Hallelujah. It works.

I changed:

    FW_FORWARD="192.168.1.0/24,192.168.200.0/24,,,ipsec \
        192.168.200.0/24,192.168.1.0/24,,,ipsec"

to:

    FW_FORWARD="192.168.1.0/24,192.168.200.0/24 \
        192.168.200.0/24,192.168.1.0/24"

ie, dropped the "ipsec" flag.

The documentation in SuSEfirewall2 seems to imply that the ipsec flag should be there, so maybe this is a bug:

    # Examples:
    # - "192.168.1.0/24,10.10.0.0/16,,,ipsec \
    #    10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
    #    from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
    #    provided that both networks are connected via an
    #    IPsec tunnel.

It may be worth adding a remark to /usr/share/doc/packages/openswan/README.SUSE listing the parameters that need to be configured in SuSEfirewall2 for network-network ipsec to work (assuming you want to use both ipsec VPN and the SuSE firewall together. Personally I like the SuSE firewall configuration, which is why I wasted so much time on this....).

Thanks to everyone who replied.

- Jonathan
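
Going by the documentation excerpt quoted above, a rule without the "ipsec" flag no longer carries the proviso that the two networks be connected via an IPsec tunnel. The following is an added example, not part of the original post or of SuSEfirewall2, that lists which FW_FORWARD rules still carry the flag; the function name fw_forward_audit and the five-field layout source,destination,protocol,port,flags are assumptions taken from the quoted examples.

```shell
#!/bin/sh
# Added example: report, per FW_FORWARD rule, whether the "ipsec" flag is set.
# Assumed rule layout (from the quoted examples): source,destination,protocol,port,flags

fw_forward_audit() {
    # $1: the FW_FORWARD value as the shell sees it after sourcing the
    #     sysconfig file (rules separated by whitespace).
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' |
    while IFS=, read -r src dst proto port flags; do
        # Skip empty tokens and a stray backslash left over from a
        # line continuation that was pasted as literal text.
        case "$src" in
            ''|'\') continue ;;
        esac
        # "flags" receives everything after the fourth comma, so wrap it in
        # commas and match "ipsec" as a whole list element.
        case ",$flags," in
            *,ipsec,*) echo "$src -> $dst: ipsec-only" ;;
            *)         echo "$src -> $dst: no ipsec requirement" ;;
        esac
    done
}

# Constructed sample input: the two variants from the post.
WITH_FLAG="192.168.1.0/24,192.168.200.0/24,,,ipsec 192.168.200.0/24,192.168.1.0/24,,,ipsec"
WITHOUT_FLAG="192.168.1.0/24,192.168.200.0/24 192.168.200.0/24,192.168.1.0/24"

echo "Original setting:"
fw_forward_audit "$WITH_FLAG"
echo "Changed setting:"
fw_forward_audit "$WITHOUT_FLAG"
```

On a live system the same function can be fed the real value, for example after sourcing /etc/sysconfig/SuSEfirewall2 and passing "$FW_FORWARD".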