Hi list-users,

I'm trying to set up SuSEfirewall2 (SuSE 9.3) to work with IPSEC, but with no success. The tunnel is up, but packets that should go through the tunnel did not go through. Any help would be appreciated.

Here is some info about my config: I'm using DSL with a fixed IP.

VARS from SuSEfirewall2:

FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 eth1"  # eth0 192.168.101.0/24
FW_MASQ_NETS="192.168.101.0/24 172.16.17.0/29 0/0,!192.168.2.0/24"
FW_SERVICES_EXT_UDP="37 53 123 500 873 922 2401 4500"
FW_SERVICES_EXT_IP="esp"
FW_FORWARD="\
 172.16.17.0/29,192.168.101.0/24,ICMP \
 192.168.101.0/24,172.16.17.0/29,ICMP \
 172.16.17.0/29,192.168.101.220,tcp,19226 \
 192.168.101.220,172.16.17.0/29,tcp,19226 \
 192.168.101.0/24,192.168.2.0/24,,,ipsec \
 192.168.2.0/24,192.168.101.0/24,,,ipsec \
 192.168.101.0/24,192.168.68.0/24,,,ipsec \
 192.168.68.0/24,192.168.101.0/24,,,ipsec"
FW_IPSEC_TRUST="no"

##################

hades:/etc/sysconfig # iptables -L -n -t nat
Chain POSTROUTING (policy ACCEPT)
target      prot opt source              destination
MASQUERADE  all  --  192.168.101.0/24    0.0.0.0/0
MASQUERADE  all  --  172.16.17.0/29      0.0.0.0/0
MASQUERADE  all  --  0.0.0.0/0           !192.168.2.0/24

Chain OUTPUT (policy ACCEPT)
target      prot opt source              destination

##################

hades:/etc/sysconfig # setkey -D
xxx.xxx.xxx.188 xxx.xxx.xxx.138
        esp mode=tunnel spi=3117414419(0xb9cff813) reqid=16385(0x00004001)
        E: 3des-cbc  334fec87 9c497e97 2ee43f9b d70dfe2a 65ae72e0 cb08c64b
        A: hmac-md5  177d6696 9e1143ec 102ec467 f2e8d9bf
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Sep  4 18:29:37 2006   current: Sep  4 21:36:02 2006
        diff: 11185(s)  hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=28506 refcnt=0
xxx.xxx.xxx.138 xxx.xxx.xxx.188
        esp mode=tunnel spi=2811047203(0xa78d2d23) reqid=16385(0x00004001)
        E: 3des-cbc  47767294 28a98de2 34a641be e1606fcc 16837566