Shorewall rejects traffic when being forwarded on a single public interface
I am trying to do a similar exercise to Shorewall FAQ 2a but with public IP addresses. I have traffic that I am trying to route via an IPsec connection, but once I turn on Shorewall I get the following:
:FORWARD:REJECT:IN=eth1 OUT=eth1 MAC=52:54:00:90:e3:a9:00:25:90:ae:0a:c3:08:00 SRC=196.38.X.X DST=196.11.X.X LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=54294 DF PROTO=TCP SPT=50594 DPT=35101 WINDOW=27200 RES=0x00 SYN URGP=0
Routeback is enabled, and net-to-net traffic is set to ACCEPT in the policy.
Any ideas how to sort this out? Routing etc. is perfect when Shorewall is disabled.
Edit below: I've added the config. It turns out that it works perfectly if I remove all REJECT info, so it may be that I don't have the correct rule defined to match the traffic.
/etc/shorewall/rules
net:196.38.YY.XX vpn tcp 35101
ACCEPT net:196.38.YY.XX net:196.11.YY.XX tcp 35101
/etc/shorewall/tunnels
net a.b.c.d
/etc/shorewall/policy
$FW all ACCEPT
net all DROP info
vpn all ACCEPT info
all vpn ACCEPT info
all all REJECT info
/etc/shorewall/zones
ipv4
/etc/shorewall/hosts
eth1:a.b.c.d ipsec
/etc/shorewall/interfaces
eth1 detect tcpflags,nosmurfs,routeback
Asked by Wayne Gemmell
(21 rep)
Jan 8, 2016, 01:47 PM
Last activity: Jan 11, 2016, 02:07 PM
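The logged packet is a hairpin forward (IN=eth1 OUT=eth1, so net to net), and the question is which rules or policy entry it falls through to. The script below is an added example, not code from the question or from Shorewall itself: it parses a netfilter/Shorewall log line into its fields and runs the record through a deliberately simplified model of Shorewall matching (first matching rule wins, otherwise the first policy whose zone pair matches). The sample log line, the placeholder addresses standing in for the masked X.X / YY.XX octets, the placeholder 192.0.2.10 for the IPsec peer a.b.c.d, and the zone assignment in zone_of are all constructed assumptions; real Shorewall compiles considerably more logic (interface options, the ipsec host option, and so on) than this model captures.

```python
"""Simplified model of Shorewall rule/policy matching for a logged FORWARD packet.

Constructed example: first matching rule wins, otherwise the first policy whose
zone pair matches. This is not Shorewall's own code and omits most of its logic.
"""
import ipaddress

# Constructed sample: the REJECT line from the question, with the masked X.X
# octets replaced by example values so the addresses parse.
SAMPLE_LOG = (
    "Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 "
    "MAC=52:54:00:90:e3:a9:00:25:90:ae:0a:c3:08:00 "
    "SRC=196.38.1.1 DST=196.11.2.2 LEN=60 TOS=0x10 PREC=0x00 TTL=63 "
    "ID=54294 DF PROTO=TCP SPT=50594 DPT=35101 WINDOW=27200 RES=0x00 SYN URGP=0"
)

# Assumption: a placeholder for the IPsec peer a.b.c.d listed in the hosts file.
VPN_PEER = ipaddress.ip_address("192.0.2.10")


def parse_netfilter_log(line):
    """Split a netfilter/Shorewall log line into chain, disposition, KEY=VALUE
    fields and bare flags (DF, SYN, ...). The first token looks like
    'Shorewall:FORWARD:REJECT:IN=eth1'; a missing log prefix (':FORWARD:...')
    is tolerated because the chain and disposition are taken from the end."""
    tokens = line.split()
    head = tokens[0].split(":")
    rec = {"chain": head[-3], "disposition": head[-2], "flags": []}
    for tok in [head[-1]] + tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


def zone_of(ip):
    """Assumed zone assignment from the posted hosts/interfaces files: the IPsec
    peer is in 'vpn'; everything else reached through eth1 is 'net'."""
    return "vpn" if ipaddress.ip_address(ip) == VPN_PEER else "net"


def host_matches(spec, ip):
    """spec is None (any host), a single address, or a CIDR block."""
    return spec is None or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


# Rules as (action, src_zone, src_host, dst_zone, dst_host, proto, dport),
# constructed from the posted rules file with placeholder octets.
RULES = [
    ("ACCEPT", "net", "196.38.1.1", "net", "196.11.2.2", "tcp", "35101"),
]

# Policies as (src_zone, dst_zone, action), in the order of the posted policy file.
POLICIES = [
    ("$FW", "all", "ACCEPT"),
    ("net", "all", "DROP"),
    ("vpn", "all", "ACCEPT"),
    ("all", "vpn", "ACCEPT"),
    ("all", "all", "REJECT"),
]


def decide(rec, rules=RULES, policies=POLICIES):
    """Return (action, reason) for a parsed FORWARD log record."""
    src_zone, dst_zone = zone_of(rec["SRC"]), zone_of(rec["DST"])
    for action, sz, sh, dz, dh, proto, dport in rules:
        if (sz == src_zone and dz == dst_zone
                and host_matches(sh, rec["SRC"]) and host_matches(dh, rec["DST"])
                and proto.upper() == rec.get("PROTO", "")
                and dport == rec.get("DPT")):
            return action, f"rule {sz}:{sh} -> {dz}:{dh} {proto}/{dport}"
    for pz, pd, action in policies:
        if pz in ("all", src_zone) and pd in ("all", dst_zone):
            return action, f"policy {pz} {pd} {action}"
    return "REJECT", "no policy matched"


if __name__ == "__main__":
    rec = parse_netfilter_log(SAMPLE_LOG)
    print(f"{rec['chain']} {rec['disposition']} {rec['SRC']} -> {rec['DST']} "
          f"in={rec['IN']} out={rec['OUT']} zones={zone_of(rec['SRC'])}->{zone_of(rec['DST'])}")
    print("matching rule:", decide(rec))
    # Same packet from an address the rules do not name: falls to 'net all DROP'.
    print("other source:", decide(dict(rec, SRC="198.51.100.5")))
```

Running it shows the logged flow would hit the posted ACCEPT rule once source and destination addresses are spelled out in the rule, while the same port from any other net host lands on the `net all DROP` policy. When a packet is logged as REJECT instead, the reason string from the model points at which entry to compare against the live configuration.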