192.168.9 and .3 are my private, so adding the rule as you suggested is for them only, right?

For accessing 192.168.1 (the remote ipsec private), do I have to do a similar thing, i.e.:

$IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 192.168.1.0/24 -b

Thank you.

---------- Original Message ----------------------------------
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
Date: Fri, 26 Apr 2002 08:48:41 -0500

>> I think you are probably right. I do have forward rules to allow traffic
>> between both my private 192.168.9 and 192.168.3. And those rules are
>> added by myself in /etc/ipfilter.conf (based on what you did for DMZ,
>> your DMZ is one-way, mine is 2-way). I will try to disable it asap, but
>> my question is if I can still have traffic between my private networks
>> and at the same time ipsec to remote private?
>>
>> Also I think I should use your scripts
>> /etc/ipchains.input,
>> /etc/ipchains.forward
>> /etc/ipchains.output
>>
>> for those rules rather than inventing my own (and messing up things -:()
>> but I cannot find them as examples.
>>
>> Could you help in this regard.
>>
>> And yes, I try to log protocol 50 and even 51 but nothing showed in my
>> log. Again something is wrong here too.
>
> It sounds like you probably don't have forwarding rules in place for your
> VPN traffic, so it's being denied before the packets get turned into VPN
> data. Try adding the following to /etc/ipchains.forward:
>
> $IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 192.168.3.0/24 -b
>
> The ipchains.* files are simply sourced by the firewall scripts, so you can
> add or insert ipchains rules as required. You can also use variables and
> procedures from network.conf and ipfilter.conf (which is where $IPCH is
> defined).
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
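To see why a missing forward rule drops VPN traffic before it is ever encapsulated, here is a small offline evaluator for ipchains forward rules in the style used in this thread. It is an added example, not code from the LEAF scripts or from either poster; the rule fragment, the hosts and the DENY chain policy are constructed assumptions, and only the options that appear above (-s, -d, -b, -j) are modelled.

```python
"""Toy evaluator for ipchains 'forward' rules (added example, not LEAF code).
It models only -s/-d CIDR matches, -b (bidirectional), -j target and the
chain's default policy, so a rule set can be checked offline for the
private-to-private and private-to-remote-IPsec paths discussed above."""
import ipaddress
import shlex

# Constructed /etc/ipchains.forward fragment in the thread's style; $IPCH is
# the ipchains binary variable that ipfilter.conf defines.
FORWARD_RULES = """
$IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 192.168.3.0/24 -b
$IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 192.168.1.0/24 -b
"""

def parse_rule(line):
    """Turn one '$IPCH -A forward ...' line into its match criteria."""
    tok = shlex.split(line)
    rule = {"src": None, "dst": None, "bidir": False, "target": None}
    i = 0
    while i < len(tok):
        if tok[i] == "-s":
            rule["src"] = ipaddress.ip_network(tok[i + 1]); i += 2
        elif tok[i] == "-d":
            rule["dst"] = ipaddress.ip_network(tok[i + 1]); i += 2
        elif tok[i] == "-j":
            rule["target"] = tok[i + 1]; i += 2
        elif tok[i] == "-b":
            rule["bidir"] = True; i += 1
        else:
            i += 1  # $IPCH, -A and the chain name are not match criteria
    return rule

def parse_chain(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("$IPCH")]

def _matches(rule, src, dst):
    def ok(net, ip):
        return net is None or ip in net
    return ok(rule["src"], src) and ok(rule["dst"], dst)

def forward_verdict(rules, src, dst, policy="DENY"):
    """First matching rule wins, as in ipchains; -b also tries the reverse direction."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _matches(r, src, dst) or (r["bidir"] and _matches(r, dst, src)):
            return r["target"]
    return policy  # assumed DENY chain policy when nothing matches

if __name__ == "__main__":
    rules = parse_chain(FORWARD_RULES)
    for s, d in [("192.168.3.5", "192.168.9.7"), ("192.168.9.7", "192.168.1.20"),
                 ("192.168.3.5", "192.168.1.20")]:
        print(s, "->", d, forward_verdict(rules, s, d))
```

With only the first rule loaded, a packet from 192.168.9.7 to the remote 192.168.1.0/24 falls through to the DENY policy, which is the symptom described in the quoted reply.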