I am running into something interesting which I am not able to explain well.
I brought up a simple Ubuntu 20.04 box and am attempting to protect all traffic via an IPsec tunnel.
I am not using VTI or an xfrm interface and am simply negotiating 0.0.0.0 as the TS at each end.
Without the IPsec tunnel, everything works fine.
Now when I initiate the tunnel, the tunnel comes up fine.
Now when I run an iperf TCP test, it works fine. Packets flow over the tunnel, come back and hit the application, and I get the expected throughput.
When I run a ping test, it works well too.
The problem is web traffic.
When I do wget or try using a browser, I see traffic flowing well and coming back to my Ubuntu 20 node; however, it never reaches the application.
So wget never sees the replies; however, the TCP connection does get to ESTAB as expected, and in Wireshark I do see the replies both over the tunnel and post-decryption.
But for some inexplicable reason, it's only when I try with web traffic that I notice the traffic is not reaching the intended application.
Any clue?
My IPsec config isn't anything interesting:
vtewari@vtewari-ububtu:~$ sudo swanctl --list-sas
[sudo] password for vtewari:
tenant-13543-1010: #9, ESTABLISHED, IKEv2, 43319062223514a3_i* 2927ffc3801b0fa2_r
local 'vtewari-bom2@vtewari.com' @ 10.0.2.15
remote 'vtewari-remote' @ vtewari-remote
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 2622s ago, reauth in 24647s
tenant-13543-1010: #13, reqid 11, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
installed 2623s ago, rekeying in 68598s, expires in 69378s
in c6fce0ab, 600 bytes, 7 packets, 381s ago
out c13ce846, 127082 bytes, 96 packets, 381s ago
local 0.0.0.0/0
remote 0.0.0.0/0
vtewari@vtewari-ububtu:~$ sudo swanctl --list-conns
tenant-13543-1010: IKEv2, reauthentication every 215460s, no rekeying
local: %any
remote: vtewari-remote
local pre-shared key authentication:
id: vtewari-bom2@vtewari.com
remote pre-shared key authentication:
tenant-13543-1010: TUNNEL, rekeying every 71460s
local: 0.0.0.0/0
remote: 0.0.0.0/0
Ping/iperf test successful over the tunnel:
vtewari@vtewari-ububtu:~$ iperf3 -c paris.testdebit.info -p 9237 -R
Connecting to host paris.testdebit.info, port 9237
Reverse mode, remote host paris.testdebit.info is sending
[ 5] local 10.0.2.15 port 33296 connected to 89.84.1.194 port 9237
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 37.1 KBytes 304 Kbits/sec
[ 5] 1.00-2.00 sec 102 KBytes 830 Kbits/sec
^C[ 5] 2.00-2.54 sec 131 KBytes 2.01 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-2.54 sec 0.00 Bytes 0.00 bits/sec sender
[ 5] 0.00-2.54 sec 270 KBytes 871 Kbits/sec receiver
iperf3: interrupt - the client has terminated
However, though TCP gets connected, wget never sees the response:
vtewari@vtewari-ububtu:~$ wget http://google.com --verbose -O index.html
--2022-06-05 15:10:00-- http://google.com/
Resolving google.com (google.com)... 142.250.77.46, 2404:6800:4009:81c::200e
Connecting to google.com (google.com)|142.250.77.46|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2022-06-05 15:10:01-- http://www.google.com/
Resolving www.google.com (www.google.com)... 142.251.42.4, 2404:6800:4009:82f::2004
Connecting to www.google.com (www.google.com)|142.251.42.4|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
index.html [ ] 0 --.-KB/s
I see the same with browser as well.
If I disable tunnel, everything is fine. When I enable the tunnel, browser fails to reach servers.
Thank you for your insights into this.
Asked by vtewari
(41 rep)
Jun 5, 2022, 10:05 PM
Last activity: Jun 5, 2022, 10:36 PM
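One check that complements the Wireshark capture described in the question, added here as an example and not part of the original post or of strongSwan: the Linux kernel keeps per-host IPsec (xfrm) error counters in /proc/net/xfrm_stat, and a packet that is decrypted successfully but then fails the xfrm policy or state check is dropped there, after the point where a capture still shows it and before it reaches any socket. The script below snapshots those counters before and after a test transfer and prints the counters that grew, with the kernel's documented meaning for the inbound ones. It assumes a Linux kernel built with CONFIG_XFRM_STATISTICS; the counter names are the kernel's, while the two sample snapshots it runs on are constructed.

```sh
#!/bin/sh
# Added example, not from the original question. Compares two snapshots of the
# kernel's IPsec (xfrm) error counters taken before and after a failing
# transfer, so a packet that was decrypted but then dropped by the xfrm
# policy/state checks (and so never reaches the socket) becomes visible.
# Assumes Linux with CONFIG_XFRM_STATISTICS (the /proc/net/xfrm_stat file);
# counter names are the kernel's, the sample snapshots below are constructed.

# Live use: snapshot_xfrm_stat before.txt; run the wget; snapshot_xfrm_stat after.txt
snapshot_xfrm_stat() {
    cat /proc/net/xfrm_stat > "$1"
}

# Print "<counter> +<increase>" for every counter that grew between the two
# snapshots ($1 = before, $2 = after). Prints nothing if no counter grew.
xfrm_counter_delta() {
    awk 'NR == FNR { before[$1] = $2 + 0; next }
         ($1 in before) && ($2 + 0) > before[$1] {
             printf "%s +%d\n", $1, ($2 + 0) - before[$1]
         }' "$1" "$2"
}

# Plain-language meaning of the inbound counters that most often explain
# "decrypted but never delivered" (wording follows Documentation/networking/xfrm_proc).
describe_xfrm_counter() {
    case "$1" in
        XfrmInNoStates)      echo "no SA found for the inbound SPI" ;;
        XfrmInStateMismatch) echo "SA found but its options mismatch (e.g. UDP encapsulation)" ;;
        XfrmInStateSeqError) echo "ESP sequence number outside the replay window" ;;
        XfrmInTmplMismatch)  echo "policy found but its template does not match the SA used" ;;
        XfrmInNoPols)        echo "no policy matched the decrypted packet (SA ok, SP lookup failed)" ;;
        XfrmInPolBlock)      echo "a policy explicitly discarded the packet" ;;
        *)                   echo "see Documentation/networking/xfrm_proc for $1" ;;
    esac
}

# Report each grown counter together with its meaning.
explain_xfrm_delta() {
    xfrm_counter_delta "$1" "$2" | while read -r name inc; do
        printf '%-22s %-5s %s\n' "$name" "$inc" "$(describe_xfrm_counter "$name")"
    done
}

# Demo on constructed snapshots (an excerpt in the real file's format,
# one "<CounterName> <value>" per line).
demo_before=$(mktemp)
demo_after=$(mktemp)
printf 'XfrmInError 0\nXfrmInNoStates 0\nXfrmInStateSeqError 0\nXfrmInTmplMismatch 0\nXfrmInNoPols 0\nXfrmInPolBlock 0\nXfrmOutNoStates 0\n' > "$demo_before"
printf 'XfrmInError 0\nXfrmInNoStates 0\nXfrmInStateSeqError 0\nXfrmInTmplMismatch 0\nXfrmInNoPols 3\nXfrmInPolBlock 0\nXfrmOutNoStates 0\n' > "$demo_after"
explain_xfrm_delta "$demo_before" "$demo_after"
rm -f "$demo_before" "$demo_after"
```

The counters are global for the host, so take the two snapshots tightly around a single wget with no other IPsec traffic running. A delta of zero across all inbound counters means the xfrm layer delivered the decrypted packets and the drop is elsewhere (netfilter, routing, or the socket); a growing inbound counter names the stage that discarded them, which is what a Wireshark capture alone cannot tell you.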