Subject: Re: ipsec/tunnel for private spaces... etc.
To: Nick Holmes <>
From: Mipam <>
List: tech-net
Date: 01/22/2001 11:36:43
On Mon, Jan 22, 2001 at 03:37:26PM +0000, Nick Holmes wrote:

> I added an IPNat configuration to take "map le0 ->" - 
> prior to other maps on this ip block - theoretically saying "don't change 
> these ones!" - or at least, so I figure... were this to work, I would also 
> add the appropriate proxies.  .. however, the same halt occurred in data 
> exchange across the interface.

The only explanation would be that ipnat rewrites the IP header with the same
IP address and doesn't leave it alone. So I guess that's not the way
to tell ipnat to leave the traffic alone in that case.
I am wondering if such a thing would be possible at all.
I know it's not the answer you wish to hear, but I don't have one.
I walked myself into this situation too and made a strange
construction to add a special route for the IPsec traffic, which means
as much as: I have a dedicated IPsec router which only deals with traffic
destined for the VPN, and the other machine does the NATting and
deals with all the other traffic. It's not nice at all, because on
every machine in the network you have to add routes, but
for now it's the only way I got this stuff to work and am still able
to have access to the internet from a private range of machines