Quoting "Kaiser, Hans" :

Hallo list,

I'm using openvpn and SuSEfirewall. Oenvpn is running fine, but my routing won't work. My local network (eth0) is 192.168.1.0/24 My tunnel net (tun1) is 192.168.2.0/24

So I'm trying to route the both nets, but I get for every protocol from the SuSEfirewall: SFW2-FWDint-DROP-DEFLT IN=tun1 OUT=eth0 SRC=192.168.2.1 DST=192.168.1.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=2365 SEQ=3

[snip]

FW_DEV_EXT="ppp0" FW_DEV_INT="eth0 tun1"

As I understand it, SuSE Firewall was designed with the intention of only routing between Internal and External interfaces, not between two that are Internal or two that are External. So both eth0 and tun1 (shouldn't that be tun0?) should route out your ppp connection, but not between each other. What's the context of your environment? Offhand, I don't know the necessary changes to make those two route, perhaps someone else on the list does.

Hello Hans, I dont know openvpn, but with FreeSwan i had the same troubles. To get an working Tunnel i have modifyed SuSEfirewall-custom: iptables -A INPUT -j ACCEPT -d 192.168.1.0/24 iptables -A OUTPUT -j ACCEPT -d 192.168.2.0/24 and the SuSEfirewall: FW_FORWARD="192.168.1.0/24,192.168.2.0/24 192.168.2.0/24,192.168.1.0/24 a.a.a.a/32,192.168.1.0/24 a.a.a.a/32,b.b.b.b/32 192.168.1.0/24,a.a.a.a/32" (a.a.a.a Gateway1 b.b.b.b Gateway2). try it. best regards. Am Donnerstag, 22. Juli 2004 22:40 schrieb Kaiser, Hans:

Hallo list,

I'm using openvpn and SuSEfirewall. Oenvpn is running fine, but my routing won't work. My local network (eth0) is 192.168.1.0/24 My tunnel net (tun1) is 192.168.2.0/24

So I'm trying to route the both nets, but I get for every protocol from the SuSEfirewall: SFW2-FWDint-DROP-DEFLT IN=tun1 OUT=eth0 SRC=192.168.2.1 DST=192.168.1.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=2365 SEQ=3

Any Ideas, what is wrong?

My SuSEfirewall config:

My SuSEfirewall: FW_QUICKMODE="no" FW_DEV_EXT="ppp0" FW_DEV_INT="eth0 tun1" FW_DEV_DMZ="" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="0/0" FW_PROTECT_FROM_INTERNAL="no" FW_AUTOPROTECT_SERVICES="yes" FW_SERVICES_EXT_TCP="8890:8893 http https ssh" FW_SERVICES_EXT_UDP="isakmp" FW_SERVICES_EXT_IP="" FW_SERVICES_EXT_RPC="" FW_SERVICES_DMZ_TCP="" FW_SERVICES_DMZ_UDP="" FW_SERVICES_DMZ_IP="" FW_SERVICES_DMZ_RPC="" FW_SERVICES_INT_TCP="" FW_SERVICES_INT_UDP="" FW_SERVICES_INT_IP="esp" FW_SERVICES_INT_RPC="" FW_SERVICES_QUICK_TCP="" FW_SERVICES_QUICK_UDP="" FW_SERVICES_QUICK_IP="" FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24" FW_ALLOW_INCOMING_HIGHPORTS_TCP="no" FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS" FW_SERVICE_AUTODETECT="yes" FW_SERVICE_DNS="no" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="yes" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="yes" FW_FORWARD="" FW_FORWARD_MASQ="" FW_REDIRECT="" FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="no" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" FW_KERNEL_SECURITY="yes" FW_ANTISPOOF="no" FW_STOP_KEEP_ROUTING_STATE="no" FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="no" FW_ALLOW_FW_TRACEROUTE="yes" FW_ALLOW_FW_SOURCEQUENCH="yes" FW_ALLOW_FW_BROADCAST="int" FW_IGNORE_FW_BROADCAST="no" FW_ALLOW_CLASS_ROUTING="no" FW_CUSTOMRULES="" FW_REJECT="no" FW_HTB_TUNE_DEV="ppp0,125" FW_IPv6="" FW_IPv6_REJECT_OUTGOING="yes" FW_IPSEC_TRUST="int" FW_IPSEC_MARK="" FW_LOG=""

My SuSEfirewall-custom: fw_custom_before_masq() { iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A INPUT -i tap+ -j ACCEPT iptables -A FORWARD -i tap+ -j ACCEPT

true }

Best regards, Hans

-- Mit freundlichen Gruessen Andreas