diff --git a/lfs/strongswan b/lfs/strongswan
index 4174f78fe..714537e36 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-revert.patch
 
 	cd $(DIR_APP) && ./configure \
 		--prefix="/usr" \
diff --git a/src/patches/strongswan-ipfire-revert.patch b/src/patches/strongswan-ipfire-revert.patch
new file mode 100644
index 000000000..91c76212e
--- /dev/null
+++ b/src/patches/strongswan-ipfire-revert.patch
@@ -0,0 +1,113 @@
+--- strongswan-5.7.2/src/_updown/_updown.in.bak	2019-04-08 16:27:08.549214441 +0100
++++ strongswan-5.7.2/src/_updown/_updown.in	2019-04-08 16:30:30.195868788 +0100
+@@ -130,36 +130,6 @@
+ #              address family.
+ #
+ 
+-VARS=(
+-	id status name lefthost type ctype psk local local_id leftsubnets
+-	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+-	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+-	route x23 mode interface_mode interface_address interface_mtu rest
+-)
+-
+-function ip_encode() {
+-	local IFS=.
+-
+-	local int=0
+-	for field in $1; do
+-		int=$(( $(( $int << 8 )) | $field ))
+-	done
+-
+-	echo $int
+-}
+-
+-function ip_in_subnet() {
+-	local netmask
+-	netmask=$(_netmask $2)
+-	[ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+-}
+-
+-function _netmask() {
+-	local vlsm
+-	vlsm=${1#*/}
+-	[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+-}
+-
+ # define a minimum PATH environment in case it is not set
+ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+ export PATH
+@@ -326,13 +296,6 @@
+ 	fi
+ 	;;
+ up-client:iptables)
+-	# Read IPsec configuration
+-	while IFS="," read -r "${VARS[@]}"; do
+-		if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
+-			break
+-		fi
+-	done < /var/ipfire/vpn/config
+-
+ 	# connection to client subnet, with (left/right)firewall=yes, coming up
+ 	# This is used only by the default updown script, not by your custom
+ 	# ones, so do not mess with it; see CAUTION comment up at top.
+@@ -396,30 +359,6 @@
+ 	    logger -t $TAG -p $FAC_PRIO \
+ 	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ 	fi
+-
+-	if [ -z "${interface_mode}" ]; then
+-		# Add source nat so also the gateway can access the other nets
+-		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+-		for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+-			ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+-			if [ $? -eq 0 ]; then
+-				src=${_src}
+-				break
+-			fi
+-		done
+-
+-		if [ -n "${src}" ]; then
+-			iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+-			logger -t $TAG -p $FAC_PRIO \
+-				"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+-		else
+-			logger -t $TAG -p $FAC_PRIO \
+-				"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+-		fi
+-	fi
+-
+-	# Flush routing cache
+-	ip route flush cache
+ 	;;
+ down-client:iptables)
+ 	# connection to client subnet, with (left/right)firewall=yes, going down
+@@ -487,28 +426,6 @@
+ 	    logger -t $TAG -p $FAC_PRIO \
+ 	      "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+ 	fi
+-
+-	# remove source nat
+-	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+-	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+-		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+-		if [ $? -eq 0 ]; then
+-			src=${_src}
+-			break
+-		fi
+-	done
+-
+-	if [ -n "${src}" ]; then
+-		iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+-		logger -t $TAG -p $FAC_PRIO \
+-			"snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+-	else
+-		logger -t $TAG -p $FAC_PRIO \
+-			"Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+-	fi
+-
+-	# Flush routing cache
+-	ip route flush cache
+ 	;;
+ #
+ # IPv6
diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces
index cb55fdf79..2546f8927 100644
--- a/src/scripts/ipsec-interfaces
+++ b/src/scripts/ipsec-interfaces
@@ -23,9 +23,19 @@ shopt -s nullglob
 
 VPN_CONFIG="/var/ipfire/vpn/config"
 
+ROUTE_TABLE="220"
+ROUTE_TABLE_PRIO="128"
+
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
 
+# Get RED interface name
+if [ -r "/var/ipfire/red/iface" ]; then
+	RED_INTF="$(</var/ipfire/red/iface)"
+else
+	RED_INTF="red0"
+fi
+
 VARS=(
 	id status name lefthost type ctype psk local local_id leftsubnets
 	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
@@ -43,6 +53,52 @@ resolve_hostname() {
 	dig +short A "${hostname}" | tail -n1
 }
 
+ip_encode() {
+	local address="${1}"
+
+	local int=0
+	for field in ${address//./ }; do
+		int=$(( $(( ${int} << 8 )) | ${field} ))
+	done
+
+	echo ${int}
+}
+
+function ip_in_subnet() {
+	local address="${1}"
+	local subnet="${2}"
+
+	local netmask="${subnet#*/}"
+
+	# Convert netmask to prefix if necessary
+	case "${netmask}" in
+		[0-9]+)
+			;;
+		*)
+			netmask="$(netmask2prefix "${netmask}")"
+			;;
+	esac
+
+	local vlsm=$(( -1 << $(( 32 - ${netmask} )) ))
+
+	[ "$(( $(ip_encode "${address}") & ${vlsm} ))" -eq "$(( $(ip_encode "${subnet%/*}") & ${vlsm} ))" ]
+}
+
+netmask2prefix() {
+	local netmask="${1}"
+	local mask="$(ip_encode "${netmask}")"
+
+	local cidr=0
+	local x="$(( 128 << 24 ))" # 0x80000000
+
+	while [ $(( ${x} & ${mask} )) -ne 0 ]; do
+		[ ${mask} -eq ${x} ] && mask=0 || mask=$(( ${mask} << 1 ))
+		cidr=$(( ${cidr} + 1 ))
+	done
+
+	echo "${cidr}"
+}
+
 main() {
 	# Register local variables
 	local "${VARS[@]}"
@@ -50,8 +106,17 @@ main() {
 
 	local interfaces=()
 
+	# Flush IPsec routes
+	ip route flush table "${ROUTE_TABLE}"
+
+	# Remove lookups
+	ip rule del lookup "${ROUTE_TABLE}"
+
 	# We are done when IPsec is not enabled
 	if [ "${ENABLED}" = "on" ]; then
+		# Enable route table lookup
+		ip rule add lookup "${ROUTE_TABLE}" prio "${ROUTE_TABLE_PRIO}"
+
 		while IFS="," read -r "${VARS[@]}"; do
 			# Check if the connection is enabled
 			[ "${status}" = "on" ] || continue
@@ -65,6 +130,38 @@ main() {
 					local intf="${interface_mode}${id}"
 					;;
 				*)
+					# Install routes
+					local address
+
+					local _address
+					for _address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+						local leftsubnet
+						for leftsubnet in ${leftsubnets//\|/ }; do
+							if ip_in_subnet "${_address}" "${leftsubnet}"; then
+								address="${_address}"
+								break
+							fi
+						done
+
+						# End loop when address is set
+						[ -n "${address}" ] && break
+					done
+
+					local rightsubnet
+					for rightsubnet in ${rightsubnets//\|/ }; do
+						# Ignore default
+						case "${rightsubnet}" in
+							0.0.0.0/*)
+								continue
+								;;
+						esac
+
+						log "Creating route to ${rightsubnet} (via ${address} and ${RED_INTF})"
+						ip route add table "${ROUTE_TABLE}" "${rightsubnet}" proto static \
+							dev "${RED_INTF}" src "${address}"
+					done
+
+					# No interface processing required
 					continue
 					;;
 			esac