[Ipsec-tools-users] IPSEC + NAT VPN problem

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I'm trying to get a simple VPN going here.
Essentially, I have 2 subnets: A (192.168.0.0/24)
and B (192.168.1.0/24) on opposite ends of the VPN.
Both subnets are NAT-ed and have 1 public static IP
(X.X.X.X and Y.Y.Y.Y). See the attachment for
a diagram.

This is how I'm setting up the VPN/NATs (all boxen
are running on 2.6.24.4 Linux kernels with
ipsec-tools 0.7):

###############################################
# VPN / NAT for subnet A:
###############################################
ifconfig eth0 192.168.0.1 # internal IP for subnet A
ifconfig eth1 X.X.X.X     # public IP for subnet A

echo 1 > /proc/sys/net/ipv4/ip_forward
route add default gw <ISP assigned gateway IP>

# setup NAT
iptables -A POSTROUTING -o eth1 -j MASQUERADE

# setup IPSEC tunnelling...
setkey -c <<EOF
flush;
spdflush;

add X.X.X.X Y.Y.Y.Y esp 0x201 -m tunnel -E 3des-cbc
  0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  -A hmac-md5 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;

add Y.Y.Y.Y X.X.X.X esp 0x301 -m tunnel -E 3des-cbc
  0xBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
  -A hmac-md5 0xBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB;

# NOTE: currently using X.X.X.X instead of
# 192.168.0.0 for the source IP due to the
# NAT issue
spdadd X.X.X.X/16 192.168.1.0/24 any -P out ipsec
  esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;

# NOTE: currently using Y.Y.Y.Y instead of
# 192.168.1.0 for the source IP due to the
# NAT issue
spdadd Y.Y.Y.Y/16 192.168.0.0/24 any -P in ipsec
  esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
EOF

#################################################
# VPN / NAT for subnet B:
#################################################
ifconfig eth0 192.168.1.1 # internal IP for subnet B
ifconfig eth1 Y.Y.Y.Y     # public IP for subnet B

echo 1 > /proc/sys/net/ipv4/ip_forward
route add default gw <ISP assigned gateway IP>

# setup NAT
iptables -A POSTROUTING -o eth1 -j MASQUERADE

# setup IPSEC tunnelling...
setkey -c <<EOF
flush;
spdflush;

add X.X.X.X Y.Y.Y.Y esp 0x201 -m tunnel -E 3des-cbc
  0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  -A hmac-md5 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;

add Y.Y.Y.Y X.X.X.X esp 0x301 -m tunnel -E 3des-cbc
  0xBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
  -A hmac-md5 0xBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB;

# NOTE: currently using Y.Y.Y.Y instead of
# 192.168.1.0 for the source IP due to the
# NAT issue
spdadd Y.Y.Y.Y/16 192.168.0.0/24 any -P out ipsec
  esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;

# NOTE: currently using X.X.X.X instead of
# 192.168.0.0 for the source IP due to the
# NAT issue
spdadd X.X.X.X/16 192.168.1.0/24 any -P in ipsec
  esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
EOF

With this setup, I'm able to have a host on subnet
A connect to a host on subnet B. However, the host
on subnet B shows the source address of the client
as the public IP (X.X.X.X) instead of the internal
one.

I believe this is because the packets are NAT-ed
first, then IPSEC encapsulated. Is there a way to
reverse this behavior? ie IPSEC encapsulation first,
then NAT.

Regards.
Sjei.