I think you are probably right. I do have forward rules to allow traffic
between my private networks 192.168.9 and 192.168.3. Those rules were
added by myself in /etc/ipfilter.conf (based on what you did for DMZ;
your DMZ is one-way, mine is 2-way). I will try to disable it asap, but
my question is whether I can still have traffic between my private networks
and at the same time ipsec to the remote private network?

Also I think I should use your scripts
/etc/ipchains.input
/etc/ipchains.forward
/etc/ipchains.output

for those rules rather than inventing my own (and messing up things -:(),
but I cannot find them as examples.

Could you help in this regard?

And yes, I tried to log protocol 50 and even 51, but nothing showed in my
log. Again, something is wrong here too.

Thanks.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Thursday, April 25, 2002 8:47 AM
To: MLU
Cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN error, please help

....

The error is probably due to trying to ping without IPSec running, but with
some ipchains rules left over (like the forward rule that allows traffic
between your two private networks) preventing your private source IP from
being masqueraded on the way out.

> On left side (internal 192.168.9, wants to talk to 192.168.1 via ipsec):
>
> # ip route
> 192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.254
> 192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.254
> 192.168.1.0/24 via 24.83.28.1 dev ipsec0
> 192.168.9.0/24 dev eth1  proto kernel  scope link  src 192.168.9.254
> 24.83.28.0/22 dev eth0  proto kernel  scope link  src 24.83.28.213
> 24.83.28.0/22 dev ipsec0  proto kernel  scope link  src 24.83.28.213
> default via 24.83.28.1 dev eth0
>
>
> and right side (internal 192.168.1, wants to talk to 192.168.9 via
> ipsec):
>
> # ip route
> 192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.254
> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
> 192.168.9.0/24 via 24.76.92.1 dev ipsec0
> 24.76.92.0/22 dev eth0  proto kernel  scope link  src 24.76.93.9
> 24.76.92.0/22 dev ipsec0  proto kernel  scope link  src 24.76.93.9
> default via 24.76.92.1 dev eth0

Well, both of these look OK.  Packets destined for the remote end of the VPN
are being routed to ipsec0, where they should be encrypted and sent along
their merry way.

Did you try inserting the logging rules for protocol 50 ESP traffic?  What
(if any) results did you get?  I suspect something is filtering traffic
between your two firewalls...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
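The check Charles asks for, as an added example that is not code from this thread or from LEAF: once logging rules (ipchains ... -l) for protocol 50 and 51 are in place, the kernel writes "Packet log:" lines to syslog, and this script counts the ESP packets seen in each direction between the two firewall addresses from the route tables above. The log lines inside it are constructed samples (the real ones would come from /var/log/messages), and the hint about denied UDP is the script's own heuristic.

```shell
#!/bin/sh
# Added example, not code from the thread or from LEAF: scan an ipchains packet log
# for ESP (protocol 50) and AH (protocol 51) packets between the two VPN gateways.
# Assumption: logging rules were added with "ipchains ... -l", so the kernel logs
# "Packet log:" lines; the lines below are constructed samples, not captured output.

LEFT_GW=24.83.28.213   # left firewall's public address (from the route table)
RIGHT_GW=24.76.93.9    # right firewall's public address (from the route table)

# Constructed sample of what /var/log/messages might hold on the left firewall.
SAMPLE_LOG='Apr 25 08:40:01 fw kernel: Packet log: input ACCEPT eth0 PROTO=50 24.76.93.9:65535 24.83.28.213:65535 L=136 S=0x00 I=3 F=0x0000 T=52 (#1)
Apr 25 08:40:01 fw kernel: Packet log: output ACCEPT eth0 PROTO=50 24.83.28.213:65535 24.76.93.9:65535 L=136 S=0x00 I=4 F=0x0000 T=64 (#1)
Apr 25 08:40:02 fw kernel: Packet log: input DENY eth0 PROTO=17 24.76.93.9:500 24.83.28.213:500 L=104 S=0x00 I=5 F=0x0000 T=52 (#3)
Apr 25 08:40:03 fw kernel: Packet log: forward ACCEPT eth3 PROTO=1 192.168.9.10:8 192.168.3.20:0 L=84 S=0x00 I=6 F=0x0000 T=63 (#2)'

# count_logged CHAIN TARGET PROTO SRC DST -> number of matching "Packet log:" lines
count_logged() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v chain="$1" -v target="$2" -v proto="PROTO=$3" \
                                     -v src="$4" -v dst="$5" '
    /Packet log:/ {
      p = 0
      for (i = 1; i <= NF; i++) if ($i == "log:") { c = $(i+1); t = $(i+2); break }
      if (c != chain || t != target) next
      for (i = 1; i <= NF; i++) if ($i == proto) { p = i; break }
      if (!p) next
      split($(p+1), s, ":"); split($(p+2), d, ":")   # strip the :port suffix
      if (s[1] == src && d[1] == dst) n++
    }
    END { print n + 0 }'
}

# check_tunnel -> 0 if ESP was logged in both directions, 1 otherwise (with a hint)
check_tunnel() {
  esp_in=$(count_logged input ACCEPT 50 "$RIGHT_GW" "$LEFT_GW")
  esp_out=$(count_logged output ACCEPT 50 "$LEFT_GW" "$RIGHT_GW")
  udp_denied=$(count_logged input DENY 17 "$RIGHT_GW" "$LEFT_GW")
  echo "ESP in: $esp_in  ESP out: $esp_out  UDP from peer denied: $udp_denied"
  if [ "$esp_in" -gt 0 ] && [ "$esp_out" -gt 0 ]; then
    echo "ESP flows both ways; look at the forward/masq rules, not the tunnel"
    return 0
  fi
  [ "$udp_denied" -gt 0 ] && echo "hint: inbound UDP from the peer (IKE uses UDP/500) is denied"
  echo "no ESP in both directions; something between the firewalls is filtering it"
  return 1
}

check_tunnel
```

To run it against a real log, replace SAMPLE_LOG with the contents of the syslog file that receives the kernel's packet log lines.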


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
