Hi All,
I require some guidance on achieving a challenging task. I need to add a public IP address, different from the local IP address, in the inner IP header before passing the packet to IPsec processing. I have a tunnel mode policy based on the public IP address and a corresponding SA. The outer IP header added by the IPsec layer then needs to contain the local IP address.

I tried doing this with SNAT, using the command:
iptables -t nat -A POSTROUTING -s 172.16.8.36 -d 172.16.8.38 -j SNAT --to 172.16.8.2

IPsec policy and SA details:

add 172.16.8.2 172.16.8.38 esp 0x301 -m tunnel -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
-A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

add 172.16.8.38 172.16.8.36 esp 0x301 -m tunnel -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
-A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

spdadd 172.16.8.2 172.16.8.38 any -P out ipsec
          esp/tunnel/172.16.8.36-172.16.8.38/require;

spdadd 172.16.8.38 172.16.8.2 any -P in ipsec
          esp/tunnel/172.16.8.38-172.16.8.36/require;


/* Packet from UE in case of UDP encapsulated Tunnel Mode */
        -------------------------------------------------------------
        | OUTER | ESP | Inner IP |     |      | ESP     | ESP  |
        | IP    | Hdr | Header   | TCP | Data | Trailer | Auth |
        -------------------------------------------------------------

The contents of the above packet, with respect to the IP headers, are interpreted as below:

Outer IP header
SRC → Private IP address of UE
DEST → X IP address

Inner IP header
SRC → Public IP address of UE
DEST → X IP address

# ping 172.16.8.38
PING 172.16.8.38 (172.16.8.38) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

But I was not successful in sending the first outgoing ESP packet. Is there a way to achieve this?

Thanks and Regards
Naveen