Hi
I do have a policy. I have been logging it all since the beginning, and nothing has been caught in it.
The route 95 is the route back out to the net again where the packet came from.
2.2.2.1 is the SSG Untrust (ethernet0/0) gateway.
I have added the config lines of the VIP config and the policy for the VIP.
set interface ethernet0/0 vip interface-ip 20409 "OpenVPN" 10.238.135.227 manual
set policy id 71 from "Untrust" to "DMZ" "Any" "VIP(ethernet0/0)" "UDP_20409" permit log
set policy id 71
exit