Re: IPSec + NAT interaction in Linux 2.6

From: Jose Luis Domingo Lopez (
Date: Sat Aug 09 2003 - 05:02:28 EST

On Friday, 08 August 2003, at 18:02:34 -0700,
Ranjeet Shetye wrote:

> I am trying to understand if NAT takes place before or after IPSec.
> Ideally, for IPSec + NAT to work smoothly, the IPSec sub-system should
> be between the NAT sub-system and the Internet. Any explainations here
> would be greatly appreciated.
I can't help you with the kernel programming part, but if you want to
know whether IPsec or NAT happen first, maybe a simple test could give
you some clues. Configure the box with two interface cards, enable
ip_forward, add a SNAT iptables rule, and then create a Security Policy
for IPsec using "setkey".

If you use the real (original source IP) address in the SP and it
matches, then IPsec happens before SNAT. Try again with DNAT and several
other combinations of NAT and IP in the SP, and see if the policy
matches traffic or not (use "setkey -DP" and see if "lastused" updates).

Hope this helps.

Jose Luis Domingo Lopez
Linux Registered User #189436 Debian Linux Sid (Linux 2.6.0-test2-mm2)
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at