Hi everyone, I wrote up a post on the FreeBSD forums about the issue I am having. It's rather long, so I am providing a link to it here: http://forums.freebsd.org/showthread.php?t=39595

In summary, it seems that when the packets are routed into the gateway from local network hosts, the src and dst addresses are changed to the public IPs of the tunnel -- at least from the perspective of the ipsec stack. This is breaking the ESP encryption in certain cases. I found a workaround, and while the workaround is fine for scenarios where I control both endpoints, I am trying to integrate a remote endpoint (i.e. a Cisco ASA) where I cannot get them to implement an equivalent workaround on their end.

Does anyone have any ideas that might help me get ipsec to properly match off of the private src and dst addresses? (I apologize in advance if I'm breaking a mailing list rule by pointing you all to the forum URL -- I'm somewhat new to the list.)

Thanks,
Daniel