-----BEGIN PGP SIGNED MESSAGE-----

(Please don't post HTML messages to the lists; it makes them harder to read and reply to.)

Your db_to_fw tunnel, as listed, won't allow responses from the rest of the 'net to reach your database server. It's definitely wrong, and will not allow you to pass traffic unless you've altered 1.99's packetdefault option, which isn't visible in your configs.

    conn fw_to_db
        left=192.168.0.1
        leftsubnet=0.0.0.0/0
        leftrsasigkey=<snip>
        right=192.168.0.110
        rightrsasigkey=<snip>
        auto=add
        authby=rsasig

Copy that config to both machines, and that aspect of your problem should be solved; replies won't get dropped. You could still have iptables problems on top of what you've posted, of course.

To help debug your ruleset, use "iptables -L -n -v" twice while your db server attempts to access an external service down the (newly modified) tunnel. Diff the output, and you'll flag the rules processing those outbound packets. Perhaps there's an unanticipated DROP, or your ACCEPT rules don't take this specific case into account?

- --
Sam Sgro
[EMAIL PROTECTED]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.

iQCVAwUBP0LG40OSC4btEQUtAQGVnQP8CzqwSSzfRkYSFldqs2Rtv80ucIEmXs9G
X1Fn9Po0eZC+APY8or+GuI/aJLNCBkHJjdcJddJL5m45/+MvNTzbMDyY3XHB2K+t
QOgChlcBwyz7DCApCGK5c2uM8w1c+tMElY3i+GCav86JFN/97/FjGTdMe9LBCIn5
6MX/Q6hDgD4=
=tjlo
-----END PGP SIGNATURE-----

_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
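The "run iptables -L -n -v twice and diff the output" step from the message above, as an added example that is not part of the original post or of FreeS/WAN: a plain `diff` of two listings is noisy, so this script parses both snapshots and reports only the rules and built-in chain policies whose packet counter moved while the test traffic was sent. The two snapshots are constructed sample listings (the ipsec0/eth0 interfaces, the 192.168.1.0/24 LAN rule and the LOG rule are assumptions for illustration); the `-x` flag is suggested only because it prints exact counters instead of K/M/G-suffixed ones, which the parser also tolerates.

```shell
#!/bin/sh
# Added example, not from the original post: compare two "iptables -L -n -v -x"
# snapshots and print only the rules (and chain policies) whose packet counter
# increased in between.  On the real firewall you would run:
#   iptables -L -n -v -x > /tmp/before
#   ...have the db server try the external service down the tunnel...
#   iptables -L -n -v -x > /tmp/after
#   iptables_counter_diff /tmp/before /tmp/after
# The snapshots below are constructed sample output so the script runs offline.

iptables_counter_diff() {
    # $1: snapshot taken before the test traffic, $2: snapshot taken after.
    # Rules are matched by chain and position, so the ruleset must not change
    # between the two snapshots; a rule whose text differs is skipped.
    awk '
    # counters carry K/M/G suffixes (1000-based) when -x is omitted
    function num(s,  m) {
        m = 1
        if (s ~ /K$/) m = 1000
        else if (s ~ /M$/) m = 1000000
        else if (s ~ /G$/) m = 1000000000
        if (m > 1) s = substr(s, 1, length(s) - 1)
        return s * m
    }
    /^Chain / {
        chain = $2
        idx = 0
        # built-in chains show "(policy DROP 3 packets, 180 bytes)";
        # a DROP policy counting up is the classic unanticipated DROP
        if (match($0, /policy [A-Z]+ [0-9]+[KMG]? packets/)) {
            split(substr($0, RSTART, RLENGTH), p, " ")
            key = chain ":policy"
            if (NR == FNR) { before[key] = p[3]; desc[key]  = chain " policy " p[2] }
            else           { after[key]  = p[3]; adesc[key] = chain " policy " p[2] }
        }
        next
    }
    # rule lines start with the pkts and bytes counters
    $1 ~ /^[0-9]+[KMG]?$/ && $2 ~ /^[0-9]+[KMG]?$/ {
        idx++
        key = chain ":" idx
        rule = ""
        for (i = 3; i <= NF; i++) rule = rule (i > 3 ? " " : "") $i
        if (NR == FNR) { before[key] = $1; desc[key]  = chain " rule " idx ": " rule }
        else           { after[key]  = $1; adesc[key] = chain " rule " idx ": " rule }
        next
    }
    END {
        for (key in after) {
            if (!(key in before) || desc[key] != adesc[key]) continue
            delta = num(after[key]) - num(before[key])
            if (delta > 0) printf "+%d  %s\n", delta, desc[key]
        }
    }' "$1" "$2" | sort
}

BEFORE_FILE=$(mktemp)
AFTER_FILE=$(mktemp)
trap 'rm -f "$BEFORE_FILE" "$AFTER_FILE"' EXIT

# Constructed snapshot 1: before the db server (192.168.0.110) sends anything.
# The FORWARD ACCEPT rules only cover an assumed 192.168.1.0/24 LAN.
cat > "$BEFORE_FILE" <<'EOF'
Chain INPUT (policy ACCEPT 120 packets, 9000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40       3200 ACCEPT     all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 3 packets, 180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     200      16000 ACCEPT     all  --  ipsec0 eth0    192.168.1.0/24       0.0.0.0/0
     180      14400 ACCEPT     all  --  eth0   ipsec0  0.0.0.0/0            192.168.1.0/24
      12        720 LOG        all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 500 packets, 40000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF

# Constructed snapshot 2: five packets from the db server arrived on ipsec0,
# missed both ACCEPT rules, were logged and fell through to the DROP policy;
# two unrelated packets were accepted by the INPUT policy.
cat > "$AFTER_FILE" <<'EOF'
Chain INPUT (policy ACCEPT 122 packets, 9120 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40       3200 ACCEPT     all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 8 packets, 480 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     200      16000 ACCEPT     all  --  ipsec0 eth0    192.168.1.0/24       0.0.0.0/0
     180      14400 ACCEPT     all  --  eth0   ipsec0  0.0.0.0/0            192.168.1.0/24
      17       1020 LOG        all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 500 packets, 40000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF

iptables_counter_diff "$BEFORE_FILE" "$AFTER_FILE"
```

With the constructed snapshots the report shows the FORWARD LOG rule and the FORWARD DROP policy each gaining five packets, which is exactly the "ACCEPT rules don't take this case into account" situation the message describes; take the before snapshot as late as possible and the after snapshot as soon as the test connection fails, so unrelated traffic contributes as little as possible to the deltas.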