# AIX <-> Linux IPSec w/NAT

## sbelgard

I am trying to establish IPSec w/ shared key between AIX 5.3 and RH Linux 2.6.18. The AIX is reached via NAT only.

AIX actual IP:x.x.x.x

Linux actual IP: y.y.y.y

Linux needs to use z.z.z.z to reach AIX

An AIX ping to Linux shows source as z.z.z.z on Linux side

A Linux ping to AIX shows source as y.y.y.y on AIX side

I have no problem with direct (no NAT) IPSec between AIX & Linux where no GW is involved.

I kick off racoon on Linux first and then do the AIX side. AIX gets "Active" on phase 1 and 2, but any TCP or ping traffic is one sided. On Linux I do see SPI values for x.x.x.x -> y.y.y.y and y.y.y.y -> x.x.x.x.

Any sample config files would be appreciated.

Best,

Scott

----------

## blu3bird

Did you enable nat traversal on both systems? If yes, try to set it to force in racoon.conf.

```
remote z.z.z.z {
  nat_traversal force;
}
```

If nat traversal is disabled, isakmp traffic will still work, because it uses udp.

But "real" vpn data packets (esp) won't go through the nat gateway.

----------

## sbelgard

Success! Linux side needed a few spdadd statements:

```
spdadd y.y.y.0/24 x.x.x.0/24 any -P out ipsec esp/tunnel/y.y.y.y-z.z.z.z/require;
spdadd x.x.x.0/24 y.y.y.0/24 any -P in ipsec esp/tunnel/z.z.z.z-y.y.y.y/require;
spdadd x.x.x.0/24 y.y.y.0/24 any -P fwd ipsec esp/tunnel/z.z.z.z-y.y.y.y/require;
```
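A quick way to confirm on the Linux side that the SAs racoon negotiated are actually UDP-encapsulated (NAT-T) in both directions, rather than plain ESP that the NAT gateway will drop, is to parse `setkey -D`. This is an added example, not code from either post; it assumes ipsec-tools prints NAT-T SAs as `esp-udp mode=tunnel` with the UDP port in brackets after each address, and the dump below is constructed (the y.y.y.y / z.z.z.z placeholders are the thread's own).

```shell
#!/bin/sh
# Added example: check a `setkey -D` dump for NAT-T (esp-udp) SAs in both directions.
# Assumption: NAT-T SAs appear as "esp-udp mode=tunnel" under a header "src[port] dst[port]".

# Constructed sample of a `setkey -D` dump after NAT-T was negotiated (real dumps use tabs).
SAMPLE_DUMP='y.y.y.y[4500] z.z.z.z[4500]
  esp-udp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
  E: aes-cbc  00112233445566778899aabbccddeeff
  A: hmac-sha1  00112233445566778899aabbccddeeff00112233
  seq=0x00000000 replay=4 flags=0x00000000 state=mature
z.z.z.z[4500] y.y.y.y[4500]
  esp-udp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
  E: aes-cbc  ffeeddccbbaa99887766554433221100
  A: hmac-sha1  33221100ffeeddccbbaa99887766554433221100
  seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# natt_status LOCAL PEER DUMP
# Prints "<src> -> <dst> esp-udp|esp|missing" for both directions.
# Returns 0 only when both SAs exist and both are UDP-encapsulated.
natt_status() {
    local_ip=$1; peer_ip=$2; dump=$3
    printf '%s\n' "$dump" | awk -v a="$local_ip" -v b="$peer_ip" '
        # Unindented "src[port] dst[port]" line starts a new SA entry.
        /^[0-9a-z.:]+(\[[0-9]+\])? [0-9a-z.:]+(\[[0-9]+\])?$/ {
            src = $1; dst = $2
            sub(/\[.*/, "", src); sub(/\[.*/, "", dst)
            key = src " -> " dst
            next
        }
        # Protocol line of the current entry: "esp" means no NAT-T, "esp-udp" means NAT-T.
        /^[ \t]*esp(-udp)? mode=/ && key != "" { proto[key] = $1; key = "" }
        END {
            ok = 1
            dirs[1] = a " -> " b; dirs[2] = b " -> " a
            for (i = 1; i <= 2; i++) {
                d = dirs[i]; p = (d in proto) ? proto[d] : "missing"
                print d " " p
                if (p != "esp-udp") ok = 0
            }
            exit ok ? 0 : 1
        }'
}

# Live use: natt_status y.y.y.y z.z.z.z "$(setkey -D)"
natt_status y.y.y.y z.z.z.z "$SAMPLE_DUMP"
```

If a direction reports plain `esp` or `missing`, NAT traversal was not negotiated for it, which matches the one-sided traffic seen before `nat_traversal force` was set.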

----------

