I thought I'd take a step back from the problem and describe exactly what it is that I'm trying to accomplish.

What we've got is an office of PCs that are running Windows 2000 Professional inside of VMware on top of SuSE Linux 7.3. This is rather amusing, watching W2K run "in jail" and it has no idea. :-) We're developing for a client in W2K, which is why we're running it at all. (Money's gotta come in from somewhere.) ;-)

The office runs on a private subnet of 192.168.1.0/24. At the front end of this office is a SuSE 7.3 box running SuSEfirewall2 2.1. Its name is fire01. We have a DSL connection at the front of this office which comes into a router at 1.2.3.73. Our firewall sits at 1.2.3.74 and gateways to 1.2.3.73. (No, those aren't real addresses.) ;-)

Okay, that describes the office. Now over to the client's site: they have a Cisco PIX firewall with a bank of addresses. Currently, an address of 5.6.7.220 is bound to an internal address of 10.100.0.26, and only port 22 TCP (SSH) is allowed through. 10.100.0.26 is a SuSE 7.3 box which will be (but is not yet) running SuSEfirewall2 2.1. It only has one NIC, and I'll explain why here in a bit. Its name is fire03. Another machine on the inside is 10.100.0.17, which is a Windows-based development server offering file storage and Microsoft SourceSafe storage of the source code we'd like direct access to from our 192.168.1.0/24 subnet at our office, hidden behind 1.2.3.74/32.

So that brings me to the problem at hand: I need a securely encrypted connection between fire01 and fire03. I have this so far using SSH. I have created a user called 'vpn' on both fire01 and fire03, and they have cross-permitted public RSA keys and can ssh back and forth at will (without passwords). Similarly, I've set this up for the root accounts.

What I want to accomplish is a secure connection between fire01 at 1.2.3.74 and fire03 at 10.100.0.26, already behind the PIX at 5.6.7.220, such that the machines behind fire01 at 192.168.1.0/24 can see the Microsoft development server at 10.100.0.17 on the client's network. I want to be able to use SuSEfirewall2 on both sides to ensure that ONLY 10.100.0.17 has permission to talk through fire03, and that only 10.100.0.17 is reachable through our tunnel. (We want to limit the scope of the VPN connection to safeguard our client as much as possible.) I also want to ensure that, though 10.100.0.17 is permitted to answer our 192.168.1.0/24 workstations behind fire01, it is not permitted to see inside our network - the client doesn't have a need to access our internal network, and I must protect _our_ security as well.

Lastly, it's got to be seamless. Our 192.168.1.0/24 machines should see the development server at 10.100.0.17 on the client side as if it were a 192.168.1.0/24 machine (let's say 192.168.1.17 for argument's sake; I can leave that IP open). :-)

I've tried IPsec, but haven't been quite able to get it running. I've tried various SSH methods with scripts, but either I'm lacking understanding, or the config isn't right, or... *sigh*

Oh: fire01 is up and running with SuSEfirewall2 - taking that protection offline is _not_ an option. The fire03 machine behind the PIX is already being protected by the PIX, so I've got a bit more freedom to play there.

Hopefully someone can help me attack and slay this dragon. I really need a solution that works.

Argentium
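One way to express the two restrictions the post asks for (only 10.100.0.17 reachable through the tunnel, and no path from the client side back into 192.168.1.0/24), as an added example that is not part of the original post or of SuSEfirewall2: a script that emits the iptables rules fire01 would need around whatever tunnel carries the traffic. It assumes the tunnel shows up as interface tun0 with 10.254.0.1 on fire01's end and that eth1 is fire01's LAN interface; the tunnel itself, and the mirror-image rules on fire03, are outside this example.

```shell
#!/bin/sh
# Added example: emit iptables rules for fire01 that map the spare address
# 192.168.1.17 onto the client's dev server 10.100.0.17 through a tunnel,
# while allowing nothing else across the tunnel in either direction.
# Assumptions (not from the original post): the tunnel interface is tun0
# with 10.254.0.1 on fire01's end; eth1 is fire01's LAN-facing interface.
TUN_IF="${TUN_IF:-tun0}"
TUN_LOCAL="${TUN_LOCAL:-10.254.0.1}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="192.168.1.0/24"
ALIAS_IP="192.168.1.17"      # address our workstations will talk to
DEV_SERVER="10.100.0.17"     # the only host reachable through the tunnel

# Print the rules rather than running them, so they can be reviewed first
# (pipe the output into sh once you are happy with it).
rules_fire01() {
    cat <<EOF
# Rewrite traffic for the alias so it reaches the real dev server.
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $ALIAS_IP -j DNAT --to-destination $DEV_SERVER
# Hide our LAN: everything leaving via the tunnel carries the tunnel address.
iptables -t nat -A POSTROUTING -o $TUN_IF -d $DEV_SERVER -j SNAT --to-source $TUN_LOCAL
# Only our LAN -> dev server is allowed outbound across the tunnel.
iptables -A FORWARD -i $LAN_IF -o $TUN_IF -s $LAN_NET -d $DEV_SERVER -j ACCEPT
# Inbound across the tunnel: only replies to connections we opened.
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -s $DEV_SERVER -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything else crossing the tunnel, either way, is logged and dropped.
iptables -A FORWARD -i $TUN_IF -j LOG --log-prefix "vpn-drop: "
iptables -A FORWARD -i $TUN_IF -j DROP
iptables -A FORWARD -o $TUN_IF -j DROP
EOF
}

# Sanity check: how many of the emitted rules actually permit traffic.
count_accepts() {
    rules_fire01 | grep -c -- '-j ACCEPT'
}

rules_fire01
```

On fire03 the same idea applies with the roles reversed: forward only 10.254.0.1 to 10.100.0.17 and SNAT it to 10.100.0.26 so the single-NIC dev server answers back through fire03 without needing a route to the tunnel.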