Hi Charles,

Thanks, leftfirewall=yes lets me ping a machine on the other subnet now. I think I added a few too many extra ipchains rules, but now that it is working I can back off on them.

- Jon
Charles Steinkuehler wrote:
> > > Look at your local routing setup (ip route or netstat -nr). Make sure there
> > > is a route directing packets destined for the far end of the VPN to the
> > > ipsec device.
> >
> > Ok, so what you are saying is that on the ipsec router, I should
> > associate the external private subnet with device ipsec0, ie
> >
> > route add -net 172.168.44.0 netmask 255.255.0.0 dev ipsec0
> >
> > That is, don't forward the external private subnet to the external IP or
> > the external device, but ipsec0.
> > I think from this I also need to turn on bidirectional IP forwarding
> > (ipchains) between masq'ed subnets. I had turned this on before, but I
> > don't think the previous "route add" statement is set. Doing this from
> > 30 miles away makes it a bit harder.
>
> You *DO* have to add firewall rules to allow the packets to be forwarded,
> and the IPSec traffic to get in/out of the box. You should *NOT* have to
> directly play with any routing...the FreeS/WAN scripts should set all the
> routing up when the connections get built.
>
> NOTE: If you have [left|right]firewall=yes, you shouldn't have to worry
> about the firewall rules either...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
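The check Charles describes (look at `ip route` or `netstat -nr` and confirm the far end of the VPN is routed to the ipsec device, which the FreeS/WAN scripts should have arranged) can be scripted so it can be run from 30 miles away and read at a glance. The script below is an added example, not code from the thread or from FreeS/WAN/LEAF; the two routing-table samples are constructed, and the far subnet 172.168.44.0/255.255.255.0, the 203.0.113.x external addresses and the interface names are assumptions chosen for the demonstration (the thread's own `route add` line uses a 255.255.0.0 mask).

```shell
#!/bin/sh
# Added example (not from the thread): report which interface carries the route
# to the far end of a FreeS/WAN tunnel. Reads the output of either `ip route`
# or `netstat -nr` on stdin and says whether the far subnet goes via ipsec0.

# Constructed sample `ip route` output from a gateway whose tunnel is up:
# FreeS/WAN has added the far subnet via ipsec0.
SAMPLE_IP_ROUTE='default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.10
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1
172.168.44.0/24 dev ipsec0  scope link'

# Constructed sample `netstat -nr` output for the same gateway, but with the
# far subnet wrongly sent out of the plain external interface (the situation
# the thread warns against).
SAMPLE_NETSTAT='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.168.44.0    203.0.113.1     255.255.255.0   UG        0 0          0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth0'

# route_dev NETWORK NETMASK : print the interface that routes NETWORK/NETMASK.
# Accepts `ip route` lines (CIDR destination followed by "dev X") as well as
# `netstat -nr` rows (destination, gateway, genmask, ..., iface in the last
# column). Prints nothing when there is no exact route for that network.
route_dev() {
    awk -v net="$1" -v mask="$2" '
    # Turn a dotted netmask into a prefix length so netstat-style arguments
    # can be matched against CIDR destinations from `ip route`.
    function prefix_len(m,    o, n, i, v, p) {
        n = split(m, o, "."); p = 0
        for (i = 1; i <= n; i++) { v = o[i] + 0; while (v > 0) { p += v % 2; v = int(v / 2) } }
        return p
    }
    BEGIN { cidr = net "/" prefix_len(mask) }
    # `ip route` format: the device follows the "dev" keyword.
    $1 == cidr { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }
    # `netstat -nr` format: destination and genmask columns, iface last.
    $1 == net && $3 == mask { print $NF; exit }
    '
}

# check_vpn_route NETWORK NETMASK DEVICE : exit 0 if the far subnet is routed
# via DEVICE, 1 if it is routed via some other interface (packets would leave
# in the clear instead of entering the tunnel), 2 if there is no route at all.
check_vpn_route() {
    dev=$(route_dev "$1" "$2")
    if [ -z "$dev" ]; then
        echo "no route for $1/$2: is the FreeS/WAN connection actually up?"
        return 2
    fi
    if [ "$dev" != "$3" ]; then
        echo "$1/$2 is routed via $dev, expected $3"
        return 1
    fi
    echo "ok: $1/$2 via $dev"
    return 0
}

# Stand-alone demonstration on the constructed samples. On a real gateway run
#   ip route | check_vpn_route 172.168.44.0 255.255.255.0 ipsec0
# (or pipe `netstat -nr` instead).
printf '%s\n' "$SAMPLE_IP_ROUTE" | check_vpn_route 172.168.44.0 255.255.255.0 ipsec0 || :
printf '%s\n' "$SAMPLE_NETSTAT"  | check_vpn_route 172.168.44.0 255.255.255.0 ipsec0 || :
```

The exit codes are deliberately distinct: "no route" means the connection never came up (or FreeS/WAN's scripts did not run), while "routed via eth0" means the tunnel may be up but the kernel is bypassing it, which a plain ping failure would not distinguish.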