Hi everyone,

I wrote up a post on the FreeBSD forums about the issue I am having. It's rather long, so I am providing a link to it here: http://forums.freebsd.org/showthread.php?t=39595

In summary, it seems that when the packets are routed into the gateway from local network hosts, the src and dst addresses are changed to the public IPs of the tunnel -- at least from the perspective of the ipsec stack. This is breaking the ESP encryption in certain cases. I found a workaround, but it is not what is documented in the handbook.

In short, if you set up a VPN per the FreeBSD Handbook article that I mention in my post, you are left with a most-insecure VPN which you believe is secure. Traffic is only secure *between* the two gateways, but *not* between hosts behind those gateways (i.e. private hosts at either site).

(I apologize in advance if I'm breaking a mailing list rule by pointing you all to the forum URL -- I'm somewhat new to the list).

Thanks,
Daniel

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
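The failure Daniel describes (gateway-to-gateway traffic encrypted, host-to-host traffic behind the gateways sent in the clear) is easy to confirm from a packet capture on the gateway's outside interface: any packet whose source and destination are both addresses in the protected private networks, and which is not ESP, should never have left the box unencrypted. The following audit script is an added example, not part of the original post or of FreeBSD; the private network ranges and the tcpdump-style capture lines are constructed for illustration.

```python
"""Audit a tcpdump summary of an IPsec gateway's *outside* interface.

Any packet seen there whose source and destination are both addresses in the
private networks the tunnel should protect, and which is not ESP, is
cleartext that should have been encrypted.  The capture lines below are
constructed for this example (tcpdump -n style), not taken from a real host.
"""
import ipaddress
import re

# Summary line as printed by "tcpdump -n":
#   <timestamp> IP <src>[.port] > <dst>[.port]: <rest>
# Ports are optional so the same pattern covers ICMP and ESP as well as TCP/UDP.
_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s+"
    r"(?P<rest>.*)$"
)

# Private networks at the two sites (assumed values for this example).
PRIVATE_NETS = ["192.168.1.0/24", "10.0.2.0/24"]

# Constructed capture: two hosts behind the gateways talk in the clear on the
# outside interface, while only gateway-to-gateway packets carry ESP.
SAMPLE_CAPTURE = [
    "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode",
    "12:00:01.000000 IP 192.168.1.10 > 10.0.2.20: ICMP echo request, id 1, seq 1, length 64",
    "12:00:01.000100 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x00001000,seq=0x1), length 116",
    "12:00:01.000200 IP 203.0.113.1.500 > 198.51.100.1.500: isakmp: phase 1 I ident",
    "12:00:02.000000 IP 192.168.1.10.52345 > 10.0.2.20.22: Flags [S], seq 1, win 65535, length 0",
    "12:00:02.000100 IP 198.51.100.1 > 203.0.113.1: ESP(spi=0x00002000,seq=0x1), length 116",
]


def _protocol(rest):
    """Map the tail of a tcpdump summary line to a coarse protocol name."""
    if rest.startswith("ESP("):
        return "ESP"
    if rest.startswith("ICMP"):
        return "ICMP"
    if rest.startswith("UDP"):
        return "UDP"
    if rest.startswith("Flags"):  # tcpdump prints TCP segments as "Flags [..]"
        return "TCP"
    return "OTHER"


def parse_line(line):
    """Return {'src', 'dst', 'proto'} for a tcpdump summary line, or None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return {"src": m.group("src"), "dst": m.group("dst"),
            "proto": _protocol(m.group("rest"))}


def find_cleartext_leaks(lines, private_nets=PRIVATE_NETS):
    """Packets between two private hosts that left the gateway unencrypted."""
    nets = [ipaddress.ip_network(n) for n in private_nets]

    def is_private(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    leaks = []
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["proto"] != "ESP" and is_private(pkt["src"]) and is_private(pkt["dst"]):
            leaks.append(pkt)
    return leaks


def count_esp(lines):
    """Number of ESP packets in the capture (gateway-to-gateway, as expected)."""
    total = 0
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["proto"] == "ESP":
            total += 1
    return total


if __name__ == "__main__":
    leaks = find_cleartext_leaks(SAMPLE_CAPTURE)
    print(f"ESP packets: {count_esp(SAMPLE_CAPTURE)}, "
          f"cleartext private->private packets: {len(leaks)}")
    for p in leaks:
        print(f"  LEAK {p['proto']} {p['src']} -> {p['dst']}")
```

Run it against a real capture by feeding the lines of `tcpdump -n -i <outside-interface>` into `find_cleartext_leaks` with the site's actual private prefixes; a non-empty result means the security policy is only covering the gateway addresses, not the traffic between the hosts behind them.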