Hi Charles & MLu
> Look at your local routing setup (ip route or netstat -nr). Make sure there
> is a route directing packets destined for the far end of the VPN to the
> ipsec device.

Ok, so what you are saying is that on the ipsec router, I should associate the external private subnet with device ipsec0, ie

route add -net 172.168.44.0 netmask 255.255.0.0 dev ipsec0

That is, don't forward the external private subnet to the external IP or the external device, but ipsec0. I think from this I also need to turn on bidirectional IP forwarding (ipchains) between masq'ed subnets. I had turned this on before, but I don't think the previous "route add" statement is set. Doing this from 30 miles away makes it a bit harder.

Thanks for your help,
Jon

> > From: "Jonathan French" <[EMAIL PROTECTED]>
> >
> > I'm having similar problems, and have found this thread helpful. I've
> > been wondering, do we have to declare the routing on the gateways, or
> > shouldn't ipsec handle this?
>
> FreeS/WAN handles setting up routes for the VPN link (ie traffic to the far
> end of the VPN gets routed to ipsec0), but you still have to setup basic
> networking (including routing) on the VPN gateway, as well as duplicate some
> routing information in FreeS/WAN's configuration file (due to limitations
> with the 2.0 series kernel, initial versions of FreeS/WAN were unable to use
> the kernel's routing information, so this had to be duplicated in the
> FreeS/WAN configs...this will be fixed in the next major re-write of KLIPS,
> the kernel IPSec code).
>
> > Also, what if the ipsec router is not the
> > default gateway for a machine that you are trying to ping from
> > elsewhere? Do the pings try to return through the wrong router?
>
> If the VPN gateway is *NOT* the default router for the subnet, EACH AND
> EVERY HOST that wants to talk to the remote end of the VPN needs a static
> route directing those packets to the VPN gateway.
>
> Your life will be *MUCH* easier if the VPN gateway is also the default
> gateway for your subnet. If you are required to use an alternate firewall
> for some reason, you may find a "series" configuration might work better
> than trying to parallel the VPN gateway and your existing firewall, ie:
>
>     internet
>        |
>     firewall
>        |
>    VPN Gateway
>        |
>  internal network
>
> Rather than:
>
>        internet
>           |
>      +----------\
>      |          |
>  firewall   VPN Gateway
>      |          |
>      +----------/
>           |
>    internal network
>
> If your firewall is "fancy" enough, you may also be able to setup something
> like:
>
>     internet
>        |
>     firewall --- VPN Gateway
>        |
>  internal network
>
> Where you add a static route to the firewall (forwarding internal network ->
> VPN traffic to the VPN gateway), and port-forward, NAT, or otherwise route
> inbound IPSec traffic to the VPN gateway box, as well.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
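The check Charles describes (is there a route sending the far end of the VPN to the ipsec device?) can be automated against `ip route` output. This is an added example, not code from the thread or from FreeS/WAN; it assumes the modern `ip route` line format rather than the 2.0-era `route -n` layout, and the gateway and LAN addresses in the sample table are constructed. It does a longest-prefix match, so it also catches a partial route (for example a /25 covering only half the subnet) that lets the rest of the far-end traffic fall through to the default gateway on the external device.

```python
import ipaddress

# Constructed `ip route` output from a VPN gateway; 172.168.44.0/24 is the far-end
# subnet from the thread, the other addresses are made up for the example.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
172.168.44.0/24 dev ipsec0 scope link
"""

# Same table but the ipsec0 route only covers half the far-end subnet.
PARTIAL_ROUTES = SAMPLE_ROUTES.replace("172.168.44.0/24", "172.168.44.0/25")


def parse_routes(text):
    """Turn `ip route` lines into (network, device, gateway) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[0]
        net = (ipaddress.ip_network("0.0.0.0/0") if dest == "default"
               else ipaddress.ip_network(dest, strict=False))
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, dev, via))
    return routes


def route_for(routes, address):
    """Longest-prefix match: the route the kernel would choose for `address`."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def vpn_route_ok(route_text, far_end_subnet, vpn_dev="ipsec0"):
    """True only if the whole far-end subnet leaves via the ipsec device.

    Probing the first and last address of the subnet exposes a route that
    covers only part of it; anything not covered falls to the default route
    and would leave unencrypted on the external interface.
    """
    routes = parse_routes(route_text)
    net = ipaddress.ip_network(far_end_subnet, strict=False)
    for probe in (net[0], net[-1]):
        chosen = route_for(routes, probe)
        if chosen is None or chosen[1] != vpn_dev:
            return False
    return True
```

Running `vpn_route_ok(SAMPLE_ROUTES, "172.168.44.0/24")` on the gateway's real `ip route` output is a quick way to confirm the far-end route before testing the tunnel.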