--- strongswan-5.7.0/src/_updown/_updown.in.bak 2019-02-06 18:19:25.723893992 +0000
+++ strongswan-5.7.0/src/_updown/_updown.in 2019-02-06 18:28:21.520560665 +0000
@@ -130,6 +130,13 @@
 # address family.
 #
+VARS=(
+ id status name lefthost type ctype psk local local_id leftsubnets
+ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+ route x23 mode interface_mode interface_address interface_mtu rest
+)
+
 function ip_encode() {
 local IFS=.
@@ -319,6 +326,13 @@
 fi
 ;;
 up-client:iptables)
+ # Read IPsec configuration
+ while IFS="," read -r "${VARS[@]}"; do
+ if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
+ break
+ fi
+ done < /var/ipfire/vpn/config
+
 # connection to client subnet, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
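Review bot: VARS fixes the column order of /var/ipfire/vpn/config positionally, with x3 through x23 standing for columns this script does not use, but nothing says so, and a reader adding a column to that file cannot tell that every later name silently shifts. Add a header comment above the array such as `# Column layout of /var/ipfire/vpn/config, one name per comma-separated field; xN are columns this script does not use. Order must match the file exactly.` The names are also plain globals (`name`, `status`, `type`, `mode`, `route`, `rest`) that `read` will overwrite in the up-client:iptables arm; if any of them are already used elsewhere in _updown, which I cannot see from this hunk, they should be prefixed to avoid clobbering.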
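Review bot: The lookup loop keeps no record of whether `${PLUTO_CONNECTION}` was found: when no line matches, the fields hold whatever the final `read` left behind, and a last line without a trailing newline is assigned but never compared, so `interface_mode` can belong to a different connection when it is tested later. Track the match explicitly and clear `interface_mode` on a miss, as below, so the legacy NAT path is chosen deliberately rather than by the EOF behaviour of `read`. The split also assumes no field, `psk` for instance, can itself contain a comma; if the file format allows that, every column after it shifts and the `name` comparison may still succeed while `interface_mode` is read from the wrong column.
```shell
	# Read IPsec configuration
	found=
	while IFS="," read -r "${VARS[@]}" || [ -n "${name}" ]; do
		if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
			found=1
			break
		fi
	done < /var/ipfire/vpn/config
	# Not listed: fall back to the legacy (non-interface) NAT handling
	[ -n "${found}" ] || interface_mode=
```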
@@ -383,23 +397,25 @@
 "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
 fi
- # Add source nat so also the gateway can access the other nets
- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
- if [ $? -eq 0 ]; then
- src=${_src}
- break
+ if [ -z "${interface_mode}" ]; then
+ # Add source nat so also the gateway can access the other nets
+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+ if [ $? -eq 0 ]; then
+ src=${_src}
+ break
+ fi
+ done
+
+ if [ -n "${src}" ]; then
+ iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+ logger -t $TAG -p $FAC_PRIO \
+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
 fi
- done
-
- if [ -n "${src}" ]; then
- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
- logger -t $TAG -p $FAC_PRIO \
- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
- else
- logger -t $TAG -p $FAC_PRIO \
- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
 fi
 # Flush routing cache
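Review bot: The new `if [ -z "${interface_mode}" ]` guard skips the whole SNAT block silently when a connection uses interface mode, while the path it wraps logs both success and failure; add an `else` on the new outer `if` so the decision is visible, e.g. `logger -t $TAG -p $FAC_PRIO "snat skipped: $PLUTO_CONNECTION uses interface mode ${interface_mode}"`. `interface_mode` is only filled by the read loop added earlier in the up-client:iptables arm, so this guard is correct only if this block is still inside that arm, which the hunk does not show. If a down-client arm elsewhere deletes the IPSECNAT rule, it presumably needs the same condition so it does not try to remove a rule that was never added.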