IPsec and SNAT

Do not MASQ or NAT packets to be tunneled
If you are using IP masquerade or Network Address Translation (NAT) on either gateway, you must now exempt the packets you wish to tunnel from this treatment. For example, if you have a rule like:

# iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

change it to something like:

# iptables -t nat -I POSTROUTING -o eth0 -s 10.0.0.0/24 -d ! 172.16.0.0/24 -j MASQUERADE

or use passthrough rule
# iptables -t nat -I POSTROUTING 1 -o eth0 -s 10.0.0.0/24 -d 172.16.0.0/24 -j RETURN/ACCEPT

or use policy matching !

with iptables 1.3.5 and a Linux kernel > 2.6.15, IPsec policy matching developed by Patrick McHardy was introduced into Linux Netfilter, changing the behaviour of NAT rules in regard to IPsec tunnels. If you e.g. have a general NAT rule for mapping internal addresses to the external interface and want to exempt tunneled traffic from NAT then you must insert an IPsec policy matching rule in front of the SNAT or MASQUERADE rule in the POSTROUTING chain. This is what I'm doing on my productive system:

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere policy match dir in pol ipsec mode tunnel

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere policy match dir out pol ipsec mode tunnel
MASQUERADE all -- 10.0.0.0/24 anywhere

# iptables -t nat -I PREROUTING -m policy --dir out /
--pol ipsec --mode tunnel -j ACCEPT

# iptables -t nat -I POSTROUTING -m policy --dir in /
--pol ipsec --mode tunnel -j ACCEPT

This may be necessary on both gateways.

get xt_policy's help info

# iptables -m policy --help