Charles Steinkuehler wrote:
<snip>
> You should have a host-subnet VPN, linking pinktrout's public IP with
> the 192.168.1.0/24 behind bluetrout. With no advanced routing rules and
> no masquerade rules in place, you will *NOT* be able to communicate
> either between host-host (pinktrout - bluetrout) or subnet-subnet
> (192.168.11.0/24 - 192.168.1.0/24). You will *ONLY* be able to ping
> between host-subnet (pinktrout - 192.168.1.0/24), and systems on the
> 192.168.1.0/24 side must be behind the bluetrout router (ie not
> bluetrout itself).
>
> So...try pinging from pinktrout to machines on the 192.168.1.0/24
> network (and vice-versa), which should work.
>
> Once you can accomplish the above pings, you need to add masquerading
> rules so traffic from the 192.168.11.0/24 network gets masqueraded
> behind pinktrout's public IP, and routed across the VPN...something like:
>
> ipchains -I input -j MASQ -s 192.168.11.0/24 -d 192.168.1.0/24 -i ipsec0

Will this work? man ipchains(8) states, ``MASQ is only legal for the
forward and user defined chains ...''

> At this point, you should be able to ping 192.168.1.0/24 network systems
> from systems on the 192.168.11.0/24 behind pinktrout. You should also
> be able to ping pinktrout's public IP from systems behind bluetrout,
> with all traffic going through the VPN.

What I'm trying to show on <http://www.helices.org/tmP/pinktrout.txt> is
192.168.11.10 pinging 192.168.1.40 -- which does *NOT* work, nor can I
find any dump nor log to illustrate the nature of the failure.

> IMPORTANT: At *NO TIME* will you be able to directly ping (or otherwise
> talk to) any systems behind pinktrout from systems behind bluetrout, due
> to the masquerading rules in place. As far as the systems behind
> bluetrout are concerned, they are communicating with one, and only one,
> IP, which is the public IP of pinktrout. In other words, the systems
> behind pinktrout are hidden from the systems behind bluetrout the same
> way all internal networks are hidden from the internet in general by a
> masquerading firewall.

I am pretty sure that I'm coming to grasp all of the ramifications of this
vpn. My illustrations attempt to maintain a sort of symmetry, pinging from
similar positions on each opposing network, &c.

Is this a forward chain that you had in mind?

$IPCH -I forward -j MASQ -d 192.168.1.0/24 -s 192.168.11.0/24

-- 
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know. The more I know, the more I know I don't know . . .
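The selector logic that the quoted explanation relies on, as an added example that is not part of the original thread: a small Python model of the host-subnet tunnel (pinktrout's public IP <-> 192.168.1.0/24) and of the forward-chain MASQ rule mds asks about. An IPsec tunnel only carries a packet whose source and destination both fall inside the tunnel's selectors, which is why host-host and subnet-subnet traffic is dropped untouched while host-subnet traffic works, and why masquerading 192.168.11.0/24 behind pinktrout's public IP makes the 192.168.11.10 -> 192.168.1.40 ping match. pinktrout's and bluetrout's public addresses are not on the page; 203.0.113.1 and 203.0.113.2 are assumed placeholders from the documentation range. The "not bluetrout itself" caveat is about which interface bluetrout answers from and is not modelled here; the model works on addresses only.

```python
import ipaddress

# Constructed topology. The two public addresses are ASSUMED placeholders
# (documentation range); the two LANs are the ones named in the thread.
PINKTROUT_PUBLIC = "203.0.113.1"   # assumed
BLUETROUT_PUBLIC = "203.0.113.2"   # assumed
PINKTROUT_LAN = ipaddress.ip_network("192.168.11.0/24")
BLUETROUT_LAN = ipaddress.ip_network("192.168.1.0/24")

# Host-subnet tunnel exactly as described: pinktrout's public IP on the left,
# the 192.168.1.0/24 behind bluetrout on the right.
TUNNEL_LEFT = ipaddress.ip_network(PINKTROUT_PUBLIC + "/32")
TUNNEL_RIGHT = BLUETROUT_LAN


def tunnel_carries(src, dst):
    """True if a src->dst packet matches the tunnel selectors in either
    direction. Anything else is not IPsec traffic and is simply routed (and,
    for RFC 1918 addresses, dropped or lost somewhere on the way)."""
    s, d = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    return (s in TUNNEL_LEFT and d in TUNNEL_RIGHT) or \
           (s in TUNNEL_RIGHT and d in TUNNEL_LEFT)


def masq_chain_ok(chain):
    """ipchains(8): MASQ is only legal in the forward and user-defined chains,
    so a -j MASQ rule in the built-in input or output chain is rejected."""
    return chain not in ("input", "output")


def masq_rule(chain="forward"):
    """Render the masquerade rule mds proposes for the given chain."""
    if not masq_chain_ok(chain):
        raise ValueError("-j MASQ is not legal in the %s chain" % chain)
    return "ipchains -I %s -j MASQ -s %s -d %s" % (chain, PINKTROUT_LAN, BLUETROUT_LAN)


def masq_rewrite(src, dst):
    """Model of the forward-chain rule: a packet forwarded from 192.168.11.0/24
    to 192.168.1.0/24 leaves with pinktrout's public IP as its source, so it
    now falls inside the tunnel's left selector. Returns (src, dst) as strings."""
    s, d = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    if s in PINKTROUT_LAN and d in BLUETROUT_LAN:
        return PINKTROUT_PUBLIC, str(d)
    return str(s), str(d)


def reachable(src, dst, masq=False):
    """Can src reach dst over the VPN, with or without the MASQ rule loaded?
    The reply direction is covered because tunnel_carries() is symmetric and
    the masquerade table de-masquerades replies to pinktrout's public IP."""
    s, d = masq_rewrite(src, dst) if masq else (str(src), str(dst))
    return tunnel_carries(s, d)


def summary(masq=False):
    """The four ping cases Charles lists, evaluated with or without the MASQ rule."""
    return {
        "host-host":     reachable(PINKTROUT_PUBLIC, BLUETROUT_PUBLIC, masq),
        "subnet-subnet": reachable("192.168.11.10", "192.168.1.40", masq),
        "host-subnet":   reachable(PINKTROUT_PUBLIC, "192.168.1.40", masq),
        "subnet-host":   reachable("192.168.1.40", PINKTROUT_PUBLIC, masq),
        # Behind bluetrout -> behind pinktrout never works: MASQ hides 192.168.11.0/24.
        "reverse-subnet": reachable("192.168.1.40", "192.168.11.10", masq),
    }


if __name__ == "__main__":
    print("without MASQ:", summary(masq=False))
    print("with MASQ:   ", summary(masq=True))
    print(masq_rule("forward"))
```

Without the rule, only the two host-subnet cases are True; with the forward-chain rule loaded, subnet-subnet becomes True as well, while bluetrout's LAN still cannot initiate anything to 192.168.11.0/24. The `-i ipsec0` qualifier from the quoted input-chain rule has no place in a forward-chain MASQ rule under ipchains, which is why the model renders the rule without it.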