Hi Rudolf,

> So, questions are:
> 1. What is the best practice to get source NAT to work.

Let strongSwan handle it. With the charon IKE daemon the routes are automatically installed when an SA is set up and they are also reinstalled (since 5.0.0) when interfaces/addresses reappear.

Regards,
Tobias