Hi Charles,
        Thanks, leftfirewall=yes lets me ping a machine on the other subnet
now.  I think I added a few too many extra ipchains rules, but now that
it is working I can back off on them.
        - Jon

Charles Steinkuehler wrote:
> 
> > > Look at your local routing setup (ip route or netstat -nr).  Make sure
> > > there is a route directing packets destined for the far end of the VPN
> > > to the ipsec device.
> >
> > Ok, so what you are saying is that on the ipsec router, I should
> > associate the external private subnet with device ipsec0, ie
> >
> > route add -net 172.168.44.0 netmask 255.255.0.0 dev ipsec0
> >
> > That is, don't forward the external private subnet to the external IP or
> > the external device, but ipsec0.
> > I think from this I also need to turn on bidirectional IP forwarding
> > (ipchains) between masq'ed subnets.  I had turned this on before, but I
> > don't think the previous "route add" statement is set.  Doing this from
> > 30 miles away makes it a bit harder.
> 
> You *DO* have to add firewall rules to allow the packets to be forwarded,
> and the IPSec traffic to get in/out of the box.  You should *NOT* have to
> directly play with any routing...the FreeS/WAN scripts should set all the
> routing up when the connections get built.
> 
> NOTE:  If you have [left|right]firewall=yes, you shouldn't have to worry
> about the firewall rules either...
> 
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
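The two pieces of Charles's advice (firewall rules for the IPsec traffic and for forwarding between the subnets, and a routing table that sends the far subnet to ipsec0), as an added example that is not code from this thread nor FreeS/WAN's own _updown script. It prints the ipchains rules instead of running them, so it can be reviewed off the router, and checks constructed `netstat -nr` output for the ipsec0 route. Subnets, interface names, the peer address and the sample routing table are all hypothetical; the one point to keep is that the forward rules are inserted ahead of any catch-all MASQ rule so tunnel traffic is accepted, not masqueraded.

```shell
#!/bin/sh
# Added example for the advice in the thread; not code from the original
# messages or from FreeS/WAN's own _updown script.  All addresses, interface
# names and the sample routing table below are constructed (hypothetical).

# ipsec_fw_rules LOCAL_NET REMOTE_NET EXT_IF PEER_IP
# Print (rather than run) the ipchains rules a FreeS/WAN gateway needs:
# IKE and ESP between the two gateways on the external interface, and
# plain forwarding of the two private subnets through the tunnel.
# Review the output, then pipe it to sh on the router.
ipsec_fw_rules() {
    local_net=$1 remote_net=$2 ext_if=$3 peer=$4

    # IKE: UDP 500 both ways, only to/from the peer gateway
    echo "ipchains -A input  -i $ext_if -p udp -s $peer 500 -d 0/0 500 -j ACCEPT"
    echo "ipchains -A output -i $ext_if -p udp -s 0/0 500 -d $peer 500 -j ACCEPT"
    # ESP: IP protocol 50, again only to/from the peer
    echo "ipchains -A input  -i $ext_if -p 50 -s $peer -j ACCEPT"
    echo "ipchains -A output -i $ext_if -p 50 -d $peer -j ACCEPT"

    # Forwarding between the subnets.  Insert (-I) at the head of the chain
    # so these match before any catch-all "-j MASQ" rule: tunnel traffic must
    # be accepted as-is, not masqueraded to the external address.
    echo "ipchains -I forward -s $local_net -d $remote_net -j ACCEPT"
    echo "ipchains -I forward -s $remote_net -d $local_net -j ACCEPT"
}

# check_vpn_route ROUTE_TABLE REMOTE_NET
# ROUTE_TABLE is the text of `netstat -nr`.  Succeeds only if REMOTE_NET is
# the destination of a route whose interface is ipsec0, which is what the
# FreeS/WAN scripts should have installed when the connection came up.
check_vpn_route() {
    printf '%s\n' "$1" |
        awk -v net="$2" '$1 == net && $NF == "ipsec0" { found = 1 }
                         END { exit !found }'
}

# Constructed sample output of `netstat -nr` on a gateway with the tunnel up
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.44.0     192.0.2.1       255.255.255.0   UG        0 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0'

# Demo: our side is 192.168.1.0/24, the far side 172.16.44.0/24,
# external interface eth0, peer gateway 203.0.113.5 (all hypothetical)
ipsec_fw_rules 192.168.1.0/24 172.16.44.0/24 eth0 203.0.113.5
if check_vpn_route "$SAMPLE_ROUTES" 172.16.44.0; then
    echo "ok: 172.16.44.0 is routed via ipsec0"
else
    echo "missing: no route for 172.16.44.0 via ipsec0; check ipsec auto --status" >&2
fi
```

Run it on the router with the real values and compare the printed rules against `ipchains -L -n`; if the far subnet is missing from `netstat -nr` after the connection is up, the problem is in the FreeS/WAN connection, not in something to patch with `route add` by hand.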

_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user