via IPsec and you can just DNAT it to the correct destination.

--
Tuomo Soini <t...@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
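The SNAT-then-tunnel and tunnel-then-DNAT arrangement described in the reply, written out as Shorewall configuration fragments. This is an added example, not configuration from the thread; the zone names (loc, net), interface (eth0), the IPsec policy subnets (10.99.0.0/24 local, 10.88.0.0/24 remote) and the internal hosts (192.168.1.0/24, mapped to 10.99.0.10) are all assumptions.

```text
# Added example; addresses, zones and interface are assumptions.
# The IPsec policy protects 10.99.0.0/24 <-> 10.88.0.0/24, so traffic from
# 192.168.1.0/24 must be SNATed to 10.99.0.10 before it can match the tunnel.

# /etc/shorewall/snat
#ACTION            SOURCE           DEST
SNAT(10.99.0.10)   192.168.1.0/24   eth0:10.88.0.0/24

# /etc/shorewall/rules
#ACTION   SOURCE               DEST                 PROTO   DPORT   SPORT   ORIGDEST
# Outbound: when the filter sees the packet its source is still 192.168.1.x,
# which matches no IPsec policy, so it is evaluated as plain loc->net traffic
# and has to be accepted here; SNAT in POSTROUTING then makes it tunnel-eligible.
ACCEPT    loc:192.168.1.0/24   net:10.88.0.0/24
# Inbound: the packet has already arrived through the tunnel addressed to
# 10.99.0.10; DNAT it back to the internal host.
DNAT      net:10.88.0.0/24     loc:192.168.1.10     -       -       -       10.99.0.10
```

After loading the configuration, `shorewall show nat` lets you confirm the SNAT and DNAT entries were generated, and a packet capture on eth0 should show only ESP toward the peer for the 10.99.0.10 source.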