<HTML><BODY>Minor update:<br><br>The "magic" rules on the server Sa should include the following before the DNAT rule:<br>iptables -t nat -A PREROUTING -s $CLIENT_PUBLIC_IP -d $SERV_PRIVATE_IP -j ACCEPT<br>iptables -t nat -A PREROUTING -s $CLIENT_PRIVATE_IP -d $SERV_PRIVATE_IP -j ACCEPT<br>(I do have this, just omitted in the OP for simplicity)<br><br>The client address on the diagram should read .1.23 (I have several clients and forgot to update in the OP..)<br><br>Again, "it basically works". No problem connecting, etc. I can see ipsec flying thru I1 (with tcpdump). So I don't include any logs - they look good.<br><br>Am I right that this thing is related to (a rather terrifying) topic of fragmentation?<br></BODY></HTML>