#3. The GW computers should be able to talk to each other. (Does not *have* to be IPsec, SSH is enough).
For IPsec, add the xpfwl-xpfwn definition, too.
-----------------
FW_DEV_EXT="eth0 ipsec0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth0"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50"
FW_FORWARD="192.168.1.0/24,192.168.3.0/24 192.168.3.0/24,192.168.1.0/24"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
-----------------
I'm still strongly in favour of putting ipsec0 into DEV_INT. You probably don't need FW_FORWARD then...
And for #3: when I have enabled the tunnels (conn xpfwlsn-xpfwn and xpfwl-xpfwnsn), the traffic from GW1 to GW2 is silently dropped. Using snort (as a sniffer) I can see that the data is encapsulated on ipsec0, but no data is sent on eth0!
See above: the tunnel definition is missing.

Cheers,
Robert
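As an added example that is not part of this thread: a small POSIX shell lint for the SuSEfirewall2 settings discussed above. It reads a config fragment, reports where ipsec0 is assigned (FW_DEV_EXT or FW_DEV_INT), checks that FW_FORWARD is consistent with that choice along the lines of Robert's suggestion, and checks that IKE (UDP 500) and ESP (IP protocol 50) are allowed on the external device. The variable names are the ones in the posted config; the three configs are constructed samples, and the consistency rules encode the thread's advice rather than SuSEfirewall2's documented semantics, so treat them as assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lint a SuSEfirewall2 config fragment
# for the ipsec0 placement discussed above. Variable names (FW_DEV_EXT,
# FW_DEV_INT, FW_FORWARD, FW_SERVICES_EXT_UDP, FW_SERVICES_EXT_IP) are the
# ones in the posted config; the consistency rules encode the thread's
# advice, not SuSEfirewall2's own documentation (assumption).

# Constructed sample 1: the config as posted (ipsec0 external, FW_FORWARD set).
POSTED_CFG='FW_DEV_EXT="eth0 ipsec0"
FW_DEV_INT="eth1"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50"
FW_FORWARD="192.168.1.0/24,192.168.3.0/24 192.168.3.0/24,192.168.1.0/24"'

# Constructed sample 2: Robert's suggestion, ipsec0 moved to FW_DEV_INT.
SUGGESTED_CFG='FW_DEV_EXT="eth0"
FW_DEV_INT="eth1 ipsec0"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50"
FW_FORWARD=""'

# Constructed sample 3: ipsec0 external, no FW_FORWARD, IKE port missing.
BROKEN_CFG='FW_DEV_EXT="eth0 ipsec0"
FW_DEV_INT="eth1"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP="50"
FW_FORWARD=""'

# cfg_get CFG VAR: print the value of VAR="..." from CFG (quotes stripped).
cfg_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\\(.*\\)\"\$/\\1/p"
}

# has_word LIST WORD: succeed if WORD is a whitespace-separated member of LIST.
has_word() {
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# ipsec_dev_class CFG: print ext, int, both or none for where ipsec0 sits.
ipsec_dev_class() {
    ext_devs=$(cfg_get "$1" FW_DEV_EXT)
    int_devs=$(cfg_get "$1" FW_DEV_INT)
    if has_word "$ext_devs" ipsec0 && has_word "$int_devs" ipsec0; then echo both
    elif has_word "$ext_devs" ipsec0; then echo ext
    elif has_word "$int_devs" ipsec0; then echo int
    else echo none
    fi
}

# check_config CFG: print one line per finding; return the number of findings.
check_config() {
    cfg=$1
    n=0
    case $(ipsec_dev_class "$cfg") in
        both) echo "ipsec0 is in both FW_DEV_EXT and FW_DEV_INT"; n=$((n+1)) ;;
        none) echo "ipsec0 is in neither FW_DEV_EXT nor FW_DEV_INT"; n=$((n+1)) ;;
        ext)  [ -n "$(cfg_get "$cfg" FW_FORWARD)" ] ||
                  { echo "ipsec0 external: FW_FORWARD must list the tunneled subnet pairs"; n=$((n+1)); } ;;
        int)  [ -z "$(cfg_get "$cfg" FW_FORWARD)" ] ||
                  { echo "ipsec0 internal: FW_FORWARD tunnel entries are probably redundant"; n=$((n+1)); } ;;
    esac
    # IKE negotiates on UDP 500; ESP is IP protocol 50. Both must reach eth0.
    has_word "$(cfg_get "$cfg" FW_SERVICES_EXT_UDP)" 500 ||
        { echo "IKE: FW_SERVICES_EXT_UDP does not include 500"; n=$((n+1)); }
    has_word "$(cfg_get "$cfg" FW_SERVICES_EXT_IP)" 50 ||
        { echo "ESP: FW_SERVICES_EXT_IP does not include 50"; n=$((n+1)); }
    return $n
}

# Stand-alone run: lint all three samples.
for name in POSTED_CFG SUGGESTED_CFG BROKEN_CFG; do
    eval "cfg=\$$name"
    echo "== $name =="
    if check_config "$cfg"; then echo "no findings"; fi
done
```

Running it prints "no findings" for the posted config and for the DEV_INT variant, and two findings for the deliberately broken sample (missing FW_FORWARD while ipsec0 is external, and no UDP 500 for IKE). The lint says nothing about the FreeS/WAN side; a missing conn definition, as Robert points out, still has to be fixed in ipsec.conf.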