Transparent routing with Freeswan1

This setup was given by Dominique Blas.

Bridge/router configuration

              br0 (192.168.100.254)
           +-------------------------+
           !                         !          192.168.100.253 +------------+
-- eth0 ---+                         +- eth1 ---------/---------+   Router   +---> Internet
  agency   !                         !            Cross         +------------+
   LAN     +-----------+-------------+            Cable
                       !
                       !    ipsec0
                       /    (192.168.100.254)
                       !
                       v
          Corporate network (192.168.0.0/19)

Stations configuration

Now the challenge

One may ask why make it so complicated. It is enough to configure the default gateway (or a list of subnets in the routing table) on the stations to point towards the br0 address, and the router will do its job, routing toward the intranet or towards the Internet.
Perfectly true.

Yes, but imagine you have several dozen such local stations without DHCP to manage their network configuration,
and you are thousands of miles away. You can simply send the machine and ask someone to plug it into the router and into the hub with the correct cables you've provided.
That's all.

A solution

So

ebtables -t nat -A PREROUTING -i eth0 -p ipv4 --ip-dst 192.168.0.0/19 \
-j dnat --to-dst $MAC_ADDR_OF_IPSEC0 --dnat-target ACCEPT

actually works and is enough for the challenge.

A note on $MAC_ADDR_OF_IPSEC0.
Since the rule is set before ipsec is launched, the MAC address of ipsec0 is not known at that time. This doesn't matter, since ipsec0's MAC address will be the same as that of the outbound interface, i.e. eth1's MAC address.

Hence this rule:

ebtables -t nat -A PREROUTING -i eth0 -p ipv4 --ip-dst 192.168.0.0/19 \
-j dnat --to-dst $MAC_ADDR_OF_ETH1 --dnat-target ACCEPT
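
As an added example (not part of the original setup), a small POSIX sh script that reads eth1's MAC address from iproute2's "ip link show" output and installs the rule above, so the MAC never has to be hard-coded; the "ip link" sample embedded for the offline check is constructed, and the live path assumes root, iproute2 and ebtables on a Linux bridge host.

```shell
#!/bin/sh
# Corporate prefix reachable through the IPsec tunnel (from the page's topology).
CORP_NET="192.168.0.0/19"

# Extract the link-layer address from "ip link show <dev>" output, i.e. the
# "link/ether aa:bb:cc:dd:ee:ff" line. Prints nothing if no such line exists.
mac_from_ip_link() {
    # $1: full output of "ip link show <dev>"
    printf '%s\n' "$1" | sed -n 's/.*link\/ether \([0-9a-f:]\{17\}\).*/\1/p' | head -n 1
}

# Render the PREROUTING DNAT rule as a string (dry-run / logging). Frames entering
# on eth0 for the corporate prefix get their destination MAC rewritten to the
# bridge-router's own MAC, so the kernel routes them (via ipsec0) instead of
# bridging them out eth1 toward the Internet router.
build_dnat_rule() {
    # $1: ingress bridge port, $2: destination prefix, $3: MAC of eth1 (== ipsec0's MAC)
    printf 'ebtables -t nat -A PREROUTING -i %s -p ipv4 --ip-dst %s -j dnat --to-dst %s --dnat-target ACCEPT' \
        "$1" "$2" "$3"
}

# Constructed sample of "ip link show eth1" output (not captured from a real host).
SAMPLE_IP_LINK='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# Live path: the rule is installed before ipsec starts, so ipsec0 has no MAC yet;
# eth1's MAC is used because ipsec0 inherits it from its outbound interface.
install_rule() {
    mac=$(mac_from_ip_link "$(ip link show eth1)")
    [ -n "$mac" ] || { echo "eth1: no link/ether address found" >&2; return 1; }
    echo "installing: $(build_dnat_rule eth0 "$CORP_NET" "$mac")"
    ebtables -t nat -A PREROUTING -i eth0 -p ipv4 --ip-dst "$CORP_NET" \
        -j dnat --to-dst "$mac" --dnat-target ACCEPT
}
```

Run install_rule from the bridge's startup script after br0 is up but before ipsec is launched; ebtables -t nat -L PREROUTING then shows the rule with the resolved MAC.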

Of course that's only the first step. One can then take into account a few other things: