Hi All,

I have a subnet-to-subnet VPN connection like this:

subnet1 10.10.0.0/16
 |
 |
(eth0) 10.10.1.1
 |
linux (SLES10.1)
 |
(eth1) 10.0.0.7
 |
 |
switch <-> 10.1.1.1 <-> DSL Modem <-> Internet
 |
 |
(eth1) 10.0.0.5
 |
linux (SLES10.1)
 |
(eth0) 10.20.1.1
 |
 |
subnet2 10.20.0.0/16

My ipsec.conf looks like this:

#ipsec.conf starts
version 2.0

config setup
    interfaces=%defaultroute

conn %default
    authby=rsasig
    type=tunnel

conn net1-net2
    left=10.0.0.7
    leftsubnet=10.10.0.0/16
    leftid=@left
    leftsourceip=10.10.1.1
    leftrsasigkey=0sAQO...
    leftnexthop=10.1.1.1
    right=10.0.0.5
    rightsubnet=10.20.0.0/16
    rightid=@right
    rightsourceip=10.20.1.1
    rightrsasigkey=0sAQN...
    rightnexthop=10.1.1.1
    auto=start

include /etc/ipsec.d/examples/no_oe.conf
#ipsec.conf ends

I also have SuSEfirewall2, and its configuration looks like this:

FW_DEV_EXT=eth1
FW_DEV_INT=eth0
FW_ROUTE=yes
FW_MASQUERADE=no
FW_SERVICES_EXT_UDP=ipsec-nat-t isakmp
FW_SERVICES_EXT_IP=esp
FW_SERVICES_INT_UDP=ipsec-nat-t isakmp
FW_SERVICES_INT_IP=esp
FW_FORWARD=10.10.0.0/16,10.20.0.0/16,,,ipsec /
10.20.0.0/16,10.10.0.0/16,,,ipsec #for left
FW_ALLOW_CLASS_ROUTING=yes
FW_IPSEC_TRUST=int

I think my VPN connection works correctly:

#ipsec auto --status
"net1-net2": 10.10.0.0/16===10.0.0.7[@left.domain]---10.1.1.1...10.1.1.1---10.0.0.5[@right.domain]===10.20.0.0/16; erouted; eroute owner: #4

My problem is:
I cannot ping "10.1.1.1" from a subnet machine (for example 10.10.1.2), so I cannot connect to the internet from the subnets.

When I use masquerading:

FW_MASQUERADE=yes
FW_MASQ_NETS=10.10.0.0/16 #for left

my VPN connection dies, but I have an internet connection. For example:
- I cannot ping "10.20.1.2" from "10.10.1.2"
- I can ping "10.20.1.1" from "10.10.1.2"
- I can ping "10.20.1.1" from "10.10.1.1"
- I can ping "10.1.1.1" from "10.10.1.2"

How can I handle this? Should I turn off masquerading and use squid?

Any suggestions?

Thanks a lot..
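Added example (not part of the original post, and not SuSEfirewall2 or Openswan code): a small model of what the nat POSTROUTING chain does to forwarded packets on the left gateway. On the Linux native IPsec stack the NAT table is traversed before the kernel's IPsec policy lookup, so a packet that MASQUERADE has rewritten to 10.0.0.7 no longer matches the 10.10.0.0/16 <-> 10.20.0.0/16 policy and leaves in the clear instead of through the tunnel. The model compares the rule set that FW_MASQ_NETS=10.10.0.0/16 amounts to (masquerade everything from subnet1) with the usual remedy, an ACCEPT rule for the tunnel's source/destination pair placed ahead of MASQUERADE. The addresses are the ones from the post except 198.51.100.10, a constructed internet host; the rule sets and the iptables command in the comment are my assumption of what is needed, not something the post states.

```python
"""Model of NAT vs. IPsec policy on the post's left gateway (added example).

Constructed to mirror the post's topology: packets from 10.10.0.0/16 are
forwarded by the left gateway (eth1 = 10.0.0.7), run through nat POSTROUTING,
and only then get the IPsec policy lookup. Whatever MASQUERADE rewrites to
10.0.0.7 no longer matches the 10.10/16 <-> 10.20/16 policy.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

LEFT_SUBNET = ip_network("10.10.0.0/16")
RIGHT_SUBNET = ip_network("10.20.0.0/16")
LEFT_EXT = ip_address("10.0.0.7")    # left gateway eth1, the masquerade address
RIGHT_EXT = ip_address("10.0.0.5")   # right gateway eth1, tunnel endpoint
DEFAULT_GW = ip_address("10.1.1.1")  # leftnexthop / default route


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class NatRule:
    """One nat POSTROUTING rule: -s src -d dst -j target."""
    target: str                                   # "ACCEPT" or "MASQUERADE"
    src: IPv4Network = ip_network("0.0.0.0/0")
    dst: IPv4Network = ip_network("0.0.0.0/0")

    def matches(self, p: Packet) -> bool:
        return p.src in self.src and p.dst in self.dst


def postrouting(p: Packet, rules) -> Packet:
    """Walk the chain in order; the first matching terminating rule wins."""
    for r in rules:
        if not r.matches(p):
            continue
        if r.target == "ACCEPT":
            return p                          # leave the chain, packet untouched
        if r.target == "MASQUERADE":
            return replace(p, src=LEFT_EXT)   # source rewritten to eth1 address
    return p                                  # chain policy ACCEPT


def xfrm_lookup(p: Packet) -> str:
    """Kernel IPsec policy: only 10.10/16 -> 10.20/16 is covered by the SA."""
    if p.src in LEFT_SUBNET and p.dst in RIGHT_SUBNET:
        return f"esp tunnel {LEFT_EXT}->{RIGHT_EXT}"
    return f"clear text via {DEFAULT_GW}"


def forward(p: Packet, rules):
    """Return (packet after NAT, path the kernel picks for it)."""
    after_nat = postrouting(p, rules)
    return after_nat, xfrm_lookup(after_nat)


# What FW_MASQUERADE=yes with FW_MASQ_NETS=10.10.0.0/16 boils down to.
MASQ_ONLY = [NatRule("MASQUERADE", LEFT_SUBNET)]

# Assumed fix: exempt tunnel traffic *before* the masquerade rule, i.e.
#   iptables -t nat -I POSTROUTING -s 10.10.0.0/16 -d 10.20.0.0/16 -j ACCEPT
MASQ_WITH_VPN_EXEMPT = [
    NatRule("ACCEPT", LEFT_SUBNET, RIGHT_SUBNET),
    NatRule("MASQUERADE", LEFT_SUBNET),
]

# Constructed test packets: the ping from the post, and one to the internet.
VPN_PING = Packet(ip_address("10.10.1.2"), ip_address("10.20.1.2"))
INTERNET = Packet(ip_address("10.10.1.2"), ip_address("198.51.100.10"))

if __name__ == "__main__":
    for name, rules in (("masq only", MASQ_ONLY),
                        ("masq + vpn exempt", MASQ_WITH_VPN_EXEMPT)):
        for p in (VPN_PING, INTERNET):
            out, path = forward(p, rules)
            print(f"{name:18} {p.src}->{p.dst}: src now {out.src}, {path}")
```

With MASQ_ONLY the ping to 10.20.1.2 leaves as 10.0.0.7->10.20.1.2 in clear text, which is the "VPN dies" symptom; with the ACCEPT rule in front of MASQUERADE it keeps its 10.10.1.2 source and goes through the tunnel, while traffic to the internet is still masqueraded. In SuSEfirewall2 one place to add such a rule is the fw_custom_before_masq hook in /etc/sysconfig/scripts/SuSEfirewall2-custom (with FW_CUSTOMRULES pointing at that file), which runs before the masquerade rules are installed.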