Hi,

Thank you for your great explanations of IPSEC and IPNAT concepts. That helped me a lot to understand. But now, I think I am doing something wrong in my implementation. Maybe I am not using those services correctly:

  LAN1 +=+ FW1 +=+ ----- INTERNET ----- +=+ FW2 +=+ LAN2

  LAN1 = 10.1.0.0/16 (NAT 10.1.0.0/16 to external IP/32)
  LAN2 = 10.2.0.0/16 (NAT 10.2.0.0/16 to external IP/32)

The IPSEC tunnel is created and is working. On the FW console, I can ping the internal interface's IP on the other LAN on both sides.

FROM LAN1: if I ping 10.2.1.1, the FW1 does NAT to my internal (source) IP. I can't get into the SA. NAT seems to happen before the FW's routing.

But, if I ping a host in the firewall's DMZ (on the LAN1 side), see:

  My PC   : 10.1.2.1/24
  My DEST : 10.1.100.2/30
  My route (for the DMZ) : -net 10.1.100.0 netmask 255.255.255.0 gw 10.1.1.1 (FW's internal IP)

It works. The routing happens before the NAT (?).

Again with IPSEC:

  My PC   : 10.1.2.1/24
  My DEST : 10.2.1.1/24
  My route (for the VPN) : -net 10.2.0.0 netmask 255.255.0.0 gw 10.1.1.1 (FW's internal IP)

It doesn't work. NAT happens before routing, so I get an ICMP dest unreach from the router. The kernel doesn't route into the SA.

Am I doing something wrong? The only routes I have for the VPN are "ipsecadm flow" routes. I can connect fine from firewall to firewall, I get encrypted, but from LAN to LAN I get a problem, a NAT problem I think.

Thank you.

---
Jean-Francois Grenier
Comact Optimisation
[EMAIL PROTECTED]

[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
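A small model of the ordering the post describes on FW1 (NAT applied before the IPsec flow lookup), added here as an illustration and not part of the original message or of any firewall's code. The external IP is a placeholder since the post does not give it, and the nat_exclude parameter is an assumed way of exempting tunnel-bound traffic from NAT, not a setting taken from the post.

```python
"""Model of NAT-before-IPsec-flow processing on FW1 (constructed example)."""
from ipaddress import ip_address, ip_network

# Placeholder for FW1's external address (TEST-NET-2); the post does not give it.
EXTERNAL_IP = ip_address("198.51.100.1")

# NAT rule from the post: 10.1.0.0/16 -> external IP/32.
NAT_SOURCE = ip_network("10.1.0.0/16")

# IPsec flow ("ipsecadm flow") on FW1: LAN1 <-> LAN2.
FLOW_SRC = ip_network("10.1.0.0/16")
FLOW_DST = ip_network("10.2.0.0/16")


def apply_nat(src, dst, nat_exclude=()):
    """Rewrite the source to EXTERNAL_IP when the NAT rule matches, unless
    the destination is in an excluded (tunnel) network. nat_exclude is an
    assumed illustration of exempting VPN-bound traffic from NAT."""
    if src in NAT_SOURCE and not any(dst in net for net in nat_exclude):
        return EXTERNAL_IP
    return src


def matches_flow(src, dst):
    """Does the (possibly rewritten) packet fit the IPsec flow selectors?"""
    return src in FLOW_SRC and dst in FLOW_DST


def forward(src, dst, nat_exclude=(), local=False):
    """Process one packet in the order the post observes: NAT first, then the
    IPsec flow lookup. local=True models traffic generated on the firewall
    itself, which the post shows is not NATed and does reach the SA.
    Returns "ipsec", "routed_unencrypted" (NATed, missed the flow) or "plain".
    """
    src, dst = ip_address(src), ip_address(dst)
    new_src = src if local else apply_nat(src, dst, nat_exclude)
    if matches_flow(new_src, dst):
        return "ipsec"  # selectors match: packet enters the SA
    # A private destination leaves in cleartext via the default route, which
    # is where the ICMP destination unreachable in the post comes from.
    return "routed_unencrypted" if new_src != src else "plain"
```

The LAN1 host's packet is rewritten to the external IP before the flow lookup, so it never matches the 10.1.0.0/16 source selector; the same packet sent from the firewall itself, or with the tunnel network exempted from NAT, does.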
