Cisco ASA 5505: Force NAT before IPsec?

Posted by WuckaChucka on Server Fault
Published on 2011-01-11T22:23:23Z


I'm trying to route public-to-public IPs over an IPSec tunnel. However, the src IP is not "interesting" to the Cisco's IPSec engine because it doesn't appear to be getting translated to the outside IP before being evaluated by the Cisco's IPSec engine.

From WEST to EAST, my public-to-public IPSec works fine: I can make a request from 192.168.0.5:any to 200.200.200.200:80 because the Vyatta does the NAT translation before the IPSec tunnel inspects the traffic, so the remote-subnet and local-subnet match (see below). However, from EAST to WEST, I see a deny in my Cisco logging buffer for Deny tcp src inside:192.168.1.5/59195 dst outside:100.100.100.100/80, which leads me to believe that the IPSec engine is not matching the encrypt ACL because the address has not been translated yet.

Any ideas?

WEST (Vyatta):

  • inside: 192.168.0.0/24
  • inside host: 192.168.0.5/24
  • outside: 100.100.100.100
  • IPSec local-subnet: 100.100.100.100/32
  • IPSec remote-subnet: 200.200.200.200/32

EAST (Cisco):

  • inside: 192.168.1.0/24
  • inside host: 192.168.1.5/24 (DNAT'ed on port 80 to outside)
  • outside: 200.200.200.200
  • IPSec local-subnet: 200.200.200.200/32
  • IPSec remote-subnet: 100.100.100.100/32
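The following is an added illustration, not part of the original question or any answer to it. It is a small Python model of the egress packet path the question is about, built on two assumptions stated here and in the comments: that NAT is applied to outbound traffic before the crypto-map ACL is evaluated, so the crypto ACL is matched against post-NAT addresses, and that a static port-80 translation only rewrites packets whose real source port is 80. Under those assumptions it shows why reply traffic from the DNAT'ed web server (source port 80) would be translated to 200.200.200.200 and match the 200.200.200.200/32 to 100.100.100.100/32 crypto ACL, while a connection the inside host initiates itself from an ephemeral port such as 59195 keeps its 192.168.1.5 source and is never "interesting" unless a separate dynamic PAT (hide NAT) rule covers it. All packets and rules are constructed for the example; the addresses are the ones from the question.

```python
"""Toy model of an outbound packet path: NAT first, then crypto-ACL match.

Assumption of this example (not stated by the original post): the
crypto-map ACL is evaluated on post-NAT addresses, and a static PAT on
port 80 translates only packets whose real source port is 80.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class StaticPat:
    """Translate one (real_ip, real_port) to (mapped_ip, mapped_port)."""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class DynamicPat:
    """Hide NAT: any source inside real_net is overloaded onto mapped_ip."""
    real_net: str
    mapped_ip: str


def apply_outbound_nat(pkt, rules):
    """Return (translated_packet, rule_used); static rules take precedence."""
    for r in rules:
        if isinstance(r, StaticPat) and pkt.src == r.real_ip and pkt.sport == r.real_port:
            return replace(pkt, src=r.mapped_ip, sport=r.mapped_port), r
    for r in rules:
        if isinstance(r, DynamicPat) and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.real_net):
            # Real PAT would also pick a new source port; kept unchanged here for clarity.
            return replace(pkt, src=r.mapped_ip), r
    return pkt, None


def crypto_acl_matches(pkt, local_net, remote_net):
    """The encrypt ACL is matched on the packet *after* NAT."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(local_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(remote_net))


def egress_decision(pkt, nat_rules, local_net, remote_net):
    """Return ("encrypt" | "clear", translated_packet)."""
    translated, _ = apply_outbound_nat(pkt, nat_rules)
    if crypto_acl_matches(translated, local_net, remote_net):
        return "encrypt", translated
    return "clear", translated


# EAST (Cisco) side as described in the question.
EAST_LOCAL = "200.200.200.200/32"
EAST_REMOTE = "100.100.100.100/32"

# Constructed packets: one mirrors the logged deny, one is a reply from the web server.
CLIENT_INITIATED = Packet("192.168.1.5", 59195, "100.100.100.100", 80)
SERVER_REPLY = Packet("192.168.1.5", 80, "100.100.100.100", 50000)

# Only the port-80 static translation, as the question describes it.
STATIC_ONLY = [StaticPat("192.168.1.5", 80, "200.200.200.200", 80)]
# Same, plus a hide-NAT rule for the whole inside subnet (hypothetical addition).
WITH_HIDE_NAT = STATIC_ONLY + [DynamicPat("192.168.1.0/24", "200.200.200.200")]


def decide(pkt, nat_rules):
    """Convenience wrapper: (action, post-NAT source address)."""
    action, translated = egress_decision(pkt, nat_rules, EAST_LOCAL, EAST_REMOTE)
    return action, translated.src


if __name__ == "__main__":
    for label, rules in (("static only", STATIC_ONLY), ("static + hide NAT", WITH_HIDE_NAT)):
        print(label, "client-initiated:", decide(CLIENT_INITIATED, rules))
        print(label, "server reply:   ", decide(SERVER_REPLY, rules))
```

Running it prints that the server reply is encrypted under either rule set, while the client-initiated packet stays at 192.168.1.5 and is sent in the clear until the hide-NAT rule is present. The practical check this suggests is to confirm, on the ASA, that the outbound translation for 192.168.1.5 covers ephemeral source ports and not only port 80, and that the crypto ACL references the translated 200.200.200.200 address.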
