Michael D. Schleif wrote:
> Charles Steinkuehler wrote:
>> ipchains -I input -j MASQ -s 192.168.11.0/24 -d 192.168.1.0/24 -i ipsec0
>
> Will this work? man ipchains(8) states, ``MASQ is only legal for the forward and user defined chains ...''

No...it will fail miserably. That's what I get for answering e-mail early in the AM. You really want:

ipchains -I forward -j MASQ -s 192.168.11.0/24 -d 192.168.1.0/24 \
  -i ipsec0

As you realized...sorry. :<

>> This won't work until the MASQ rules are properly in place. I'd try pinging from 192.168.1.40 to pinktrout, or from pinktrout to 192.168.1.40 to verify the VPN is up & working properly first. THEN you can try adding the MASQ rule and pinging from 192.168.11.10 to 192.168.1.40.
>>
>> At this point, you should be able to ping 192.168.1.0/24 network systems from systems on the 192.168.11.0/24 network behind pinktrout. You should also be able to ping pinktrout's public IP from systems behind bluetrout, with all traffic going through the VPN.
>
> What I'm trying to show on <http://www.helices.org/tmP/pinktrout.txt> is 192.168.11.10 pinging 192.168.1.40 -- which does *NOT* work, nor can I find any dump nor log to illustrate the nature of the failure.

Yes.

>> IMPORTANT: At *NO TIME* will you be able to directly ping (or otherwise talk to) any systems behind pinktrout from systems behind bluetrout, due to the masquerading rules in place. As far as the systems behind bluetrout are concerned, they are communicating with one, and only one, IP, which is the public IP of pinktrout. In other words, the systems behind pinktrout are hidden from the systems behind bluetrout the same way all internal networks are hidden from the internet in general by a masquerading firewall.
>
> I am pretty sure that I'm coming to grasp all of the ramifications of this VPN. My illustrations attempt to maintain a sort of symmetry, pinging from similar positions on each opposing network, &c.
>
> Is this a forward chain that you had in mind?
>
> $IPCH -I forward -j MASQ -d 192.168.1.0/24 -s 192.168.11.0/24
--
Charles Steinkuehler
[EMAIL PROTECTED]
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
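The corrected rule and the check-the-tunnel-first procedure from the thread, written up as a small script. This is an added example, not code from the thread or from the LEAF project. It encodes the ipchains(8) restriction Michael quoted (MASQ is refused for the built-in input and output chains) and the order Charles recommends: confirm the gateway itself can reach a host behind bluetrout before inserting the MASQ rule. The variable names, the DRYRUN switch, the use of ping's -c/-W flags and the duplicate-rule check via `ipchains -L forward -n` are assumptions of this example, not anything the thread states.

```shell
#!/bin/sh
# Added example (not from the thread or the LEAF project).
# Inserts the MASQ rule into the forward chain and verifies the VPN in the
# order recommended in the thread: tunnel endpoint to endpoint first, then
# the masqueraded LAN.  Assumptions not in the thread: the variable names,
# DRYRUN=1 (print commands instead of running them), and ping's -c/-W flags.

LOCAL_LAN=${LOCAL_LAN:-192.168.11.0/24}    # LAN behind pinktrout
REMOTE_LAN=${REMOTE_LAN:-192.168.1.0/24}   # LAN behind bluetrout
VPN_IF=${VPN_IF:-ipsec0}
REMOTE_HOST=${REMOTE_HOST:-192.168.1.40}   # a host behind bluetrout
DRYRUN=${DRYRUN:-0}

# Run a command, or just print it when DRYRUN=1.
run() {
    if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Print the ipchains command for the given chain, or fail if that chain
# cannot hold a MASQ target.  ipchains(8): MASQ is only legal for the
# forward and user-defined chains, so input/output are refused here rather
# than leaving the firewall half-configured after a kernel rejection.
masq_rule() {
    case "$1" in
        input|output)
            echo "masq_rule: MASQ is not legal in the $1 chain" >&2
            return 1 ;;
        "")
            echo "masq_rule: chain name required" >&2
            return 1 ;;
    esac
    echo "ipchains -I $1 -j MASQ -s $LOCAL_LAN -d $REMOTE_LAN -i $VPN_IF"
}

# True if a MASQ rule for LOCAL_LAN is already listed in the chain
# (assumed parsing of "ipchains -L <chain> -n"); avoids stacking duplicates.
masq_rule_present() {
    ipchains -L "$1" -n 2>/dev/null | grep MASQ | grep -q "$LOCAL_LAN"
}

# Step 1: from the pinktrout gateway itself, reach a host behind bluetrout.
# If this fails the tunnel is down and no MASQ rule will help.
vpn_up() {
    ping -c 3 -W 2 "$REMOTE_HOST" >/dev/null 2>&1
}

main() {
    if [ "$DRYRUN" != 1 ] && ! vpn_up; then
        echo "VPN to $REMOTE_HOST is down; fix IPsec before adding MASQ" >&2
        return 1
    fi
    rule=$(masq_rule forward) || return 1
    if [ "$DRYRUN" != 1 ] && masq_rule_present forward; then
        echo "MASQ rule already present in forward chain" >&2
        return 0
    fi
    # Word-splitting $rule back into arguments is intended here.
    run $rule
}

# Step 2 is done from a LAN host, not here: once main succeeds, ping
# REMOTE_HOST from a host on LOCAL_LAN; on the bluetrout side the packets
# carry pinktrout's public IP as source, which is why hosts behind bluetrout
# can never initiate traffic to hosts behind pinktrout.
if [ "${1:-}" = run ]; then
    main
fi
```

Invoke it as `DRYRUN=1 sh <script> run` to see the exact ipchains command it would issue, and without DRYRUN on the gateway to apply it; the script name is whatever you save it as.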