On Sunday 16 February 2003 04:47 pm, Erich Titl wrote:

> 194.124.158.98 --- eth0
> ------------------
> | bering box |   valleygate ipsec end point and should NAT from ipsec0 and eth1
> ------------------
> 192.168.10.1 --- eth1
>   |  ---- zone referenced as nocat in shorewall set up
>   |  ---- simulates a wireless connection
> 192.168.10.2 --- eth1
> ------------------
> | bering box |   mountaingate ipsec end point
> ------------------
> 192.168.20.1 --- eth0
>
> 192.168.20.0/24 upper end subnet
OK, ipsec0 is listening on eth1 (valleygate), correct? After ipsec0 receives and un-encrypts the packets, the true IP information is also unwrapped and interpreted as the actual 192.168.20.0 address that the package was sent from. If this did not hold true, your "mountaingate" LAN client could never receive a response from the "valleygate" subnet.

I imagine that treating the "mountaingate" subnet as a local network on "valleygate" via ipsec0 in Shorewall will likely solve your problem. This would also allow the "wireless" link to remain encrypted.

I hope this helps!

--
~Lynn Avants
Linux Embedded Appliance Firewall developer
http://leaf.sourceforge.net
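One way to express that suggestion in the Shorewall 1.x-era configuration files that shipped with Bering, added here as an illustration and not taken from the thread; the zone name `vpn`, the `nocat` zone on eth1, and the per-file layout are assumptions built from the addresses in Erich's diagram:

```text
# /etc/shorewall/zones  (constructed example; columns: ZONE DISPLAY COMMENTS)
net     Net     Internet, reached via eth0 (194.124.158.98)
nocat   NoCat   simulated wireless link on eth1 (192.168.10.0/24)
vpn     VPN     mountaingate LAN (192.168.20.0/24) as seen after decryption

# /etc/shorewall/interfaces  (columns: ZONE INTERFACE BROADCAST OPTIONS)
net     eth0    detect
nocat   eth1    detect
# packets arriving here already carry their inner 192.168.20.x source address
vpn     ipsec0  -

# /etc/shorewall/tunnels  (columns: TYPE ZONE GATEWAY)
# let IKE and ESP pass between valleygate and the mountaingate peer on the wireless side
ipsec   nocat   192.168.10.2

# /etc/shorewall/policy  (columns: SOURCE DEST POLICY LOG-LEVEL)
vpn     net     ACCEPT
vpn     fw      ACCEPT
# cleartext traffic on the wireless segment gets nothing except the tunnel itself
nocat   all     DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq  (columns: INTERFACE SUBNET)
# NAT the decrypted mountaingate traffic out eth0, the zone the diagram says should be NATed
eth0    192.168.20.0/24
```

Because the `vpn` zone is bound to ipsec0 rather than eth1, the same 192.168.20.x source that is dropped when it shows up in cleartext on the wireless link is accepted only after it has come through the tunnel.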
