diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2015-12-05 13:03:18.000000000 +0100
+++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2016-03-22 18:24:42.670000613 +0100
@@ -1,9 +1,16 @@
+# Required PostRouting for VPN
+
 {
- my $ipsec_access = $ipsec{access};
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";
- if ( $ipsec_access eq 'public' ) {
+ if ( $ipsec_status eq 'enabled' ) {
 $OUT .= " # Do not NAT VPN traffic\n";
- $OUT .=
-" /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
+ $OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
+ }
+
+ else {
+ $OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n";
 }
 }
diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2015-12-05 13:03:18.000000000 +0100
+++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2016-03-22 18:24:42.670000613 +0100
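Review bot: In 40AllowIPsec the new test `$ipsec_status eq 'enabled'` no longer reads `$ipsec{access}` at all, so a configuration with status enabled and access set to something other than `public` now gets the NAT exemption where the old template emitted nothing; 56AllowESP and 90adjustESP make the same swap for the ESP rules. Whether `access` is still a supported property is not visible in this diff. If it is, keep both conditions, e.g. `if ( $ipsec_status eq 'enabled' && ( $ipsec{access} || '' ) eq 'public' ) {`; if it is not, say so in the header comment, e.g. `# Gated on status only; the access property is intentionally ignored`. The commented-out `print` debug line here and in the other two templates can be dropped.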
@@ -1,14 +1,18 @@
 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
 {
-my $ipsec_access = $ipsec{access};
+ my $ipsec_status = $ipsec{status} || '';
-if ($ipsec_access eq 'public') {
+# print "Ipsec Information - 56AllowESP - $ipsec_status\n";
- $OUT .= " /sbin/iptables --new-chain esp-in\n";
- $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
- $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
- $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
- $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
- }
+ if ( $ipsec_status eq 'enabled' ) {
+ $OUT .= " /sbin/iptables --new-chain esp-in\n";
+ $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
+ $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
+ $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
+ $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
+ }
+ else {
+ $OUT .= " # 56AllowESP disabled\n";
+ }
 }
diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2015-12-05 13:03:18.000000000 +0100
+++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2016-03-22 18:24:42.670000613 +0100
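Review bot: 56AllowESP has no comment explaining that `esp-in` is built closed and that its rule order is load-bearing: both appended rules jump to `denylog`, and 90adjustESP later rewrites them by position with `--replace esp-in 1` and `--replace esp-in 2`. Inserting or reordering a rule in this chain would make the adjust step overwrite the wrong rule without any error. A comment above the appends would cover it: `# esp-in starts closed; 90adjustESP replaces rule 1 and rule 2 by position, keep this order`. The destination rule is spelled `\! -d` here and `! -d` in 90adjustESP; both should produce the same text, so one spelling would be cleaner.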
@@ -1,12 +1,16 @@
 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
+
 {
- my $ipsec_access = $ipsec{access};
- my $ipsec_status = $ipsec{status};
- if ( $ipsec_access eq 'public' ) {
-
- my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 90AdjustESP - $ipsec_status\n";
+ if ( $ipsec_status eq 'enabled' ) {
+ my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
 $OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
 $OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
 }
+ else {
+ $OUT .= " # 90adjustESP disabled\n";
+ }
 }
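Review bot: In 90adjustESP the ternary is now dead code, since `$target` is computed inside `if ( $ipsec_status eq 'enabled' )` and can only be `ACCEPT`; the `denylog` arm that used to close the chain while the service was disabled is unreachable. If this fragment runs on a firewall adjust without a full rebuild of the chains (the file name and the `--replace` calls suggest so, but the caller is not in the diff), switching status from enabled to disabled emits only a comment and leaves rule 2 of an existing `esp-in` chain at ACCEPT. A fail-closed version would create `esp-in` unconditionally in 56AllowESP and drop the outer `if` here, so that `$OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";` always runs with the target chosen by status. If the status-only gate is kept as is, replace the ternary with the literal `"ACCEPT"` so the code does not suggest a deny path that cannot be taken.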