Does it work with the ipsec flag if you change

    IPSEC_MATCH="-m policy --dir in --pol ipsec --proto esp"

to

    IPSEC_MATCH="-m policy --pol ipsec --proto esp"

in /sbin/SuSEfirewall2?
/sbin/SuSEfirewall2 barfs with that change:

    SuSEfirewall2: batch committing...
    iptables-batch v1.3.3: policy match: neither --in nor --out specified
    Try `iptables-batch -h' or 'iptables-batch --help' for more information.

Looks like you have to specify a direction. So I added two new variables to /sbin/SuSEfirewall2:

    IPSEC_INPUT_MATCH="-m policy --dir in --pol ipsec --proto esp"
    IPSEC_OUTPUT_MATCH="-m policy --dir out --pol ipsec --proto esp"

and then used IPSEC_INPUT_MATCH in place of IPSEC_MATCH for the input chain, and added IPSEC_OUTPUT_MATCH to the forward chain. So the allow_ipsec() function becomes:

    allow_ipsec()
    {
        if [ -n "$ipsec_chain" ]; then
            # INPUT only ever sees decapsulated (inbound) traffic
            $IPTABLES -A INPUT -j "input_$ipsec_chain" $IPSEC_INPUT_MATCH
            # FORWARD sees both tunnel directions on a router
            $IPTABLES -A FORWARD -j "forward_$ipsec_chain" $IPSEC_INPUT_MATCH
            $IPTABLES -A FORWARD -j "forward_$ipsec_chain" $IPSEC_OUTPUT_MATCH
        fi
    }

and the forwarding_rules() function becomes:

    forwarding_rules()
    {
        local nets net1 net2 proto port rport flags more_args_in more_args_out chain
        for nets in $FW_FORWARD; do
            # split "net1,net2,proto,port,flags" into positional parameters
            IFS=, eval set -- \$nets
            net1="$1"
            net2="$2"
            proto="$3"
            port="$4"
            flags="$5"
            rport=""
            more_args_in=
            more_args_out=
            case "$flags" in
                "") ;;
                ipsec)
                    # one policy match per tunnel direction
                    more_args_in="$IPSEC_INPUT_MATCH"
                    more_args_out="$IPSEC_OUTPUT_MATCH"
                    ;;
                *)
                    echo "Error: unsupported flag in FW_FORWARD: $flags"
                    net1=""
                    ;;
            esac
            if [ -n "$proto" ] && ! check_proto_port "$proto" "$port" '' "FW_FORWARD"; then
                continue
            fi
            if [ -n "$net1" -a -n "$net2" ]; then
                for chain in $forward_zones; do
                    chain=forward_$chain
                    # each original rule is emitted twice: once with the
                    # inbound policy match and once with the outbound one
                    $LAC $IPTABLES -A $chain -j LOG ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port -m state --state NEW $more_args_in
                    $LAC $IPTABLES -A $chain -j LOG ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port -m state --state NEW $more_args_out
                    $LAA $IPTABLES -A $chain -j LOG ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port $more_args_in
                    $LAA $IPTABLES -A $chain -j LOG ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port $more_args_out
                    $IPTABLES -A $chain -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_in
                    $IPTABLES -A $chain -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_out
                    $IPTABLES -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_in
                    $IPTABLES -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_out
                done
            else
                error "too few parameters in FW_FORWARD -> $nets"
            fi
        done
    }

(There's almost certainly a better way to do this, but this was the quickest way for me to hack /sbin/SuSEfirewall2 as-is.)

Anyway, with those changes the router/firewall box will forward through the tunnel in both directions, with the ipsec flag set in FW_FORWARD.

Thanks again for all your help. I can send you my ugly hacked SuSEfirewall2 script if you want it :)

Cheers,
Jonathan
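The rule-generation pattern from the message above, as an added stand-alone example that is neither Jonathan's script nor SuSEfirewall2 code: one policy match per tunnel direction ("--dir in" for traffic just decapsulated from the tunnel, "--dir out" for traffic about to be encapsulated), emitted only when an FW_FORWARD entry carries the ipsec flag, so plain entries do not get duplicated rules. The entry format, the sample FW_FORWARD value, the chain name "forward_ext", the tcp/udp handling and the "--sport" reply rule are assumptions made for the example; IPTABLES defaults to "echo" so the rules are printed for inspection rather than loaded.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2 code): generate ipsec-aware FORWARD rules
# for FW_FORWARD entries, one policy match per traffic direction.
# IPTABLES defaults to "echo" so the rules are printed for review instead of
# loaded; run with IPTABLES=/usr/sbin/iptables to apply them for real.
IPTABLES="${IPTABLES:-echo}"

# The policy match refuses to run without --dir, so keep one match per
# direction: "in" for packets just decapsulated from the tunnel, "out" for
# packets that will be encapsulated on their way out of the router.
IPSEC_INPUT_MATCH="-m policy --dir in --pol ipsec --proto esp"
IPSEC_OUTPUT_MATCH="-m policy --dir out --pol ipsec --proto esp"

# Constructed sample configuration (assumed format, not SuSEfirewall2's):
# net1,net2[,proto[,port[,flags]]]; one entry through the tunnel, one plain.
FW_FORWARD="10.1.0.0/24,10.2.0.0/24,tcp,22,ipsec 192.168.5.0/24,10.2.0.0/24"

# emit_pair CHAIN NET1 NET2 PROTO_ARG PORT_ARG RPORT_ARG EXTRA_MATCH
# Accept NET1 -> NET2 (new and established) plus the replies NET2 -> NET1.
# The *_ARG parameters are expanded unquoted on purpose: each carries zero
# or more iptables options.
emit_pair() {
    $IPTABLES -A "$1" -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s "$2" -d "$3" $4 $5 $7
    $IPTABLES -A "$1" -j ACCEPT -m state --state ESTABLISHED,RELATED -s "$3" -d "$2" $4 $6 $7
}

# fw_forward_entry CHAIN ENTRY: emit the rules for one FW_FORWARD entry.
# Returns 1 (with a diagnostic on stderr) for a malformed entry.
fw_forward_entry() {
    chain="$1"
    oldifs="$IFS"; IFS=,; set -- $2; IFS="$oldifs"
    net1="$1"; net2="$2"; proto="$3"; port="$4"; flags="$5"

    if [ -z "$net1" ] || [ -z "$net2" ]; then
        echo "error: too few parameters in FW_FORWARD entry" >&2
        return 1
    fi

    proto_arg=""; port_arg=""; rport_arg=""
    case "$proto" in
        "") ;;
        tcp|udp)
            proto_arg="-p $proto"
            if [ -n "$port" ]; then
                port_arg="--dport $port"    # NET1 -> NET2 targets the service port
                rport_arg="--sport $port"   # replies come back from that port
            fi
            ;;
        *)  echo "error: unsupported protocol in FW_FORWARD: $proto" >&2; return 1 ;;
    esac

    case "$flags" in
        "")
            emit_pair "$chain" "$net1" "$net2" "$proto_arg" "$port_arg" "$rport_arg" ""
            ;;
        ipsec)
            # Both tunnel directions: decapsulated traffic (dir in) and
            # traffic about to be encapsulated (dir out).
            emit_pair "$chain" "$net1" "$net2" "$proto_arg" "$port_arg" "$rport_arg" "$IPSEC_INPUT_MATCH"
            emit_pair "$chain" "$net1" "$net2" "$proto_arg" "$port_arg" "$rport_arg" "$IPSEC_OUTPUT_MATCH"
            ;;
        *)  echo "error: unsupported flag in FW_FORWARD: $flags" >&2; return 1 ;;
    esac
}

# fw_forward_all CHAIN: process every FW_FORWARD entry; returns 1 if any failed.
fw_forward_all() {
    rc=0
    for nets in $FW_FORWARD; do
        fw_forward_entry "$1" "$nets" || rc=1
    done
    return $rc
}

fw_forward_all forward_ext
```

Run as-is it prints the four rules for the ipsec entry (two with "--dir in", two with "--dir out") and the two plain rules for the second entry; a malformed entry or an unknown flag is reported on stderr and skipped instead of silently producing a rule without the policy match.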