Please excuse me if this is not the correct forum for VPN and firewall issues on SuSE. I am trying to set up an IPsec VPN between two private subnets, and I have run into a snag that I cannot resolve. The VPN establishes itself fine, and I can connect from any machine on the right subnet to any machine on the left subnet, but not vice versa.

Here's the setup:

    192.168.1.0/24===a.a.a.a---b.b.b.b...c.c.c.c---d.d.d.d===192.168.200.0/24

"a.a.a.a" is the external interface of a SuSE 10.0 box which masquerades machines on the internal 192.168.1.0/24 subnet. "b.b.b.b" is its nexthop router. "d.d.d.d" is the external interface of my home Linksys AG241 DSL router. "c.c.c.c" is its nexthop router (at the ISP).

I have an IPsec, pre-shared key tunnel from a.a.a.a to d.d.d.d. The SuSE box is running it with Openswan; the Linksys router is just set up via the normal Linksys configuration (which may well be Openswan under the hood).

Everything works fine from right-to-left, i.e. all machines on the 192.168.200.0 subnet behind the Linksys router can see all machines on the 192.168.1.0 subnet behind the SuSE box. But nothing works from left-to-right: neither the SuSE router box itself, nor any of the machines on the 192.168.1.0 subnet behind it, can see any machines on the 192.168.200.0 subnet at the other end of the tunnel.

This seems to me like it must be a routing problem, but I can't for the life of me work out how to fix it.

I am running SuSEfirewall2 on the SuSE router. I have explicitly enabled forwarding between the two subnets by setting FW_FORWARD in /etc/sysconfig/SuSEfirewall2:

    FW_FORWARD="192.168.1.0/24,192.168.200.0/24,,,ipsec \
                192.168.200.0/24,192.168.1.0/24,,,ipsec"

I have explicitly disabled NAT of packets between the two subnets by adding the following line to the fw_custom_before_port_handling() section of /etc/sysconfig/scripts/SuSEfirewall2-custom:

    iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d \! 192.168.200.0/24 -j MASQUERADE

The tunnel config in /etc/ipsec.conf looks like:

    conn net-to-net
        # Key exchange method
        authby=secret
        # Left security gateway, subnet behind it, nexthop toward right.
        left=a.a.a.a
        leftsubnet=192.168.1.0/24
        leftnexthop=b.b.b.b
        # Right security gateway, subnet behind it, nexthop toward left.
        right=d.d.d.d
        rightsubnet=192.168.200.0/24
        rightnexthop=c.c.c.c
        auto=start

Any suggestions?

Thanks,
Jonathan Baxter
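The custom rule in the post exempts left-to-right traffic from masquerading only if no earlier rule in the nat POSTROUTING chain already masquerades it; SuSEfirewall2 adds its own masquerade rule for FW_MASQUERADE, and if that rule comes first, packets from 192.168.1.0/24 to 192.168.200.0/24 leave with source a.a.a.a, which the far gateway's leftsubnet/rightsubnet selectors will not match. Only `iptables-save -t nat` on the box shows the real ordering. The script below is an added example, not from the post or from Openswan/SuSEfirewall2: it dry-runs a POSTROUTING chain from an `iptables-save` dump against a given flow and reports the first terminating target. The two dumps (`BROKEN_DUMP`, `FIXED_DUMP`) and the interface name eth2 are constructed for illustration; only `-s`, `-d`, `-o` (with either negation spelling) and `-j` are modelled, and any other match raises rather than silently being ignored.

```python
import ipaddress
import shlex

# Constructed sample, not output from the poster's box: what `iptables-save -t nat`
# could show if the firewall's own masquerade rule sits before the custom one.
BROKEN_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.200.0/24 -o eth2 -j MASQUERADE
COMMIT
"""

# Constructed sample: the same chain with an explicit exemption placed first.
FIXED_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.200.0/24 -o eth2 -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE
COMMIT
"""


def _take_value(toks, i, negate):
    """Return (value, negated, next_index); accepts both '! -d X' (iptables-save
    output) and the older '-d ! X' spelling used in the post's custom rule."""
    if toks[i + 1] == "!":
        return toks[i + 2], True, i + 3
    return toks[i + 1], negate, i + 2


def parse_postrouting(dump):
    """Parse the '-A POSTROUTING' lines of an iptables-save nat dump, in order."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if toks[:2] != ["-A", "POSTROUTING"]:
            continue
        rule = {"src": None, "dst": None, "out": None, "target": None}
        negate = False
        i = 2
        while i < len(toks):
            t = toks[i]
            if t == "!":
                negate = True
                i += 1
                continue
            if t in ("-s", "--source", "--src"):
                v, neg, i = _take_value(toks, i, negate)
                rule["src"] = (ipaddress.ip_network(v, strict=False), neg)
            elif t in ("-d", "--destination", "--dst"):
                v, neg, i = _take_value(toks, i, negate)
                rule["dst"] = (ipaddress.ip_network(v, strict=False), neg)
            elif t in ("-o", "--out-interface"):
                v, neg, i = _take_value(toks, i, negate)
                rule["out"] = (v, neg)
            elif t in ("-j", "--jump"):
                rule["target"] = toks[i + 1]
                i += 2
            else:
                # Refuse to guess: an unmodelled match could change the verdict.
                raise ValueError("unmodelled option %r in rule: %s" % (t, line))
            negate = False
        rules.append(rule)
    return rules


def _net_ok(cond, addr):
    if cond is None:
        return True
    net, negated = cond
    return (addr in net) != negated


def _iface_ok(cond, name):
    if cond is None:
        return True
    want, negated = cond
    return (name == want) != negated


def first_nat_target(rules, src, dst, out_if):
    """Walk the chain in order; return (rule_number, target) of the first
    terminating rule the flow hits, or (None, 'policy ACCEPT') if none does.
    LOG is the only non-terminating target modelled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(rules, 1):
        if _net_ok(r["src"], s) and _net_ok(r["dst"], d) and _iface_ok(r["out"], out_if):
            if r["target"] != "LOG":
                return n, r["target"]
    return None, "policy ACCEPT"


def will_masquerade(dump, src, dst, out_if="eth2"):
    """True if the flow would be source-NATed, i.e. would no longer match the
    tunnel's leftsubnet selector when it reaches the right gateway."""
    _, target = first_nat_target(parse_postrouting(dump), src, dst, out_if)
    return target in ("MASQUERADE", "SNAT")


if __name__ == "__main__":
    flow = ("192.168.1.10", "192.168.200.5", "eth2")
    for name, dump in (("broken", BROKEN_DUMP), ("fixed", FIXED_DUMP)):
        n, t = first_nat_target(parse_postrouting(dump), *flow)
        print("%s: %s -> %s hits rule %s (%s)" % (name, flow[0], flow[1], n, t))
```

Feed it the real dump with `iptables-save -t nat` piped into a file and `will_masquerade(open(path).read(), "192.168.1.10", "192.168.200.5")`; a True result means the tunnel selectors never see the inner source address, regardless of what FW_FORWARD allows.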