I already tried a lot of things but didn’t solve the problem:
Roadwarrior Clients (OpenVPN) should be masqueraded with an internal address to access some external (IPSEC Tunnel) sites; the Roadwarrior network can’t be included in these IPSEC tunnels.
So a client R.R.R.100 willing to access F.F.F.1 should be source natted coming from V.V.V.254.
action=masquerade is a special case of action=src-nat which differs from it in two aspects:
- it inherits the new source address from the out-interface through which the packet would leave according to the first pass through routing (the actual out-interface may change due to mangle rules assigning a routing-mark and thus spawning a new pass through routing, or due to IPsec policy matching the packet and diverting it through the SA)
- it makes the connection be automatically deleted if the original out-interface goes down or gets a different address (by DHCP)
So you can either use action=src-nat to-addresses=the.address.you.want instead of action=masquerade, or you can create a route via vlan1, or via some bridge with no ports, for the destinations towards which you need the traffic to be src-nated, as an exception from the default route. Then, you’d assign the IP address you want to use as source one to that interface, and keep using your action=masquerade rule referring to that out-interface.
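The two options from the reply above, written out as RouterOS commands. This is an added example, not part of the original posts: the /24 and /32 prefix lengths and the bridge name `br-natsrc` are assumptions, and R.R.R / F.F.F / V.V.V are the thread's own placeholders that must be replaced with real addresses.

```routeros
# Option 1: explicit src-nat, no dependency on the out-interface address.
# Place this rule above any generic masquerade rule in chain=srcnat,
# otherwise the generic rule matches first.
/ip firewall nat
add chain=srcnat action=src-nat \
    src-address=R.R.R.0/24 dst-address=F.F.F.0/24 \
    to-addresses=V.V.V.254 \
    comment="roadwarrior -> IPsec site, fixed source address"

# Option 2: keep action=masquerade, but make the first routing pass
# select an interface that carries the wanted source address.

# Bridge with no ports (hypothetical name), used only to hold the address.
/interface bridge
add name=br-natsrc comment="no ports, holds NAT source address"

# The address that masquerade will inherit from the out-interface.
/ip address
add address=V.V.V.254/32 interface=br-natsrc

# Exception from the default route for the remote IPsec subnet, so the
# first routing pass resolves to br-natsrc.
/ip route
add dst-address=F.F.F.0/24 gateway=br-natsrc

# Masquerade tied to that out-interface. After NAT the packet has source
# V.V.V.254, so the IPsec policy can match it and divert it through the SA.
/ip firewall nat
add chain=srcnat action=masquerade \
    src-address=R.R.R.0/24 out-interface=br-natsrc \
    comment="roadwarrior -> IPsec site via br-natsrc"
```

Use one option, not both. `/ip firewall nat print` shows the rule order, and the packet counter on the rule confirms whether roadwarrior traffic is hitting it.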