SuSEFirewall2, IPSec -> SuSE-FW-UNALLOWED-TARGETIN
Hello,

I have a little problem with denied packets if I use SuSEfirewall2 for protecting the VPN gateway. I get messages like this if I ping (or try to make another connection, like ssh) to a system in the internal network through the IPsec tunnel:

Oct 20 20:13:16 gigant kernel: SuSE-FW-UNALLOWED-TARGETIN=ipsec0 OUT= MAC=00:05:5d:0a:93:00:00:09:5b:24:3e:67:08:00 SRC=192.168.2.2 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=25665 SEQ=1280

192.168.1.0/24 is the internal network which should be accessed from the roadwarriors through IPsec from all other networks (in this test case the roadwarrior is 192.168.2.2).

My SuSEfirewall2 setup:

FW_DEV_INT="eth0"            # 192.168.1.0/24
FW_DEV_DMZ="eth1 ipsec0"     # 192.168.2.0/24
FW_ROUTE="yes"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP="500"
FW_SERVICES_DMZ_IP="50 51"
FW_FORWARD="192.168.1.0/24,192.168.2.0/24 192.168.2.0/24,192.168.1.0/24"

Without the firewall all works fine. Can someone see my mistakes?

With the iptables rules I can start the IPsec tunnel and I can ping the IP (192.168.2.1) of the IPsec gateway. And all I see are ESP packets on the wire, so I think the tunnel is OK.

thanks a lot,
-mael

--
email: mael@m-ellinger.de -> www: http://www.m-ellinger.de
GPG-Key: http://www.m-ellinger.de/output/mael.gpg
Member of the Zwickau Linux User Group zLUG e.V. http://www.zlug.org
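As an added example (not code from the post, and not part of SuSEfirewall2 itself): a small Python triage helper that parses a SuSE-FW kernel log entry like the one quoted above into its tag, key=value fields and bare flags, parses the FW_FORWARD value into source/destination network pairs, and reports whether the dropped packet falls inside any configured forward pair. The two-field FW_FORWARD form "source-net,destination-net" is taken from the post; the optional third and fourth fields (protocol, destination port) are an assumption about the syntax and are only consulted when present. The sample log line and FW_FORWARD string are constructed from the post.

```python
"""Triage helper for SuSEfirewall2 kernel log lines (added example, not from the post)."""
import ipaddress

# Constructed sample input, copied from the log line and FW_FORWARD value in the post.
SAMPLE_LOG = (
    "Oct 20 20:13:16 gigant kernel: SuSE-FW-UNALLOWED-TARGETIN=ipsec0 OUT= "
    "MAC=00:05:5d:0a:93:00:00:09:5b:24:3e:67:08:00 SRC=192.168.2.2 "
    "DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=25665 SEQ=1280"
)
SAMPLE_FW_FORWARD = "192.168.1.0/24,192.168.2.0/24 192.168.2.0/24,192.168.1.0/24"


def parse_fw_log(line):
    """Split a syslog line carrying a netfilter log entry into tag, fields and flags.

    The log prefix ("SuSE-FW-UNALLOWED-TARGET") carries no trailing space, so the
    kernel glues "IN=" straight onto it; the tag is everything before the first
    "IN=".  Tokens without "=" (such as "DF") are returned as flags.  A repeated
    key (ICMP entries carry a second "ID=") overwrites the earlier value.
    """
    msg = line.split("kernel: ", 1)[-1]
    idx = msg.find("IN=")
    if idx < 0:
        raise ValueError("not a netfilter log entry: %r" % line)
    fields, flags = {}, []
    for tok in msg[idx:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            flags.append(tok)
    return {"tag": msg[:idx], "fields": fields, "flags": flags}


def parse_fw_forward(value):
    """Parse FW_FORWARD into rules: source-net,destination-net[,protocol[,port]].

    Only the first two fields appear in the post; protocol and port are an
    assumed extension and are left as None when absent.
    """
    rules = []
    for entry in value.split():
        parts = entry.split(",")
        if len(parts) < 2:
            raise ValueError("bad FW_FORWARD entry: %r" % entry)
        rules.append({
            "src": ipaddress.ip_network(parts[0]),
            "dst": ipaddress.ip_network(parts[1]),
            "proto": parts[2].lower() if len(parts) > 2 else None,
            "dport": int(parts[3]) if len(parts) > 3 else None,
        })
    return rules


def matching_forward_rules(entry, rules):
    """Return the FW_FORWARD rules whose networks (and proto/port, if set) cover the packet."""
    f = entry["fields"]
    src = ipaddress.ip_address(f["SRC"])
    dst = ipaddress.ip_address(f["DST"])
    proto = f.get("PROTO", "").lower()
    dport = int(f["DPT"]) if "DPT" in f else None
    hits = []
    for r in rules:
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        hits.append(r)
    return hits


def triage(line, fw_forward):
    """One-line verdict for a log entry: which tag, which interfaces, and
    whether the address pair is inside any FW_FORWARD entry at all."""
    entry = parse_fw_log(line)
    hits = matching_forward_rules(entry, parse_fw_forward(fw_forward))
    f = entry["fields"]
    return {
        "tag": entry["tag"],
        "in": f.get("IN", ""),
        "out": f.get("OUT", ""),
        "src": f["SRC"],
        "dst": f["DST"],
        "proto": f.get("PROTO", ""),
        "flags": entry["flags"],
        "covered_by_fw_forward": bool(hits),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_FW_FORWARD))
```

Run against the line from the post, the verdict shows the packet arriving on ipsec0 with an empty OUT= and a source/destination pair that does lie inside the second FW_FORWARD entry, which rules out a typo in FW_FORWARD as the cause before one looks at the zone assignment of ipsec0 or at the rest of the configuration.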