> I did find a way to test it and the reverse masquerading WORKED!
> ( which I think is cute as hell and solves a major problem of multiple
> routes to the internet. )
>
> With one problem.
>
> When the ipsec connection is made, ipsec INSERTS rules into the
> forward chain. They appear BEFORE the MASQ rules. These rules
> put in ACCEPTs for destinations to the vpn clients.
>
> Clever fellows, made sure any reverse traffic would be accepted.
> Problem is they superseded my MASQ rules. No NAT, the packet can't
> get back into ipsec.
>
> If I rerun my firewall script after the connection is established,
> destroying their rules, MASQ happens again and I can communicate fine.
>
> If they had ADDED those rules rather than INSERTING them, I believe all
> would be well.
> You don't happen to know of an option which overrides this behaviour?
>
> I can't think of a clever way to watch for this situation and override it
> that would be timely without being burdensome.
This is done by the _updown script. You can either customize the _updown
script, or use [left|right]firewall=no in your ipsec.conf file, which will
also prevent holes from being automatically created for the protocol 50
traffic, so you'll have to explicitly allow that as well.

IPSec scripts are in /usr/local/lib/ipsec IIRC...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
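As an added illustration (not FreeS/WAN, LEAF or the _updown script's own code), the following Python models the forward chain as a first-match rule list and shows why a hole inserted ahead of the MASQ rule forwards VPN-bound packets without NAT, while appending it, or re-running the firewall script, restores masquerading. The addresses, the VPN client prefix and the masquerade-everything rule are constructed assumptions.

```python
# Added illustration of first-match chain ordering; not FreeS/WAN or LEAF code.
# Addresses and the admin's "MASQ everything" rule are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

VPN_CLIENT_PREFIX = "10.8.0."   # constructed: subnet handed to the VPN clients
VPN_CLIENT = "10.8.0.5"         # constructed: one VPN client
INTERNET_HOST = "203.0.113.9"   # constructed: a plain internet destination


@dataclass
class Rule:
    target: str                         # "ACCEPT" (forward as-is) or "MASQ" (forward + NAT)
    dst_prefix: Optional[str] = None    # None matches every destination
    comment: str = ""

    def matches(self, dst: str) -> bool:
        return self.dst_prefix is None or dst.startswith(self.dst_prefix)


class ForwardChain:
    """First-match chain: the first matching rule decides, later rules never run."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:   # like "-A": goes to the end of the chain
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # like "-I": goes to the front of the chain
        self.rules.insert(0, rule)

    def verdict(self, dst: str) -> str:
        for rule in self.rules:
            if rule.matches(dst):
                return rule.target
        return "DROP"                       # constructed default policy


def load_firewall_script(chain: ForwardChain) -> None:
    """The admin's script: wipe the chain and masquerade all forwarded traffic."""
    chain.rules.clear()
    chain.append(Rule("MASQ", None, "masquerade everything leaving the gateway"))


def bring_up_ipsec(chain: ForwardChain, insert: bool) -> None:
    """The _updown-style hole for the VPN clients, inserted or appended."""
    hole = Rule("ACCEPT", VPN_CLIENT_PREFIX, "accept traffic to VPN clients")
    (chain.insert if insert else chain.append)(hole)


def verdicts(insert: bool, rerun_script: bool = False) -> Dict[str, str]:
    """Verdicts for a VPN-bound and an internet-bound packet under a given rule order."""
    chain = ForwardChain()
    load_firewall_script(chain)
    bring_up_ipsec(chain, insert)
    if rerun_script:                        # the workaround from the post: ipsec's rules are destroyed
        load_firewall_script(chain)
    return {"vpn_client": chain.verdict(VPN_CLIENT), "internet": chain.verdict(INTERNET_HOST)}
```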