> Below are my routes on both left and right sides. Charles, if you can
> confirm them correct, I think there must be some rule on my left side
> denying packets destined for 192.168.1 from even reaching left-side eth0.
>
> I accidentally found this in one old log:
>
> Apr 23 19:14:06 router kernel: Packet log: input DENY eth0 PROTO=1
> 192.168.1.2:3 24.83.28.213:3 L=56 S=0x00 I=36609 F=0x0000 T=109 (#10)
>
> But I must say that I do not know if ipsec was running at that time.
> And rule 10 in the input chain is:
>
> 10       0     0 DENY       all  ----l- 0xFF 0x00  eth0
> 192.168.0.0/16       0.0.0.0/0             n/

The error is probably due to trying to ping without IPSec running, but with
some ipchains rules left over (like the forward rule that allows traffic
between your two private networks) preventing your private source IP from
being masqueraded on the way out.

> On left side (internal 192.168.9, wants to talk to 192.168.1 via ipsec)
>
> # ip route
> 192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.254
> 192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.254
> 192.168.1.0/24 via 24.83.28.1 dev ipsec0
> 192.168.9.0/24 dev eth1  proto kernel  scope link  src 192.168.9.254
> 24.83.28.0/22 dev eth0  proto kernel  scope link  src 24.83.28.213
> 24.83.28.0/22 dev ipsec0  proto kernel  scope link  src 24.83.28.213
> default via 24.83.28.1 dev eth0
>
>
> and right side (internal 192.168.1, wants to talk to 192.168.9 via
> ipsec):
>
> # ip route
> 192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.254
> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
> 192.168.9.0/24 via 24.76.92.1 dev ipsec0
> 24.76.92.0/22 dev eth0  proto kernel  scope link  src 24.76.93.9
> 24.76.92.0/22 dev ipsec0  proto kernel  scope link  src 24.76.93.9
> default via 24.76.92.1 dev eth0

Well, both of these look OK.  Packets destined for the remote end of the VPN
are being routed to ipsec0, where they should be encrypted and sent along
their merry way.

Did you try inserting the logging rules for protocol 50 ESP traffic?  What
(if any) results did you get?  I suspect something is filtering traffic
between your two firewalls...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
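As an added example, not part of the thread: a small Python parser for the ipchains kernel "Packet log" line quoted above, plus a classifier that separates the two situations discussed here, a private-source packet arriving in the clear on eth0 (tunnel not in use or masquerade missing) versus ESP/AH between the gateways being dropped (what the suggested protocol-50 logging rule would reveal). The ESP log line is constructed; the external interface name and the field layout for non-ICMP protocols are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# ipchains kernel "Packet log" format; for ICMP the ":n" after each address is
# the type/code rather than a port.  This sample is the line quoted in the thread.
SAMPLE_DENY = ("Apr 23 19:14:06 router kernel: Packet log: input DENY eth0 PROTO=1 "
               "192.168.1.2:3 24.83.28.213:3 L=56 S=0x00 I=36609 F=0x0000 T=109 (#10)")
# Constructed sample (not from the thread): an ESP packet between the two
# firewalls being dropped by a hypothetical rule #12.
SAMPLE_ESP = ("Apr 23 19:20:01 router kernel: Packet log: input DENY eth0 PROTO=50 "
              "24.76.93.9:0 24.83.28.213:0 L=120 S=0x00 I=1 F=0x0000 T=50 (#12)")

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):\d+ .*\(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

@dataclass
class PacketLog:
    chain: str
    action: str
    iface: str
    proto: int
    src: str
    dst: str
    rule: int

def parse_line(line: str) -> Optional[PacketLog]:
    """Parse one ipchains packet-log line; None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return PacketLog(m["chain"], m["action"], m["iface"], int(m["proto"]),
                     m["src"], m["dst"], int(m["rule"]))

def diagnose(entry: PacketLog, external_iface: str = "eth0") -> Optional[Tuple[str, str]]:
    """Classify a DENY on the external interface; None if nothing stands out."""
    if entry.action != "DENY" or entry.iface != external_iface:
        return None
    proto = PROTO_NAMES.get(entry.proto, str(entry.proto))
    if entry.proto in (50, 51):
        # The tunnel itself is being filtered: ESP/AH never reaches the peer gateway.
        return ("ipsec-filtered", f"{proto} from {entry.src} denied by rule #{entry.rule}")
    if ipaddress.ip_address(entry.src).is_private:
        # Private source in cleartext on the outside: sent without IPsec and not masqueraded.
        return ("cleartext-private-source",
                f"{proto} from {entry.src} to {entry.dst} in the clear, rule #{entry.rule}")
    return None
```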


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user