Dear Timo,
This is what is expected in a UE as per TS 33.203. This feature should be present in the UE as UDP encapsulated Tunnel mode
if the UE detects it is behind NAT.

The outgoing packet from the UE should look like this:
Packet from UE in case of UDP encapsulated Tunnel Mode
        | Outer | UDP | ESP | Inner IP |     |      | ESP     | ESP  |
        | IP    | Hdr | Hdr | Header   | TCP | Data | Trailer | Auth |
The contents of the above packet w.r.t. the IP headers are interpreted as below.
Outer IP address

SRC → Private IP address of UE
DEST → PCSCF IP address
Inner IP address
SRC → Public IP address of UE
DEST → PCSCF IP address


Timo Teräs wrote:
Naveen BN wrote:
I require some guidance on achieving a challenging piece of work. I need to add a public IP address, different from
the local IP address, in the inner IP header before passing it to IPsec processing. I have a tunnel mode policy based on
the public IP address and a corresponding SA. Later, the outer IP header added by the IPsec layer needs to contain the local IP address.

I tried doing the same by using a SNAT using the command
iptables -t nat -A POSTROUTING -s -d -j SNAT --to

That sounds just wrong. You should add both public IP's to your
server. Bind the processes to the public IP they use, and use
the other as gateway address for the IPsec SA.

- Timo
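
The packet layout given at the top of this message, as an added example that is not part of the original thread: it builds a UDP-encapsulated tunnel-mode ESP packet and parses it back to show which addresses sit in the outer and inner IP headers. All addresses, ports and the SPI are constructed sample values; the ESP payload is left unencrypted (as with NULL encryption) so the inner header can be read, and the ESP Auth field is a zero placeholder.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 for this offline sample.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_packet(private_ip, public_ip, pcscf_ip, sport, dport, spi, seq, segment):
    # Inner IP header: public UE address -> P-CSCF; segment stands in for TCP + data.
    inner = ipv4_header(public_ip, pcscf_ip, 6, len(segment)) + segment
    # ESP trailer: pad to a 4-byte boundary, then pad length and next header 4 (IPv4).
    pad_len = -(len(inner) + 2) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])
    icv = bytes(12)  # zero placeholder for the ESP Auth field, not a real ICV
    esp = struct.pack("!II", spi, seq) + inner + trailer + icv
    udp = struct.pack("!HHHH", sport, dport, 8 + len(esp), 0) + esp
    # Outer IP header: private UE address -> P-CSCF, protocol 17 (UDP).
    return ipv4_header(private_ip, pcscf_ip, 17, len(udp)) + udp

def parse_packet(pkt, icv_len=12):
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("outer protocol is not UDP")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    esp = pkt[ihl + 8:ihl + udp_len]
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_hdr = esp[-icv_len - 2], esp[-icv_len - 1]
    if next_hdr != 4:
        raise ValueError("ESP next header is not IPv4: not tunnel mode")
    inner = esp[8:len(esp) - icv_len - 2 - pad_len]
    addr = socket.inet_ntoa
    return {"outer_src": addr(pkt[12:16]), "outer_dst": addr(pkt[16:20]),
            "udp_ports": (sport, dport), "spi": spi, "seq": seq,
            "inner_src": addr(inner[12:16]), "inner_dst": addr(inner[16:20]),
            "inner_proto": inner[9]}

# Constructed sample values (documentation address ranges, arbitrary ports and SPI).
SAMPLE = build_packet("192.168.1.10", "203.0.113.5", "198.51.100.1",
                      40000, 40001, 0x1234ABCD, 1, bytes(20) + b"REGISTER")

if __name__ == "__main__":
    for field, value in parse_packet(SAMPLE).items():
        print(f"{field}: {value}")
```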