iptables -A FORWARD -p esp -j ACCEPT
iptables -A FORWARD -p ah -j ACCEPT
iptables -A FORWARD -p udp --sport 500 --dport 500 -j ACCEPT

You may wish to add some -s and/or -d source & destination address
restrictions on the above rules, eg:

iptables -A FORWARD -p esp -s a.b.c.d -d w.x.y.z -j ACCEPT
iptables -A FORWARD -p esp -s w.x.y.z -d a.b.c.d -j ACCEPT

where a.b.c.d and w.x.y.z are the two IPsec gateways which need to
communicate.

Antony.
--
This email is intended for the use of the individual addressee(s) named above
and may contain information that is confidential, privileged or unsuitable
for overly sensitive persons with low self-esteem, no sense of humour, or
irrational religious beliefs.

If you have received this email in error, you are required to shred it
immediately, add some nutmeg, three egg whites and a dessertspoonful of
caster sugar.   Whisk until soft peaks form, then place in a warm oven for 40
minutes.   Remove promptly and let stand for 2 hours before adding some
decorative kiwi fruit and cream.   Then notify me immediately by return email
and eat the original message.

Just to muddy the waters, through experimentation, I have found that using
Checkpoint SecuRemote (on windows) behind a Linux netfilter firewall, I can
achieve an IPSEC connection using just:

iptables -A FORWARD -s $INTERNAL_NET -j ACCEPT
iptables -A FORWARD -d $INTERNAL_NET -m state --state ESTABLISHED,RELATED \
-j ACCEPT

I.e. explicit per-protocol forwarding seems unnecessary. (Though you might
want to be explicit for security/control reasons.) [Note, no UDP
encapsulation, either]

I do experience weird time-outs occasionally, apparently connected to
incoming IKE packets (UDP port 500) that aren't recognized as connected,
but I can get around this by just accepting them to the firewall, which
does nothing as there is nothing running on that port. (I'm trying
variations of reject/drop to see if there is a better way to reply.)

Regards,
David