Hi all!

I have a VPN/SuSEfirewall2 problem. There is the following setup:

@HOME: small LAN connected to the internet via SuSE 7.3 box (kernel 2.4.10, SuSEfirewall2); firewall/IP forwarding/masquerading works fine without VPN. There are the following network interfaces:

  eth0 = home LAN (192.168.0.0/24)
  eth1 = interface for rp-pppoe
  ppp0 = external interface (given by DSL provider)

@WORK: Cisco VPN 3000 concentrator

So far, two things worked:

1) From behind the Linux firewall I can use the (lame.. :)) Windows client (proprietary Cisco) and connect just fine.

2) From the Linux firewall, I can run the Linux client (uses a kernel module cisco_ipsec compiled for my system from Cisco sources) and then I can connect to the Cisco concentrator.

The problem with 2), however, is that I can *ONLY* connect the Linux box to the VPN, and not the local LAN to the VPN. In fact, once the VPN connection is up, I can only use the VPN!!! A ping to something behind eth0 doesn't work. :(

Ok, I tried the following things:

1) FW_SERVICES_EXT_UDP="500" has to be there, otherwise the IPSEC traffic cannot go through.

2) FW_DEV_EXT="ppp0 cipsec0". I noticed that the Cisco kernel module opens "cipsec0", visible with "ifconfig -a". But this didn't help. (BTW, FW_MASQ_DEV="ppp0" is set, and not $FW_DEV_EXT.)

I listed below the SuSEfirewall2 configuration which is doing fine without VPN. Any help is really appreciated...
Best regards,
Michael

cat /etc/rc.config.d/firewall2.rc.config | egrep -v "^$|^#"

FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="ppp0"
FW_MASQ_NETS="192.168.0.0/24"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="500"    # Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ssh 139"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"    # Autodetect the services below when starting
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""    # Beware to use this!
FW_FORWARD_MASQ=""    # Beware to use this!
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
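The post notes that FW_DEV_EXT was changed to "ppp0 cipsec0" while FW_MASQ_DEV stayed "ppp0", so the two lists no longer agree. The script below is an added example, not part of Michael's post or of SuSEfirewall2 itself: it parses a firewall2.rc.config-style fragment (constructed inline from the settings in the post, with FW_DEV_EXT as the poster tried it) and reports every external device that LAN traffic could leave through without being masqueraded. It assumes, as SuSEfirewall2's own config file comments do, that an empty FW_MASQ_DEV or the literal "$FW_DEV_EXT" means "masquerade on all FW_DEV_EXT devices"; whether adding cipsec0 to FW_MASQ_DEV is sufficient for the Cisco client is not something the post establishes.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant lines from the post, with FW_DEV_EXT set the
# way the poster tried it. Inline comments and quoted values with spaces are
# included so the parser is exercised on the real file's shapes.
SAMPLE_CONFIG = '''
FW_DEV_EXT="ppp0 cipsec0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="ppp0"
FW_MASQ_NETS="192.168.0.0/24"
FW_SERVICES_EXT_UDP="500"    # Common: domain
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
'''

# One assignment per line, value always double-quoted; trailing "# ..." ignored.
ASSIGN = re.compile(r'^\s*(FW_[A-Z0-9_]+)="([^"]*)"')


def parse_firewall2(text: str) -> Dict[str, str]:
    """Return the FW_* settings of a firewall2.rc.config fragment as a dict."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def words(cfg: Dict[str, str], key: str) -> List[str]:
    """Split a space-separated setting into its tokens ("" -> [])."""
    return cfg.get(key, "").split()


def masq_devices(cfg: Dict[str, str]) -> List[str]:
    """Devices masquerading applies to. Assumption (matches the config file's
    own comment): empty FW_MASQ_DEV or the literal $FW_DEV_EXT means all
    external devices."""
    raw = cfg.get("FW_MASQ_DEV", "").strip()
    if raw in ("", "$FW_DEV_EXT"):
        return words(cfg, "FW_DEV_EXT")
    return raw.split()


def check_masq_devices(cfg: Dict[str, str]) -> List[str]:
    """Report external devices that carry LAN traffic without masquerading,
    and masquerade devices that are not external at all."""
    problems: List[str] = []
    if cfg.get("FW_MASQUERADE") != "yes":
        return ['FW_MASQUERADE is not "yes"; nothing is masqueraded']
    ext = words(cfg, "FW_DEV_EXT")
    masq = masq_devices(cfg)
    for dev in ext:
        if dev not in masq:
            problems.append(
                f"{dev} is in FW_DEV_EXT but not in FW_MASQ_DEV: "
                f"{cfg.get('FW_MASQ_NETS', '')} traffic leaving via {dev} "
                "keeps its private source address")
    for dev in masq:
        if dev not in ext:
            problems.append(f"{dev} is in FW_MASQ_DEV but not in FW_DEV_EXT")
    return problems


def with_masq_on_all_ext(cfg: Dict[str, str]) -> Dict[str, str]:
    """Corrected variant: masquerade on every external device."""
    fixed = dict(cfg)
    fixed["FW_MASQ_DEV"] = cfg.get("FW_DEV_EXT", "")
    return fixed


if __name__ == "__main__":
    cfg = parse_firewall2(SAMPLE_CONFIG)
    for p in check_masq_devices(cfg):
        print("WARN:", p)
    fixed = with_masq_on_all_ext(cfg)
    print("after fix, FW_MASQ_DEV =", repr(fixed["FW_MASQ_DEV"]),
          "problems:", check_masq_devices(fixed))
```

On the sample it flags cipsec0 as an external device whose traffic is not masqueraded, and reports nothing once FW_MASQ_DEV lists the same devices as FW_DEV_EXT. The same check applied to the unmodified config in the post (FW_DEV_EXT="ppp0") reports nothing, which is consistent with that config working before the VPN interface was added.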