iptables issue (udp -> esp)??

[Devaraj Das <ddas@india.hp.com>]

Hi,
I am trying to set up a NAT for VPN access. The clients are in a private
network. To start with, I added just one (and only one) iptables rule in the
gateway (for one particular client-ip-addr):
iptables -t nat -I POSTROUTING 1 -o eth0 -s 10.0.1.2  -j SNAT --to
15.76.97.136

10.0.1.2 can talk (telnet, ping) to any host in 15.76.* network. However, the
communication is problematic when the key-exchange negotiation (using racoon,
version ipsec-tools-0.3) happens. I doubt that the issue has anything to do
with racoon. What happens is that the VPN server 15.76.98.218 receives the
ISAKMP packet in perfect condition and responds back with another. However,
what reaches the client is an ESP packet!!
All port information seems to be lost!

In the tcpdump output below, read ebnt136 as the gateway, lx98218 as the VPN
server.

Here is the tcpdump output on the vpn server machine (when the client starts
the isakmp exchange):
ebnt136.india.hp.com.4500 > lx98218.india.hp.com.isakmp: isakmp: phase 1
I ident: [|sa] (DF)
lx98218.india.hp.com.isakmp > ebnt136.india.hp.com.4500: isakmp: phase 1
R ident: [|sa] (DF)

Here is the output on the client (10.0.1.2):
10.0.1.2:4500 > lx98218.india.hp.com.isakmp: isakmp: phase 1 I ident:
[|sa] (DF)
10.0.1.2:4500 > lx98218.india.hp.com.isakmp: isakmp: phase 1 I ident:
[|sa] (DF)
lx98218.india.hp.com > 10.0.1.2: ESP(spi=0x..., seq=0x...)
lx98218.india.hp.com > 10.0.1.2: ESP(spi=0x..., seq=0x...)

The response packets never reaches racoon on the client.

I am using Linux Kernel 2.6.0 on the client and the server and Linux Kernel
2.4.6 on the gateway. The version of iptables on the gateway is 1.2.2.

Is this an iptables/kernel (on the gateway) issue? Would really appreciate
any help in this regard.

Thanks,
Devaraj.