IPSEC conenction established.
Added green0:4 adapter with IP from left side of tunnel.
CUSTOMPREORUTING WITH DNAT OK.
CUSTOMPOSTROUING WITH SNAT NOT OK nothing arrives because of:
iptables -S IPSECBLOCK
Then removal of some rules from there:
iptables -D IPSECBLOCK -d subnet -j REJECT --reject-with icmp-net-unreachable
of coliding rules.
Is this by design?