VPN, Part II - Right Side BEHIND a Cisco PIX NAT/Masq.
Okay, I've got leg one of the IPSEC VPN up with SuSE 7.3. Public and many thanks to Nadeem Hasan. :-)

What was stopping me at the last was that SuSEfirewall2's config file (/etc/rc.config.d/firewall2.rc.config) had two external interfaces defined (eth0 and ipsec0). Specifically:

    FW_DEV_EXT="eth0 ipsec0"

A bit later on in the config, I declared the interface to masquerade on as the variable $FW_DEV_EXT, which meant both eth0 and ipsec0 were being masqueraded. ipsec0 can NOT be masqueraded! It confuses the heck out of IPSEC. :-) Specifically, what I had was:

    FW_MASQ_DEV="$FW_DEV_EXT"

What it should have been, and now is:

    FW_MASQ_DEV="eth0"

Okay, on to my current dilemma. Everything up to now has been a testbed between two SuSE 7.3 machines running SuSEfirewall2 version 2.1 and FreeS/WAN 1.91. Both the left and right machines had an external address that actually lived on the internet. Now I need to connect in a 'right side' that lives masqueraded behind a Cisco PIX firewall, but it is 1:1 bound with a live internet IP. Specifically: address a.b.c.d is bound to internal address 10.100.0.26. Or, in more detail, eth0 on this new machine is:

    IP:   10.100.0.26
    Mask: 255.255.255.0
    GW:   10.100.0.1

So on the right side's ipsec.conf, what I'm thinking of using is:

    rightid=@rightid
    right=10.100.0.26
    rightsubnet=10.100.0.0/24
    rightupdown=/usr/lib/ipsec/_updown_custom
    rightrsasigkey=[snipped]
    auto=start

On the left machine is where this becomes problematic... I'll bet I need to define the right side differently there, using the external address instead of 10.100.0.26, since that's meaningless to the outside world. Something like:

    rightid=@rightid
    right=a.b.c.d
    rightsubnet=10.100.0.0/24
    rightupdown=/usr/lib/ipsec/_updown_custom
    rightrsasigkey=[snipped]
    auto=start

Have I understood this correctly? Comments? Thoughts? Am I in for a world of hurt here? :-) (Okay, that one's a given.)

Argentium
Argentium G. Tiger
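The masquerade mistake described in the post (FW_MASQ_DEV="$FW_DEV_EXT" silently pulling ipsec0 into the masquerade set) is easy to reintroduce because the variable reference looks harmless until the rc.config file is sourced. The following is an added example, not code from the original post or from SuSEfirewall2: a small POSIX sh check that sources a firewall2.rc.config fragment in a subshell (the same way the firewall script reads it, so "$FW_DEV_EXT" expands exactly as it would at firewall start) and fails if any ipsec* interface would end up masqueraded. The two sample config files are constructed to mirror the broken and the corrected settings from the post; the function name check_masq and the temp-file handling are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or SuSEfirewall2): verify that no
# ipsec* interface lands in SuSEfirewall2's masquerade device list.

# check_masq CONFIG_FILE
# Sources the rc.config fragment in a subshell, the same way SuSEfirewall2 reads
# it, so a FW_MASQ_DEV="$FW_DEV_EXT" reference expands to the real device list.
# Returns 1 (and names the offenders on stderr) if any ipsec* interface would be
# masqueraded, 0 otherwise.
check_masq() {
    effective=$(. "$1" >/dev/null 2>&1; printf '%s' "$FW_MASQ_DEV")
    bad=
    for dev in $effective; do
        case $dev in
            ipsec*) bad="$bad $dev" ;;
        esac
    done
    if [ -n "$bad" ]; then
        echo "$1: masquerading IPsec interface(s):$bad (FW_MASQ_DEV expands to '$effective')" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the setting the post says broke IPsec.
BROKEN_CFG=$(mktemp)
cat >"$BROKEN_CFG" <<'EOF'
FW_DEV_EXT="eth0 ipsec0"
FW_MASQ_DEV="$FW_DEV_EXT"
EOF

# Constructed sample: the corrected setting from the post.
FIXED_CFG=$(mktemp)
cat >"$FIXED_CFG" <<'EOF'
FW_DEV_EXT="eth0 ipsec0"
FW_MASQ_DEV="eth0"
EOF

# Stand-alone run: report both files, keep going on failure.
for f in "$BROKEN_CFG" "$FIXED_CFG"; do
    check_masq "$f" && echo "$f: ok"
done
```

To confirm the running box, rather than the file, agrees with this, look at the out-interface column of the NAT table after the firewall has started: `iptables -t nat -L POSTROUTING -v -n` should show the MASQUERADE rule against eth0 only, with no rule whose out-interface is ipsec0.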