Thanks for the reply.
I finally got it running; it happened to be an error in the masq file: I masqued to ipsec0 instead of eth0. Tom has done a great job documenting Shorewall; now either I am not attentive enough to translate all this into a sensible configuration, and thus stumble on all those gotchas, or it really is still somewhat complex.
My setup is probably not what you would call standard, but with wireless being more and more frequent, configurations like mine may pop up from time to time, so it might be interesting for others to have an example. I might try to document this.
Erich
At 20:11 16.02.2003 -0600, you wrote:
On Sunday 16 February 2003 04:47 pm, Erich Titl wrote:

OK, ipsec0 is listening on eth1 (valleygate), correct? After ipsec0 receives and un-encrypts the packets, the true IP information is also unwrapped and interpreted as the actual 192.168.20.0 address that the packet was sent from. If this did not hold true, your "mountaingate" LAN client could never receive a response from the "valleygate" subnet. I imagine that treating the "mountaingate" subnet as a local network on "valleygate" via ipsec0 in Shorewall will likely solve your problem. This would also allow the "wireless" link to remain encrypted.
THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
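As an added illustration, not taken from the thread or from Shorewall's own documentation, here are Shorewall 1.x configuration fragments for the two points above: the masq entry that caused the problem beside the corrected one, and the interfaces/hosts entries that make the "mountaingate" subnet a local network on "valleygate" through ipsec0. The /24 mask, the `vpn` zone name and the column layout of the 2003-era files are assumptions; the file paths and zone names should be checked against the installed version. The reason the first entry breaks the tunnel is that NAT on ipsec0 rewrites the LAN source address to the gateway's own address before the packet reaches the IPsec policy, so the remote end never sees 192.168.20.0 traffic.

```text
# /etc/shorewall/masq -- WRONG: NAT applied on the tunnel interface.
# Packets from the LAN leave ipsec0 with the gateway's address as source,
# so they no longer match the subnet-to-subnet IPsec policy.
# INTERFACE    SUBNET             ADDRESS
ipsec0         192.168.20.0/24

# /etc/shorewall/masq -- CORRECTED: NAT only on the Internet-facing
# interface (eth0 here, as in the message above); tunnel traffic keeps
# its real 192.168.20.0/24 source address.
# INTERFACE    SUBNET             ADDRESS
eth0           192.168.20.0/24

# /etc/shorewall/interfaces on valleygate -- keep the existing eth0/eth1
# lines; add ipsec0 with no zone ("-") so its zone is set in hosts.
# ZONE   INTERFACE   BROADCAST   OPTIONS
-        ipsec0      -

# /etc/shorewall/hosts on valleygate -- the remote LAN arriving through
# the tunnel is treated as part of the local zone, so existing loc
# policies and rules apply to it unchanged.
# ZONE   HOST(S)                     OPTIONS
loc      ipsec0:192.168.20.0/24

# Alternative (assumed zone name): give the tunnelled network its own
# zone so it can get a tighter policy than the directly attached LAN.
# /etc/shorewall/zones
# ZONE   DISPLAY   COMMENTS
vpn      VPN       Remote LAN via IPsec
# /etc/shorewall/hosts
# ZONE   HOST(S)                     OPTIONS
vpn      ipsec0:192.168.20.0/24
# /etc/shorewall/policy -- explicit, logged default for the new zone
# SOURCE   DEST   POLICY   LOG LEVEL
vpn        loc    DROP     info
loc        vpn    ACCEPT
```

Only traffic that already decrypted through ipsec0 can carry a 192.168.20.0/24 source on that interface, which is what makes the hosts entry safe to trust; a matching entry on eth1 would not be.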