Hi, after weeks of reading FAQs, guides and everything I found about firewalls and FreeS/WAN I still have a big problem. But first I describe what is working and my network setup:

    roadwarrior (a.b.c.d)
        |
    internet
        |
    (d.e.f.g, static ip, ext. device, eth1, ipsec0)
    gateway with SuSE 8.2 and FreeS/WAN
    (10.10.11.3, int. device, eth0)
        |
    (10.10.11.0/24, int. network) LAN

The IPSec connection between roadwarrior and gateway external device works without any problem. But no matter what I try, if I try to ping the gateway's internal device (10.10.11.3) or the internal network I always get

    SuSE-FW-ILLEGAL-TARGET IN=ipsec0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xxx.xxx.xxx.x DST=10.10.11.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3540 PROTO=ICMP TYPE=8 CODE=0 ID=1280 SEQ=256

*SRC=xxx.xxx.xxx.x is the address of my roadwarrior

I did set up the firewall as described in /usr/share/doc/packages/SuSEfirewall2/EXAMPLES Scenario4:

    FW_DEV_EXT="eth1 ipsec0"
    FW_DEV_INT="eth0"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_NETS="10.10.11.0/24"
    FW_SERVICES_EXT_UDP="500"
    FW_SERVICES_EXT_IP="50 51"
    FW_FORWARD="a.b.c.d,10.10.11.0/24 10.10.11.0/24,a.b.c.d"

a.b.c.d is the address of my roadwarrior.

I left all other options default for testing the IPSec connections. Even without routing and masquerading I still get the error above, and the above settings for routing, forwarding and masquerading did not change anything. I also tried to make a custom updown script to be executed when ipsec0 comes up; that didn't change anything either.

If the firewall is disabled I can ping the gateway's internal device (10.10.11.3) from an external IPSec connection. With the firewall enabled I can only access the external device of the gateway - I cannot ping the internal network.

Any suggestions what I am doing wrong here? I guess I have to use a custom updown script that allows traffic between the roadwarrior and the internal network and is executed each time an IPSec connection comes up.
I tried this script but still had the SuSE-FW-ILLEGAL-TARGET error:

    # branches added to the "case" in the FreeS/WAN _updown script
    up-client:)
        iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT -j ACCEPT
        iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -s $PLUTO_PEER_CLIENT -j ACCEPT
        ;;
    down-client:)
        iptables -D FORWARD -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT -j ACCEPT
        iptables -D FORWARD -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -s $PLUTO_PEER_CLIENT -j ACCEPT
        ;;

I checked the Pluto variables at execution time of the script and the IP addresses represented by those were correct.

I appreciate any suggestions, thanks in advance,
R. Peters
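As an added example (not the poster's script and not SuSEfirewall2's own code): a FreeS/WAN _updown fragment that, unlike the FORWARD-only rules in the post, also covers INPUT and OUTPUT, because the logged packet has an empty OUT= and is addressed to the gateway's own 10.10.11.3, so it is decided in INPUT rather than FORWARD. It assumes Pluto's standard PLUTO_* variables (PLUTO_INTERFACE carries the ipsec device name) and binds every rule to that interface; IPT=echo makes it print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not the poster's script and not SuSEfirewall2's own code):
# a FreeS/WAN _updown fragment that opens the decrypted tunnel traffic in
# INPUT/OUTPUT (the gateway's own addresses, such as 10.10.11.3) as well as
# FORWARD (the LAN behind it).  Pluto exports PLUTO_VERB, PLUTO_INTERFACE,
# PLUTO_MY_CLIENT_NET, PLUTO_MY_CLIENT_MASK and PLUTO_PEER_CLIENT before it
# runs the script.  IPT=echo prints the rules instead of loading them.
IPT="${IPT:-iptables}"

# Print one rule per line as "<chain> <match ...>".  Binding every rule to
# the ipsec interface (-i/-o) keeps the exemption limited to packets that
# really came out of, or go into, the tunnel; cleartext packets arriving on
# eth1 with an internal destination are still caught by the firewall.
tunnel_rules() {
  mynet="$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK"
  peer="$PLUTO_PEER_CLIENT"
  ifc="$PLUTO_INTERFACE"
  echo "INPUT -i $ifc -s $peer -d $mynet -j ACCEPT"
  echo "OUTPUT -o $ifc -s $mynet -d $peer -j ACCEPT"
  echo "FORWARD -i $ifc -s $peer -d $mynet -j ACCEPT"
  echo "FORWARD -o $ifc -s $mynet -d $peer -j ACCEPT"
}

# $1 is -I (insert) or -D (delete).  Inserting at position 1 puts the rules
# ahead of SuSEfirewall2's own log/reject rules in each chain.
apply_rules() {
  op="$1"
  tunnel_rules | while read -r chain match; do
    if [ "$op" = "-I" ]; then
      $IPT -I "$chain" 1 $match
    else
      $IPT -D "$chain" $match
    fi
  done
}

# Dispatch on the verb Pluto passes; other verbs (up-host, ...) are left to
# the rest of the _updown script.
case "${PLUTO_VERB:-}" in
  up-client)   apply_rules -I ;;
  down-client) apply_rules -D ;;
esac
```

Restarting SuSEfirewall2 rebuilds its chains, so rules inserted this way are gone until the tunnel is brought down and up again.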