Hi Charles,
Thanks, leftfirewall=yes lets me ping a machine on the other subnet
now. I think I added a few too many extra ipchains rules, but now that
it is working I can back off on them.
- Jon
Charles Steinkuehler wrote:
>
> > > Look at your local routing setup (ip route or netstat -nr). Make sure there
> > > is a route directing packets destined for the far end of the VPN to the
> > > ipsec device.
> >
> > Ok, so what you are saying is that on the ipsec router, I should
> > associate the external private subnet with device ipsec0, ie
> >
> > route add -net 172.168.44.0 netmask 255.255.0.0 dev ipsec0
> >
> > That is, don't forward the external private subnet to the external IP or
> > the external device, but ipsec0.
> > I think from this I also need to turn on bidirectional IP forwarding
> > (ipchains) between masq'ed subnets. I had turned this on before, but I
> > don't think the previous "route add" statement is set. Doing this from
> > 30 miles away makes it a bit harder.
>
> You *DO* have to add firewall rules to allow the packets to be forwarded,
> and the IPSec traffic to get in/out of the box. You should *NOT* have to
> directly play with any routing...the FreeS/WAN scripts should set all the
> routing up when the connections get built.
>
> NOTE: If you have [left|right]firewall=yes, you shouldn't have to worry
> about the firewall rules either...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
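As an added example (not from this thread, and not FreeS/WAN's own _updown script): the ipchains rules a FreeS/WAN gateway needs when [left|right]firewall=yes is not used, namely IKE (UDP 500) and ESP/AH (protocols 50/51) in and out on the external interface, plus unmasqueraded forwarding between the two private subnets via ipsec0; and the route check Charles suggests, run against a saved netstat -nr table. The interface names, subnets, peer address and the sample routing table are assumptions for illustration. By default the script only prints the ipchains commands (IPCHAINS is set to "echo ipchains"); set IPCHAINS=ipchains on the gateway to apply them.

```shell
#!/bin/sh
# Added example for a FreeS/WAN gateway running ipchains. Not the project's
# own scripts. Interfaces, subnets and the peer address below are assumed.
# Dry run by default: set IPCHAINS=ipchains to really apply the rules.
IPCHAINS="${IPCHAINS:-echo ipchains}"

EXT_IF=eth0                 # assumed external interface
LOCAL_NET=192.168.1.0/24    # assumed local private subnet
REMOTE_NET=192.168.2.0/24   # assumed private subnet at the far end
PEER_IP=203.0.113.5         # assumed peer gateway (TEST-NET-3 address)

vpn_rules() {
    # IKE negotiation: UDP port 500 with the peer, both directions.
    $IPCHAINS -A input  -i "$EXT_IF" -p udp -s "$PEER_IP" 500 -d 0/0 500 -j ACCEPT
    $IPCHAINS -A output -i "$EXT_IF" -p udp -s 0/0 500 -d "$PEER_IP" 500 -j ACCEPT
    # The tunnel itself: ESP (50) and AH (51) to and from the peer.
    for proto in 50 51; do
        $IPCHAINS -A input  -i "$EXT_IF" -p $proto -s "$PEER_IP" -j ACCEPT
        $IPCHAINS -A output -i "$EXT_IF" -p $proto -d "$PEER_IP" -j ACCEPT
    done
    # Decrypted packets appear on ipsec0; allow them in and out there.
    $IPCHAINS -A input   -i ipsec0 -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    $IPCHAINS -A output  -i ipsec0 -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    # Forward between the subnets. Inserted at the head of the chain so they
    # match before any "-j MASQ" rule would masquerade tunnel traffic.
    $IPCHAINS -I forward 1 -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    $IPCHAINS -I forward 1 -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
}

# Route check: reads a "netstat -nr" table on stdin and succeeds only if the
# given network (CIDR or dotted) is routed out of ipsec0.
# On the gateway: netstat -nr | route_via_ipsec0 192.168.2.0/24
route_via_ipsec0() {
    net="${1%/*}"
    awk -v net="$net" '$1 == net && $NF == "ipsec0" { found = 1 }
                       END { exit found ? 0 : 1 }'
}

# Constructed sample routing table, the shape FreeS/WAN leaves behind once
# the connection is up (the far subnet goes to ipsec0, not to eth0).
SAMPLE_TABLE='Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.2.0     203.0.113.5     255.255.255.0   UG        0 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
203.0.113.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth0'

vpn_rules
if printf '%s\n' "$SAMPLE_TABLE" | route_via_ipsec0 "$REMOTE_NET"; then
    echo "route to $REMOTE_NET via ipsec0: present"
else
    echo "route to $REMOTE_NET via ipsec0: MISSING (is the conn up?)"
fi
```

The forward rules are inserted with -I rather than appended because ipchains evaluates the chain in order: an existing "-j MASQ" rule for the local subnet would otherwise rewrite the source of packets headed into the tunnel, which is the symptom of a masqueraded box that can reach the Internet but not the far subnet.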