diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml
index 9f028f889..3e7ccc889 100644
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -681,4 +681,65 @@ ipip vpn 0.0.0.0/0
+
+
+ Using SNAT to Force Traffic over an IPSEC Tunnel
+
+ Cases can arise where you need to use an IPSEC tunnel to access a
+ remote network, but you have no control over the associated security
+ polices. In such cases, the resulting tunnel is accessible from your
+ firewall but not from your local networks.
+
+ Let's take an example:
+
+
+
+ Remote gateway 192.0.2.26
+
+
+
+ Remote subnet 172.22.4.0/24
+
+
+
+ Your public IP address is 192.0.2.199
+
+
+
+ Your Internet-facing interface is eth0
+
+
+
+ Your local network is 192.168.219.0/24
+
+
+
+ You want to access 172.22.4.0/24 from 192.168.219.0/24
+
+
+
+ You need to configure as follows.
+
+ /etc/shorewall/zones:
+
+ #ZONE TYPE OPTIONS
+...
+vpn ip # Note that the zone cannot be declared as type ipsec
+...
+
+ /etc/shorewall/hosts:
+
+ #ZONE HOSTS OPTIONS
+vpn eth0:172.22.4.0/24 mss=1380,destonly
+vpn eth0:0.0.0.0/0 mss=1380,ipsec
+
+ /etc/shorewall/snat:
+
+ SNAT(192.0.2.199) 192.168.219.0/24 eth0:172.22.4.0/24
+
+ /etc/shorewall/tunnels:
+
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
+ipsec net 192.0.2.26 vpn
+