Minor update: The "magic" rules on the server Sa should include the following before the DNAT rule:

iptables -t nat -A PREROUTING -s $CLIENT_PUBLIC_IP -d $SERV_PRIVATE_IP -j ACCEPT
iptables -t nat -A PREROUTING -s $CLIENT_PRIVATE_IP -d $SERV_PRIVATE_IP -j ACCEPT

(I do have this, just omitted in the OP for simplicity.)
The client address on the diagram should read .1.23 (I have several clients and forgot to update it in the OP). Again, "it basically works". No problem connecting, etc. I can see IPsec flying through I1 (with tcpdump). So I don't include any logs - they look good. Am I right that this thing is related to the (rather terrifying) topic of fragmentation?
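Since the point of the update is that the two ACCEPT exemptions must sit before the DNAT rule in the nat PREROUTING chain, here is an added example (not code from the thread) of a small POSIX sh check that reads `iptables -t nat -S PREROUTING` style output and reports whether any ACCEPT rule for the server address comes after a DNAT rule for it. The rule text below is a constructed sample; 203.0.113.23, 10.0.1.23 and 10.0.0.1 are placeholders standing in for $CLIENT_PUBLIC_IP, $CLIENT_PRIVATE_IP and $SERV_PRIVATE_IP, and the DNAT target 10.0.0.2 is likewise invented, since the OP's DNAT rule is not quoted here.

```shell
#!/bin/sh
# Added example: verify that the ACCEPT exemptions precede the DNAT rule in
# the nat PREROUTING chain. Not from the original post; addresses are
# constructed placeholders.

# Constructed sample of `iptables -t nat -S PREROUTING` output, in the
# order the update describes (ACCEPT exemptions first, then DNAT).
GOOD_RULES='-P PREROUTING ACCEPT
-A PREROUTING -s 203.0.113.23/32 -d 10.0.0.1/32 -j ACCEPT
-A PREROUTING -s 10.0.1.23/32 -d 10.0.0.1/32 -j ACCEPT
-A PREROUTING -d 10.0.0.1/32 -j DNAT --to-destination 10.0.0.2'

# Constructed sample with the order reversed: the DNAT rule is hit first, so
# the client exemptions below it are never reached.
BAD_RULES='-P PREROUTING ACCEPT
-A PREROUTING -d 10.0.0.1/32 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -s 203.0.113.23/32 -d 10.0.0.1/32 -j ACCEPT
-A PREROUTING -s 10.0.1.23/32 -d 10.0.0.1/32 -j ACCEPT'

# check_order RULES SERVER_IP
# Returns 0 when every "-d SERVER_IP/32 ... -j ACCEPT" rule appears before
# the first "-d SERVER_IP/32 ... -j DNAT" rule; returns 1 and names the first
# misordered ACCEPT rule on stderr otherwise. The explicit ( ) subshell keeps
# `exit` local to the loop regardless of the shell's pipeline semantics.
check_order() {
    rules="$1"
    serv="$2"
    printf '%s\n' "$rules" | (
        seen_dnat=0
        while IFS= read -r line; do
            case "$line" in
                *"-d $serv/32 "*"-j DNAT"*)
                    seen_dnat=1 ;;
                *"-d $serv/32 "*"-j ACCEPT"*)
                    if [ "$seen_dnat" -eq 1 ]; then
                        printf 'ACCEPT shadowed by earlier DNAT: %s\n' "$line" >&2
                        exit 1
                    fi ;;
            esac
        done
        exit 0
    )
}

# Stand-alone run: report both samples. On a live box you would feed in
#   check_order "$(iptables -t nat -S PREROUTING)" "$SERV_PRIVATE_IP"
if check_order "$GOOD_RULES" 10.0.0.1; then
    echo "GOOD_RULES: exemptions precede DNAT (ok)"
fi
if ! check_order "$BAD_RULES" 10.0.0.1; then
    echo "BAD_RULES: exemptions are shadowed (misordered)"
fi
```

The check only looks at ordering within the chain as printed; it does not parse every match option, so treat it as a quick sanity test after editing rules, not as a substitute for reading the chain.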
