Hi all,

I'm hoping somebody here may be able to point me in the right direction, as I've been banging my head against a brick wall for a few days now.

I have OpenConnect running on my Ubuntu 11.10 system, and it works fine (connect parameters posted below). The problem comes when I want to use my PC as a gateway for other systems on my local network - effectively performing NAT between the eth0 and tun0 interfaces.

After connecting, I run the following:

    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
    sysctl -w net.ipv4.ip_forward=1

I then log into another system and route traffic to the remote VPN through my Ubuntu openconnect system. This appears to work fine for ICMP, SSH, MySQL and so on - but for some reason, I cannot seem to NAT HTTP traffic.

On the Ubuntu gateway itself, HTTP access works as expected - no problems. From the "client" system, a simple cURL request just hangs. A tcpdump of the traffic shows that it does seem to be reaching the remote server on the VPN (and I see a "hit" in the Apache logs), but nothing much happens after that.

If anyone has any ideas how I should start to troubleshoot this, I'd very much appreciate it!

Here's the simple tcpdump output from the client behind the openconnect "gateway":

09:31:05.385701 IP (tos 0x0, ttl 64, id 26318, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.16.210.40521 > 10.132.112.16.http: Flags [S], cksum 0xce27 (correct), seq 213837445, win 5840, options [mss 1460,sackOK,TS val 80838731 ecr 0,nop,wscale 7], length 0
09:31:05.804517 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.132.112.16.http > 192.168.16.210.40521: Flags [S.], cksum 0x7672 (correct), seq 1719559033, ack 213837446, win 5792, options [mss 1380,sackOK,TS val 940529181 ecr 80838731,nop,wscale 7], length 0
09:31:05.804542 IP (tos 0x0, ttl 64, id 26319, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.16.210.40521 > 10.132.112.16.http: Flags [.], cksum 0xb9be (correct), seq 1, ack 1, win 46, options [nop,nop,TS val 80839149 ecr 940529181], length 0
09:31:05.804639 IP (tos 0x0, ttl 64, id 26320, offset 0, flags [DF], proto TCP (6), length 221)
    192.168.16.210.40521 > 10.132.112.16.http: Flags [P.], cksum 0x4cde (incorrect -> 0x86a4), seq 1:170, ack 1, win 46, options [nop,nop,TS val 80839150 ecr 940529181], length 169
09:31:06.582903 IP (tos 0x0, ttl 50, id 35919, offset 0, flags [DF], proto TCP (6), length 52)
    10.132.112.16.http > 192.168.16.210.40521: Flags [.], cksum 0xb609 (correct), seq 1, ack 170, win 54, options [nop,nop,TS val 940529952 ecr 80839150], length 0
09:31:06.584539 IP (tos 0x0, ttl 50, id 35923, offset 0, flags [DF], proto TCP (6), length 1188)
    10.132.112.16.http > 192.168.16.210.40521: Flags [FP.], cksum 0x04c7 (correct), seq 4105:5241, ack 170, win 54, options [nop,nop,TS val 940529953 ecr 80839150], length 1136
09:31:06.584550 IP (tos 0x0, ttl 64, id 26321, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.16.210.40521 > 10.132.112.16.http: Flags [.], cksum 0xc47c (correct), seq 170, ack 1, win 46, options [nop,nop,TS val 80839929 ecr 940529952,nop,nop,sack 1 {4105:5242}], length 0
09:31:21.589638 IP (tos 0x0, ttl 64, id 4969, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.16.210.58192 > 10.132.112.16.http: Flags [F.], cksum 0x06d7 (correct), seq 2265467025, ack 1690888712, win 46, options [nop,nop,TS val 80854935 ecr 940387564,nop,nop,sack 1 {4105:5242}], length 0

And here are the parameters I am passing to openconnect:

    --no-dtls --disable-ipv6 --no-cert-check --passwd-on-stdin

Many thanks in advance,

-Mark