IPSEC/NAT/gif interaction question.

Jaye Mathisen mrcpu at internetcds.com
Wed Sep 17 17:36:28 PDT 2003



We seem to have an issue where traffic going over an IPSEC
tunnel is getting tunneled before it hits our NAT process...


For example.


 Node A, running NAT on its "external" interface sis0 which has an IP of 10.177.1.1
         has an interface sis1 which is its "internal" interface with an IP of 192.168.0.1.
         has a default route of 10.177.1.254.
         has an ipsec tunnel on gif0, going from 10.177.1.1 to a public-routable IP, call it a.b.c.2
                with publicly-routable IPs on both ends of the tunnel.


 Node B, has an interface sis0 of 10.177.1.254,
         has an interface sis1 of a.b.c.3.
         knows how to route the traffic back and forth between tunnel
         endpoints.


 Node C, is the VPN termination, it has an address of a.b.c.4 and
         has the corresponding gif interface from nodeA.




The tunnels all come up and move traffic successfully, and ftp/telnet from
Node A to the world works just fine.


The problem is that when we fire up natd aliased to the public
IP address bound to the gif0 interface, traffic from the inside
network seems to hit ipsec and get tunneled before it hits
the natd process, although we do have the necessary divert rule
and have natd running on the external interface (sis0).

I have tried aliasing the node A endpoint to a physical interface,
and a loopback, and nothing seems to work.

If I look at the traffic coming in on node C, I see the ESP traffic
tunneled, but the source addresses are the 192.168.0 IPs from the
internal network, not the NAT'd IPs.

What am I missing here?
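The following is an added example, not FreeBSD source and not the poster's configuration: a small model of the order in which Node A's outbound packet meets IPsec output processing, the ipfw divert/natd check and gif encapsulation, so the "tunneled before NAT" symptom can be reproduced on paper. Interface names and the 10.177.1.x / 192.168.0.x addresses follow the post; the inside host 192.168.0.5, the remote host 172.16.0.10 and the 203.0.113.x addresses standing in for the post's a.b.c.x are constructed. The model assumes what the FreeBSD 4.x/5.x ip_output() of the time did: the IPsec policy (SPD) lookup runs before the ipfw check, ipfw is evaluated once per ip_output() pass with that pass's output interface as the "via" interface, and a gif tunnel hands its encapsulated packet back to ip_output() for the physical interface. natd is modelled as rewriting only TCP/UDP/ICMP sources, as libalias of that era did.

```python
"""Model of Node A's outbound packet path (added example, not FreeBSD code).

Kernel ordering assumed (FreeBSD 4.x/5.x ip_output of 2003): IPsec SPD
processing, then the ipfw check on the current output interface, then the
interface's output routine; gif re-enters ip_output for the outer packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INSIDE_HOST = "192.168.0.5"          # constructed host behind sis1
REMOTE_HOST = "172.16.0.10"          # constructed host reached through the tunnel
NODE_A_SIS0 = "10.177.1.1"           # outer tunnel endpoint on Node A (from the post)
NODE_C = "203.0.113.4"               # outer endpoint on Node C, stands in for a.b.c.4
GIF0_PUBLIC = "203.0.113.2"          # public address on gif0, stands in for a.b.c.2 (natd alias)
NAT_PROTOS = {"tcp", "udp", "icmp"}  # what natd/libalias rewrites; ESP and IP-in-IP pass untouched


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "ipencap" (gif outer header) or "esp"
    inner: Optional["Packet"] = None  # the wrapped packet once encapsulated


@dataclass(frozen=True)
class DivertRule:
    """'divert natd ip from <src_net> to any out [via <via>]'; via=None means any interface."""
    src_net: str
    via: Optional[str]


def route_lookup(dst: str) -> str:
    """Node A's routing table: the remote net is reached via gif0, everything else via the default on sis0."""
    return "gif0" if ip_address(dst) in ip_network("172.16.0.0/16") else "sis0"


def ipsec_output(pkt: Packet, spd_mode: str) -> Packet:
    """SPD lookup.  'transport' protects only the gif outer packet (the KAME gif+IPsec setup);
    'tunnel' matches the inside->remote traffic itself and wraps it in ESP with no gif involved."""
    if spd_mode == "transport" and (pkt.src, pkt.dst) == (NODE_A_SIS0, NODE_C):
        return Packet(pkt.src, pkt.dst, "esp", inner=pkt)
    if spd_mode == "tunnel" and ip_address(pkt.src) in ip_network("192.168.0.0/24") \
            and ip_address(pkt.dst) in ip_network("172.16.0.0/16"):
        return Packet(NODE_A_SIS0, NODE_C, "esp", inner=pkt)
    return pkt


def firewall(pkt: Packet, ifp: str, rules: List[DivertRule]) -> Packet:
    """ipfw check on the output interface.  A matching divert rule hands the packet to natd,
    which rewrites the source of TCP/UDP/ICMP to the alias and returns anything else unchanged."""
    for rule in rules:
        if rule.via not in (None, ifp) or pkt.proto not in NAT_PROTOS:
            continue
        if ip_address(pkt.src) in ip_network(rule.src_net):
            return Packet(GIF0_PUBLIC, pkt.dst, pkt.proto, pkt.inner)
    return pkt


def ip_output(pkt: Packet, rules: List[DivertRule], spd_mode: str, trace: list) -> Packet:
    pkt = ipsec_output(pkt, spd_mode)    # IPsec before the firewall (assumed kernel ordering)
    ifp = route_lookup(pkt.dst)          # outer destination decides the interface if IPsec re-wrote it
    pkt = firewall(pkt, ifp, rules)      # ipfw sees the packet as it is on this pass, on this interface
    trace.append((ifp, pkt.proto, pkt.src))
    if ifp == "gif0":                    # gif encapsulates and re-enters ip_output for sis0
        outer = Packet(NODE_A_SIS0, NODE_C, "ipencap", inner=pkt)
        return ip_output(outer, rules, spd_mode, trace)
    return pkt                           # handed to the sis0 driver as-is


def innermost_src(pkt: Packet) -> str:
    while pkt.inner is not None:
        pkt = pkt.inner
    return pkt.src


def send_from_inside(rules: List[DivertRule], spd_mode: str = "transport") -> Tuple[str, str, list]:
    """Returns (source address Node C will see inside the tunnel, protocol on the wire, per-pass trace)."""
    trace: list = []
    wire = ip_output(Packet(INSIDE_HOST, REMOTE_HOST, "tcp"), rules, spd_mode, trace)
    return innermost_src(wire), wire.proto, trace


if __name__ == "__main__":
    for label, rules, mode in (
        ("divert out via sis0, gif+transport", [DivertRule("192.168.0.0/24", "sis0")], "transport"),
        ("divert out via gif0, gif+transport", [DivertRule("192.168.0.0/24", "gif0")], "transport"),
        ("divert on any interface, tunnel-mode SPD", [DivertRule("192.168.0.0/24", None)], "tunnel"),
    ):
        src, proto, trace = send_from_inside(rules, mode)
        print(f"{label}: inner src seen by Node C = {src}, on the wire = {proto}, passes = {trace}")
```

In the model the divert rule bound to sis0 never meets the inside packet: on the sis0 pass the packet is already ESP, and on the gif0 pass the rule's "via sis0" does not match, which reproduces the 192.168.0 sources seen on Node C. A rule of the form `divert natd ip from 192.168.0.0/24 to any out via gif0` (with its `in via gif0` counterpart for the replies, and natd aliasing to the gif0 public address) catches the packet on the pass where it is still cleartext and un-encapsulated. The third scenario shows that with a tunnel-mode SPD entry matching the inside addresses directly, and the assumed IPsec-before-ipfw ordering, no divert rule on any interface sees the cleartext packet at all, so the translation has to happen on a gif pass or by changing which addresses the SPD entry matches.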
          


More information about the freebsd-hackers mailing list