
I have a Linux router set up like:

10.x.x.A/32 | 203.x.x.B (linux router) | {Internet} | 203.x.x.C (other IPSEC gateway, not sure of brand) | 10.x.x.D/29

And an ipsec tunnel set up with endpoints 203.x.x.B and 203.x.x.C, and the tunnel 10.x.x.A/32 - 10.x.x.D/29.

If I ping from D->A, I see the ping reach A, the response reach B on the way back, but it is never sent from B->C, either encrypted or not. If I ping from A->D, same thing: the packet is never sent from B->C.

I have a route for 10.x.x.D/29 on B pointing towards B's default gateway. I have excluded 10.x.x.D/29 from any nat or mangle transformations in iptables, but still nothing. tcpdump definitely shows no corresponding send from B->C when a packet is sent from A->D. There is no other traffic that would occur from B->C, so it's fairly easy to determine that no traffic is being sent.

The Linux router is Debian wheezy, running the Debian 3.2.0-4 kernel (3.2.54-2). IKE is being done by racoon, and all appears correct. setkey appears to show the correct SAs; it's just that nothing gets forwarded towards the other end.

Any and all suggestions for fixes appreciated!

Thanks
James
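One check worth running on B, as an added example that is not part of the post: the kernel only hands a packet to ESP when an `out ipsec` SPD entry matches its selector, so a small script that parses a `setkey -DP` dump and confirms both the outbound and inbound entries for the A<->D pair exist narrows the problem down quickly. The addresses 10.0.0.1, 10.0.0.8/29, 203.0.113.2 and 203.0.113.3 are placeholders for the post's A, D, B and C, and both dumps are constructed.

```shell
#!/bin/sh
# Added example (not from the post): check a `setkey -DP` dump on the Linux
# router for the two SPD entries the A<->D tunnel needs.
# Placeholders: 10.0.0.1 = A, 10.0.0.8/29 = D, 203.0.113.2 = B, 203.0.113.3 = C.

# spd_has DUMP SRC DST DIR: succeed if DUMP holds a "<DIR> ipsec" policy
# whose selector is exactly SRC -> DST (DIR is out, in or fwd).
spd_has() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v dir="$4" '
        # selector lines start in column 0: "src[port] dst[port] proto"
        /^[0-9]/ {
            sel_src = $1; sel_dst = $2
            sub(/\[.*/, "", sel_src); sub(/\[.*/, "", sel_dst)
            sub(/\/32$/, "", sel_src); sub(/\/32$/, "", sel_dst)
            next
        }
        # the indented "out ipsec" / "in ipsec" line belongs to the last selector
        $1 == dir && $2 == "ipsec" && sel_src == src && sel_dst == dst { found = 1 }
        END { exit !found }'
}

# check_tunnel DUMP LOCAL REMOTE: report missing policies; returns 0 only if both exist.
check_tunnel() {
    rc=0
    if spd_has "$1" "$2" "$3" out; then echo "ok: out policy $2 -> $3"
    else echo "MISSING: out policy $2 -> $3 (kernel will not hand this traffic to ESP)"; rc=1; fi
    if spd_has "$1" "$3" "$2" in; then echo "ok: in policy $3 -> $2"
    else echo "MISSING: in policy $3 -> $2"; rc=1; fi
    return $rc
}

# Constructed dump in setkey -DP layout (created/lifetime lines omitted).
COMPLETE_DUMP='10.0.0.1[any] 10.0.0.8/29[any] any
    out ipsec
    esp/tunnel/203.0.113.2-203.0.113.3/require
    spid=1 seq=1 pid=100
10.0.0.8/29[any] 10.0.0.1[any] any
    in ipsec
    esp/tunnel/203.0.113.3-203.0.113.2/require
    spid=2 seq=0 pid=100'

# Same dump with the outbound entry missing: matches the symptom in the post.
BROKEN_DUMP='10.0.0.8/29[any] 10.0.0.1[any] any
    in ipsec
    esp/tunnel/203.0.113.3-203.0.113.2/require
    spid=2 seq=0 pid=100'

check_tunnel "$COMPLETE_DUMP" 10.0.0.1 10.0.0.8/29
check_tunnel "$BROKEN_DUMP" 10.0.0.1 10.0.0.8/29 || echo "-> fix the SPD (setkey -c or racoon config) on B"
# On the router itself: check_tunnel "$(setkey -DP)" 10.x.x.A 10.x.x.D/29
```

If both entries are present and B still sends nothing, the next place to look is the per-policy SA state (`setkey -D`) and the xfrm error counters in /proc/net/xfrm_stat.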