Routing table on Linux not respected
Posted by MRHaarmann on Super User
Published on 2012-10-23T10:01:53Z
Indexed on 2012/10/23 11:04 UTC
I have a very specific problem, building a Linux VPN endpoint (with external VPN Gateway),
which should route certain networks over the tunnel, others via default gateway.
The Linux VPN should do a NAT on the outgoing connections for the VPN peers.
Setup is as follows:

Internet gateway
  LAN 192.168.25.1/24

VPN Gateway
  LAN 10.45.99.2/24 (VPN tunnel 10.45.99.1 to net 87.115.17.40/29, separate connection to Internet)

Linux VPN Router
  eth0 192.168.25.71/24
  eth0:503 10.45.99.1/24
  Default 192.168.25.1
  route to 87.115.17.40/29 via 10.45.99.2
  (send_redirects disabled, ip_forward enabled)

Linux clients (multiple)
  eth0 192.168.25.x/24
  Default 192.168.25.1
  route to 87.115.17.40/29 via 192.168.25.71
Ping to the machines via tunnel from the VPN Router is working.
Now I want to establish a routing from my clients over the VPN gateway, and the client packet gets routed to 192.168.25.1! traceroute output shows the packets get routed to 192.168.25.71, but then to 192.168.25.1.
So the route is not respected in forward!
IPTables and Routing:

ip route show
  87.115.17.40/29 via 10.45.99.2 dev eth0
  10.45.99.0/24 dev eth0 proto kernel scope link src 10.45.99.1
  192.168.25.0/24 dev eth0 proto kernel scope link src 192.168.25.71
  default via 192.168.25.1 dev eth0

iptables -A INPUT -i eth0:503 -j REJECT
iptables -t nat -A POSTROUTING -o eth0:503 -j MASQUERADE
iptables -A FORWARD -i eth0:503 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.25.0/24 -o eth0:503 -j ACCEPT
So what is wrong with my setup? The route is chosen correctly from localhost, but all the clients get forwarded to the Internet GW.
thanks for helping, Marcus
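As an added check (example code, not part of the question above): the script below replays the kernel's longest-prefix-match selection over the `ip route show` output from the question, for a destination inside 87.115.17.40/29 and one outside it. Without `ip rule` policy routing, a main-table lookup depends only on the destination, so a packet forwarded for a client and one originated on the router should pick the same route; the live equivalent on the router is `ip route get 87.115.17.41 from 192.168.25.x iif eth0`. The sample destinations 87.115.17.41 and 8.8.8.8 are constructed for the test.

```python
import ipaddress

# Routing table copied from the question's 'ip route show' output.
IP_ROUTE_SHOW = """
87.115.17.40/29 via 10.45.99.2 dev eth0
10.45.99.0/24 dev eth0 proto kernel scope link src 10.45.99.1
192.168.25.0/24 dev eth0 proto kernel scope link src 192.168.25.71
default via 192.168.25.1 dev eth0
"""


def parse_ip_route(text):
    """Parse 'ip route show' style lines into (network, gateway, dev) tuples.

    'default' is normalised to 0.0.0.0/0; a missing 'via' means the
    destination is on-link (no next hop).
    """
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        gw = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dst, strict=False), gw, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over the table, as the FIB does for a unicast
    destination when no policy rules are present. Returns a dict with the
    matching prefix, next hop ('via', None when on-link) and device, or
    None if nothing matches (no default route)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None
    net, gw, dev = best
    return {"net": str(net), "via": gw, "dev": dev}


if __name__ == "__main__":
    table = parse_ip_route(IP_ROUTE_SHOW)
    for dst in ("87.115.17.41", "8.8.8.8", "192.168.25.50"):
        print(dst, "->", lookup(table, dst))
```

If the live `ip route get ... iif eth0` result differs from the plain lookup, something other than the main table (policy rules, a NAT rule, or an interface match that never fires) is steering the forwarded traffic.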
© Super User or respective owner