Hi again! Thanks for your answer!

> I'm fairly certain that you do need to set up some masquerading for this to
> work.

AFAIK masquerading is only needed if one part of the network is not able to address another directly (with its original IP), which should not be the case here. So I still hope I can do this with routing (hence the different subnets) instead of masquerading.

> Also, why use two tunnels
> instead of just one? It seems like you could achieve the same results but
> with just one tunnel.

Yes, it would be possible to do this with just one tunnel, but doing it with two has some configuration advantages. This way each VPN server has to know only how to reach its LAN (and push the corresponding route to its clients). But this two-tunnel thingy is all based on the assumption that the way of the packets can be different in the two directions. I will however test it with just one tunnel, though I think it should work with two too.

I made a little sketch of the network layout as it is currently set up. It's attached as PNG.

Roman

netzwerklayout.png
Description: PNG image
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users