Hi Eric, > There are FORWARDing rules in place installed by strongswan for ipsec > for the two respective subnets. Doesn't this already answer your question? > Which chain, if any, would handle filtering th deencapsulated traffic > from the tunnel going out from the gateway to the left subnet? Regards, Tobias