Sorry guys, totally dead brain today... ;-)

Ports are udp/500 (isakmp); the protocol is 50 if using ESP and 51 if using AH (this is optional, at least for me). What about FW_ROUTE="yes"? Other comments inline.

Regards from Germany,
Philipp

J J wrote:
--- SNIP ---
> This is an extract from my current /etc/sysconfig/SuSEfirewall2...
>
> FW_QUICKMODE="no"
> FW_DEV_EXT="ppp0"

I think you have to put ipsec0 here in EXT as well!

> FW_DEV_INT="eth0 ipsec0"
> FW_DEV_DMZ=""
> FW_ROUTE="no"

Should be "yes".

> FW_MASQUERADE="no"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS=""
> FW_PROTECT_FROM_INTERNAL="no"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="smtp ssh"
> FW_SERVICES_EXT_UDP="isakmp"
> FW_SERVICES_EXT_IP="esp ah"
>
> Anyway, I made a small amount of extra progress, at least in the way of ruling out problems. I decided to try connecting from the "jellybean" gateway itself to the "Bookman" LAN by creating adjusted entries in ipsec.conf, and succeeded. Basically it worked right out of the box; I just removed the leftsubnet declarations on both sides. Now the gateway can ping all the servers on the "Bookman" LAN and vice versa. This isn't the long-term solution, but it does at least show that the boxes will talk to each other and send IPsec traffic correctly.
>
> Plus I toyed with the latest rdesktop, and maybe I can persuade people to use that instead of Win 2k boxes with the MSTSC client anyway! :) (ha!)
>
> But I'm still not sure why the SuSE 8.2 box is misbehaving and dropping my packets. Do you have any idea how I switch on debugging in the kernel routing code?
-- SNIP --

You know that there is a problem pinging the VPN gateway machine itself? There is a trick (documented in a c't magazine article some days ago) to implement iptables rules to route these ICMP messages as well, simply to "test the connection".

HTH,
Philipp
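As an added example (not code from this thread), a small POSIX sh checker that sources a SuSEfirewall2 config and reports the points raised in the reply: ipsec0 listed in FW_DEV_EXT, FW_ROUTE="yes", isakmp open on UDP, and esp/ah allowed via FW_SERVICES_EXT_IP. The function names and the two constructed sample configs (the one as posted and a corrected one) are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a SuSEfirewall2 config for an IPsec gateway.
# The config is plain shell assignments, so it is sourced in a subshell.
# Usage: check_ipsec_fw /path/to/SuSEfirewall2   (returns 0 when all checks pass)

has_word() {  # has_word "space separated list" word
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

check_ipsec_fw() {
    (
        . "$1" || exit 2          # load the FW_* variables (give a full path)
        rc=0
        # the tunnel device must be treated as external as well
        has_word "$FW_DEV_EXT" ipsec0 || { echo "FW_DEV_EXT: add ipsec0"; rc=1; }
        # traffic between the two LANs is forwarded, so routing must be on
        [ "$FW_ROUTE" = "yes" ] || { echo "FW_ROUTE: should be \"yes\""; rc=1; }
        # IKE negotiation is isakmp, udp/500
        has_word "$FW_SERVICES_EXT_UDP" isakmp || { echo "FW_SERVICES_EXT_UDP: add isakmp (udp/500)"; rc=1; }
        # tunnel payload is IP protocol 50 (ESP); 51 (AH) is optional, so only a note
        has_word "$FW_SERVICES_EXT_IP" esp || { echo "FW_SERVICES_EXT_IP: add esp (protocol 50)"; rc=1; }
        has_word "$FW_SERVICES_EXT_IP" ah || echo "note: ah (protocol 51) not allowed, optional"
        exit $rc
    )
}

# Constructed sample config: write_sample "yes|no" "ext devices" -> prints the file path
write_sample() {
    f=$(mktemp) || exit 2
    cat > "$f" <<EOF
FW_DEV_EXT="$2"
FW_DEV_INT="eth0 ipsec0"
FW_ROUTE="$1"
FW_SERVICES_EXT_TCP="smtp ssh"
FW_SERVICES_EXT_UDP="isakmp"
FW_SERVICES_EXT_IP="esp ah"
EOF
    echo "$f"
}

BEFORE=$(write_sample no "ppp0")           # as posted: two problems, returns 1
AFTER=$(write_sample yes "ppp0 ipsec0")    # corrected: returns 0
echo "--- as posted ---";  check_ipsec_fw "$BEFORE" || echo "(checks failed)"
echo "--- corrected ---";  check_ipsec_fw "$AFTER"  || echo "(checks failed)"
rm -f "$BEFORE" "$AFTER"
```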