> > Look at your local routing setup (ip route or netstat -nr). Make sure there
> > is a route directing packets destined for the far end of the VPN to the
> > ipsec device.
>
> Ok, so what you are saying is that on the ipsec router, I should
> associate the external private subnet with device ipsec0, ie
>
> route add -net 172.168.44.0 netmask 255.255.0.0 dev ipsec0
>
> That is, don't forward the external private subnet to the external IP or
> the external device, but ipsec0.
> I think from this I also need to turn on bidirectional IP forwarding
> (ipchains) between masq'ed subnets. I had turned this on before, but I
> don't think the previous "route add" statement is set. Doing this from
> 30 miles away makes it a bit harder.

You *DO* have to add firewall rules to allow the packets to be forwarded,
and the IPSec traffic to get in/out of the box. You should *NOT* have to
directly play with any routing...the FreeS/WAN scripts should set all the
routing up when the connections get built.

NOTE: If you have [left|right]firewall=yes, you shouldn't have to worry
about the firewall rules either...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
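
As an added illustration (not part of the original thread), a FreeS/WAN connection description using the `[left|right]firewall=yes` setting mentioned in the reply. The connection name and every address are constructed placeholders, and authentication settings are left out.

```conf
# /etc/ipsec.conf fragment (FreeS/WAN). Added example; the connection
# name and all addresses below are constructed placeholders.
conn office-to-remote
    # Local gateway: public address, upstream router, and the private
    # subnet it masquerades for.
    left=192.0.2.10
    leftnexthop=192.0.2.1
    leftsubnet=192.168.1.0/24
    # This gateway does forwarding-firewalling (masquerading) for
    # leftsubnet, so the FreeS/WAN scripts handle the firewall rules
    # for tunnel traffic when the connection is built.
    leftfirewall=yes

    # Remote gateway and the private subnet behind it.
    right=198.51.100.20
    rightnexthop=198.51.100.1
    rightsubnet=192.168.44.0/24
    rightfirewall=yes

    # Bring the connection up when ipsec starts. No manual
    # "route add ... dev ipsec0" is configured anywhere.
    auto=start
```

Once the connection is built, `netstat -nr` on the gateway is the place to confirm that a route for the far subnet points at the ipsec device.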