On Thu, 21 Jan 2010, Zhiping Liu wrote:

> Thanks Paul.
> As you mentioned, I just found out iptables has an ipsec policy module, insert this rule:
> iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> before anything in nat postrouting.

Shouldn't that be RETURN instead of ACCEPT? Perhaps the result is the same.

Paul