For those who use ipmap and masq rules in the same system, it is required that you enter your ipmap rules before the global 'masquerade' masq rule, or some services might not function as the outbound packet from you customer will hit the masq rule, and therefore leave the system with the IP of your server, and not their assigned ipmap'd one.

If your customers are having trouble establishing VPN connections, this may be the one of the primary causes.

The script example shows the masq rule before the ipmap, which is incorrect for proper operation.

Thanks!