Michael Richardson wrote:
> There are people who want to do NAT going into the tunnel, which it is
> my understanding can not be done, because POSTROUTING is run after the
> tunnel encapsulation.

Nope. Problem is that all traffic is SNAT:ed, because the packet goes via POSTROUTING first without ipsec and is then encapsulated. And the first time, it gets SNAT:ed.