Jonathan Baxter wrote:
> [...] But nothing works from left-to-right; neither the SuSE router box itself, nor

The router itself cannot reach the subnet on the other side if you use its external IP as source. You'd need a second tunnel for that.

> any machines on the 192.168.1.0 subnet behind it can see any machines on the
> 192.168.200.0 subnet at the other end of the tunnel. [...] I am running
> SuSEfirewall2 on the SuSE router. I have explicitly enabled forwarding between
> the two subnets by setting FW_FORWARD in /etc/sysconfig/SuSEfirewall2:
>
> FW_FORWARD="192.168.1.0/24,192.168.200.0/24,,,ipsec \
>             192.168.200.0/24,192.168.1.0/24,,,ipsec"
Looks correct.
> I have explicitly disabled NAT of packets between the two subnets by adding the
> following line to the fw_custom_before_port_handling() section of
> /etc/sysconfig/scripts/SuSEfirewall2-custom:
>
> iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d \! 192.168.200.0/24 -j MASQUERADE

Packets to 192.168.200.0/24 do not match that rule and fall through to the rule SuSEfirewall2 creates I guess. Try FW_MASQ_NETS="0/0,!192.168.200.0/24"

cu
 Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
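Ludwig's point about rule order, as an added illustration that is not part of the thread: a small Python model of first-match evaluation in the nat POSTROUTING chain, assuming (as he infers) that the custom rule comes before SuSEfirewall2's own MASQUERADE rule. The ACCEPT exception in the second chain shows the iptables mechanism by which a packet is kept out of NAT; it is a constructed comparison, not the FW_MASQ_NETS fix he proposes.

```python
import ipaddress

# Constructed model of iptables nat POSTROUTING rules (not SuSEfirewall2 code).
# A rule holds a source net, a destination net, whether the destination match
# is negated (iptables "! -d") and the target taken when the rule matches.
def rule(src, dst, target, negate_dst=False):
    return {"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "negate_dst": negate_dst, "target": target}

def matches(r, src_ip, dst_ip):
    src_ok = ipaddress.ip_address(src_ip) in r["src"]
    dst_in = ipaddress.ip_address(dst_ip) in r["dst"]
    # A negated destination matches exactly when the address is NOT in the net.
    return src_ok and (dst_in != r["negate_dst"])

def postrouting(chain, src_ip, dst_ip):
    """First matching rule wins. In the nat table ACCEPT means 'leave the
    packet alone', MASQUERADE rewrites its source. Chain policy is ACCEPT."""
    for r in chain:
        if matches(r, src_ip, dst_ip):
            return r["target"]
    return "ACCEPT"

# Chain as the post builds it: the custom "! -d tunnel" MASQUERADE rule, then
# the MASQUERADE rule SuSEfirewall2 generates for the whole LAN. Tunnel-bound
# packets skip the first rule and are still masqueraded by the second.
AS_POSTED = [
    rule("192.168.1.0/24", "192.168.200.0/24", "MASQUERADE", negate_dst=True),
    rule("192.168.1.0/24", "0.0.0.0/0", "MASQUERADE"),
]

# Same chain with an explicit exception ahead of both MASQUERADE rules:
# tunnel-bound packets hit ACCEPT and never reach a NAT rule.
WITH_EXCEPTION = [rule("192.168.1.0/24", "192.168.200.0/24", "ACCEPT")] + AS_POSTED

if __name__ == "__main__":
    for name, chain in (("as posted", AS_POSTED), ("with exception", WITH_EXCEPTION)):
        print(name, "-> to tunnel:", postrouting(chain, "192.168.1.10", "192.168.200.5"),
              "| to internet:", postrouting(chain, "192.168.1.10", "203.0.113.7"))
```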