Hi. I have been trying to setup a few tunnels between two private subnets over the internet. The GW computers should also act as masquerading firewalls for the users on the subnets. The GW computers is running SuSE 8.0. My goals is the following: #1. Allow the users on the subnets to reach each other #2. The GW computers should be able to reach the opposite subnet #3. The GW computers should be able to talk to each other. (Does not *have* to be IPsec, SSH is enough). I have managed to fullfill #1 together with #3, but not without troubles. I had to make minor changes in /etc/init.d/SuSEfirewall2_setup, adding ipsec to the row containing Required-Start: Then I went into yast2, runlevel editor and made a reset of the runlevels. I am sure this could also be done from the cmdline... The reason I did this was because ipsec has to be loaded before the firewall, otherwise it would not load the rules correctly for the ipsec0 interface. The following tunnel was set up in /etc/ipsec.conf on both GW's to get this tunnel to work: ---------------- conn xpfwlsn-xpfwnsn # Subnet to subnet # Left security gateway, subnet behind it, next hop toward right. left=193.193.193.200 leftsubnet=192.168.1.0/24 leftnexthop=193.193.193.193 # Right security gateway, subnet behind it, next hop toward left. right=194.194.194.200 rightsubnet=192.168.3.0/24 rightnexthop=194.194.194.194 # To authorize this connection, but not actually start it, at startup, # uncomment this. #auto=add auto=start ----------------- To manage to fulfill #2 i also added the following tunnels in ipsec.conf: ----------------- conn xpfwlsn-xpfwn # Subnet to gateway # Left security gateway, subnet behind it, next hop toward right. left=193.193.193.200 leftsubnet=192.168.1.0/24 leftnexthop=193.193.193.193 # Right security gateway, subnet behind it, next hop toward left. right=194.194.194.200 # rightsubnet=192.168.3.0/24 rightnexthop=194.194.194.194 # To authorize this connection, but not actually start it, at startup, # uncomment this. #auto=add auto=start conn xpfwl-xpfwnsn # Gateway to subnet # Left security gateway, subnet behind it, next hop toward right. left=193.193.193.200 # leftsubnet=192.168.1.0/24 leftnexthop=193.193.193.193 # Right security gateway, subnet behind it, next hop toward left. right=194.194.194.200 rightsubnet=192.168.3.0/24 rightnexthop=194.194.194.194 # To authorize this connection, but not actually start it, at startup, # uncomment this. #auto=add auto=start ----------------- ... but it does not work. I suspect SuSEfirewall2 to be the reason (or more correctly, my configuration of the firewall). My /etc/sysconfig/SuSEfirewall2 config (only diff's from /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf): ----------------- FW_DEV_EXT="eth0 ipsec0" FW_DEV_INT="eth1" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="eth0" FW_MASQ_NETS="0/0" FW_PROTECT_FROM_INTERNAL="no" FW_AUTOPROTECT_SERVICES="no" FW_SERVICES_EXT_TCP="ssh" FW_SERVICES_EXT_UDP="500" FW_SERVICES_EXT_IP="50" FW_FORWARD="192.168.1.0/24,192.168.3.0/24 192.168.3.0/24,192.168.1.0/24" FW_KERNEL_SECURITY="no" FW_STOP_KEEP_ROUTING_STATE="yes" ----------------- If I ping a computer on subnet 192.168.1.0/24 from the opposite network GW i get this in /var/log/messages on the recieving GW: Jul 3 14:31:42 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=194.194.194.200 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=44295 SEQ=3584 Jul 3 14:31:43 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=194.194.194.200 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=44295 SEQ=3840 How can I get SuSEfirewall2 to allow this traffic? And for #3: When I have enabled the tunnels conn xpfwlsn-xpfwn and xpfwl-xpfwnsn the traffic from GW1 to GW2 is silently dropped. Using snort (sniffer) I can see that the data is encapsulated on ipsec0 but no data is sent on eth0 ! The data between the subnets still flows correctly in the tunnel. I would be very happy for *any* info on this matter. It is driving me crazy... Stefan.