diff --git a/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
index f5fc39c917d..6914c8e6f91 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
@@ -211,7 +211,7 @@ class CsNetfilter(object):
         # Order is important
         order = ['-A', '-s', '-d', '!_-d', '-i', '!_-i', '-p', '-m', '-m2', '--icmp-type', '--state', '--dport', '--destination-port', '-o', '!_-o', '-j', '--set-xmark', '--checksum',
-                 '--to-source', '--to-destination']
+                 '--to-source', '--to-destination', '--mark' ]
         str = ''
         for k in order:
             if k in self.rule.keys():
@@ -229,13 +229,21 @@ class CsNetfilter(object):
     def __eq__(self, rule):
         if rule.get_table() != self.get_table():
             return False
+        #if '-j' in self.get_rule().keys() and self.get_rule()['-j'] == "MARK" and self.get_rule()['--set-xmark'] == '0x524/0xffffffff' and \
+        #'-j' in rule.get_rule().keys() and rule.get_rule()['-j'] == "MARK" and rule.get_rule()['--set-xmark'] == '0x524/0xffffffff':
+            #pprint(self.get_rule())
+            #pprint(rule.get_rule())
+            #pprint(self.get_chain())
+            #pprint(rule.get_chain())
         if rule.get_chain() != self.get_chain():
             return False
         if len(rule.get_rule().items()) != len(self.get_rule().items()):
             return False
-        #if '--checksum' in self.get_rule().keys() and self.get_rule()['--checksum'] == "fill":
-            #pprint(self.get_rule())
         common = set(rule.get_rule().items()) & set(self.get_rule().items())
+        #if '-j' in self.get_rule().keys() and self.get_rule()['-j'] == "MARK" and self.get_rule()['--set-xmark'] == '0x524/0xffffffff':
+            #pprint(self.get_rule())
+            #pprint(rule.get_rule())
+            #pprint(common)
         if len(common) != len(rule.get_rule()):
             return False
         return True
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 84efe2833c0..99b44f0b6f3 100755
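Review bot: `'--mark'` is appended after the target options (`-j`, `--set-xmark`, `--to-source`, `--to-destination`), so a rule carrying both a `mark` match and a target renders as `... -m mark -j ACCEPT --mark 0x525/0xffffffff`; iptables is generally lenient about match options appearing after `-j`, but the string no longer reads in the canonical `-m mark --mark …` form, which would matter if the rendered text is ever compared against `iptables-save` output. Keeping the match option next to its match, e.g. `'-m', '-m2', '--mark', '--icmp-type', …` (any position before `'-j'` works), avoids that. The stray space in `'--mark' ]` is a nit. The enclosing method starts before the hunk and its body continues past it.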
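Review bot: The six commented-out lines added to `__eq__` (`#if '-j' in self.get_rule().keys() …` and the four `#pprint(...)` calls, tied to the single hard-coded value `0x524/0xffffffff`) are debugging leftovers and should be dropped before merging rather than swapped in for the `--checksum` block the hunk removes. If a trace of rule comparison is genuinely wanted, a single log call at debug level through whatever logger the module already has (not visible in this hunk) keeps the information without dead code. The comparison logic of `__eq__` is otherwise unchanged by this hunk.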
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -802,8 +802,8 @@ class CsAddress(CsDataBag):
                 # Only relevant if there is a VPN configured so will have to move
                 # at some stage
                 fw.append(["mangle", "", "-A FORWARD -j VPN_STATS_%s" % dev])
-                fw.append(["mangle", "", "-A VPN_STATS_%s -o %s -m mark --mark 0x525/0xffffffff" % (dev, dev)])
-                fw.append(["mangle", "", "-A VPN_STATS_%s -i %s -m mark --mark 0x524/0xffffffff" % (dev, dev)])
+                fw.append(["mangle", "", "-A VPN_STATS_%s -o %s -m mark --set-xmark 0x525/0xffffffff" % (dev, dev)])
+                fw.append(["mangle", "", "-A VPN_STATS_%s -i %s -m mark --set-xmark 0x524/0xffffffff" % (dev, dev)])
 
 class CsSite2SiteVpn(CsDataBag):
     """
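Review bot: `--set-xmark` is an option of the MARK target, not of the `mark` match, so the two new VPN_STATS lines (`-m mark --set-xmark 0x525/0xffffffff` and `... 0x524/0xffffffff`) are rules iptables will refuse to load; the match option is `--mark value/mask`, which is exactly what the removed lines used, and the same substitution appears on the nat POSTROUTING line of the `configure_iptables` hunk below. The CsNetfilter hunk in this commit adds `'--mark'` to the serialisation order, which looks like the intended fix for that option being dropped on render, so the rule text should stay `fw.append(["mangle", "", "-A VPN_STATS_%s -o %s -m mark --mark 0x525/0xffffffff" % (dev, dev)])` and `fw.append(["mangle", "", "-A VPN_STATS_%s -i %s -m mark --mark 0x524/0xffffffff" % (dev, dev)])`. Presumably a rejected rule aborts or silently skips part of the firewall apply on the router, so this is worth a test that feeds the rendered rules through iptables before they are relied on. The enclosing method begins before the hunk.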
@@ -850,13 +850,13 @@ class CsSite2SiteVpn(CsDataBag):
     def configure_iptables(self, dev, obj):
         fw.append([ "", "front", "-A INPUT -i %s -p udp -m udp --dport 500 -j ACCEPT" % dev ])
         fw.append([ "", "front", "-A INPUT -i %s -p udp -m udp --dport 4500 -j ACCEPT" % dev ])
-        fw.append([ "", "front", "-A INPUT -i %s -p 50 -j ACCEPT" % dev ])
-        fw.append([ "", "front", "-t nat -I POSTROUTING -t nat -o %s-m mark --mark 0x525/0xffffffff -j ACCEPT" % dev ])
+        fw.append([ "", "front", "-A INPUT -i %s -p esp -j ACCEPT" % dev ])
+        fw.append([ "nat", "front", "-A POSTROUTING -t nat -o %s-m mark --set-xmark 0x525/0xffffffff -j ACCEPT" % dev ])
         for net in obj['peer_guest_cidr_list'].lstrip().rstrip().split(','):
-            fw.append([ "mangle", "front", "-I FORWARD -t mangle -s %s -d %s -j MARK --set-mark 0x525/0xffffffff" % (obj['local_guest_cidr'], net)])
-            fw.append([ "mangle", "", "-A OUTPUT -s %s -d %s -j MARK --set-mark 0x525/0xffffffff" % (obj['local_guest_cidr'], net)])
-            fw.append([ "mangle", "front", "-I FORWARD -s %s -d %s -j MARK --set-mark 0x524/0xffffffff" % (net, obj['local_guest_cidr'])])
-            fw.append([ "mangle", "", "-A INPUT -s %s -d %s -j MARK --set-mark 0x524/0xffffffff" % (net, obj['local_guest_cidr']) ])
+            fw.append([ "mangle", "front", "-A FORWARD -s %s -d %s -j MARK --set-xmark 0x525/0xffffffff" % (obj['local_guest_cidr'], net)])
+            fw.append([ "mangle", "", "-A OUTPUT -s %s -d %s -j MARK --set-xmark 0x525/0xffffffff" % (obj['local_guest_cidr'], net)])
+            fw.append([ "mangle", "front", "-A FORWARD -s %s -d %s -j MARK --set-xmark 0x524/0xffffffff" % (net, obj['local_guest_cidr'])])
+            fw.append([ "mangle", "", "-A INPUT -s %s -d %s -j MARK --set-xmark 0x524/0xffffffff" % (net, obj['local_guest_cidr']) ])
 
     def configure_ipsec(self, obj):
         leftpeer = obj['local_public_ip']
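Review bot: The new nat POSTROUTING line keeps the `-o %s-m mark` typo of the line it replaces, so with a device name substituted it renders as `-o eth0-m mark …` (constructed example) and `-m mark` is never parsed as a match; it also names the table twice (`"nat"` as the list's table element and `-t nat` inside the rule string) and uses `--set-xmark`, the MARK-target option, where the `mark` match takes `--mark`. A corrected line would be `fw.append([ "nat", "front", "-A POSTROUTING -o %s -m mark --mark 0x525/0xffffffff -j ACCEPT" % dev ])`, assuming the loader takes the table from the first list element — the hunk does not show whether an in-string `-t` is also tolerated. Presumably this is the rule that exempts marked site-to-site VPN traffic from SNAT, so a rejected rule breaks the tunnel rather than failing loudly. The `-p 50` → `-p esp` change and `--set-mark` → `--set-xmark` on the `-j MARK` lines look correct (same result for a full `0xffffffff` mask); `configure_ipsec` continues past the hunk.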