> Does this rule apply in the direction you do SNAT or to reply packets?
> Please post the rules including IP addresses.

After a lot more testing and tweaking it seems to be a bug in Open/SWAN in combination with the 2.6 ipsec kernel implementation.

If I create TWO connections in /etc/ipsec.conf, one with the original source address AND one with the SNATted source address, everything works as expected. So apparently the bug is not in netfilter :-/

With ipsec configured as stated, it works with SNAT and DNAT like a charm; correct, complete policy information is available in all rule sections I use (filter-FORWARD, nat-PREROUTING and nat-POSTROUTING) :-)

Sorry for the fuzz.

-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
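The workaround the poster describes (two connections in /etc/ipsec.conf, one for the original source network and one for the SNATted source address) looks like the following. This is an added illustration, not the poster's own configuration; all addresses, subnets and connection names are constructed placeholders, and it assumes the 2.6 native IPsec stack with Openswan-style `conn` syntax, pre-shared-key authentication, and that the SNAT rule rewrites the LAN source to the gateway's own external address (192.0.2.1).

```ini
# /etc/ipsec.conf (example only; addresses are placeholders)
#
# Netfilter rule that creates the second source address this file has to
# cover (run on the left gateway, not part of this file):
#   iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.1.0.0/24 \
#            -j SNAT --to-source 192.0.2.1
#
# Because POSTROUTING SNAT runs before the packet is matched against the
# IPsec SPD, the outgoing packet now has source 192.0.2.1, not 10.0.0.x.
# A single policy for 10.0.0.0/24<->10.1.0.0/24 therefore never matches it.

config setup
    interfaces=%defaultroute

# Connection 1: the original LAN source network (needed for the policy
# lookup that is done in nat-PREROUTING / filter-FORWARD on the un-NATed
# addresses, and for inbound traffic after DNAT).
conn lan-to-remote
    left=192.0.2.1
    leftsubnet=10.0.0.0/24
    right=198.51.100.1
    rightsubnet=10.1.0.0/24
    authby=secret
    auto=add

# Connection 2: the same tunnel, but with the SNATted source address as
# the local selector so the post-SNAT packet also matches an SPD entry.
conn snat-to-remote
    left=192.0.2.1
    leftsubnet=192.0.2.1/32
    right=198.51.100.1
    rightsubnet=10.1.0.0/24
    authby=secret
    auto=add
```

Both `conn` blocks share the same peers and keying; only `leftsubnet` differs, so the kernel ends up with two outbound SPD entries (10.0.0.0/24 and 192.0.2.1/32 towards 10.1.0.0/24) and the SNATted packet is still selected for encryption. When checking such a setup, `ip xfrm policy` on a 2.6 kernel shows whether both selectors were actually installed, which is the quickest way to tell an SPD gap from a netfilter problem.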