Quoting Les Mikesell <lesmikesell@xxxxxxxxx>:

>> I've just run into one interesting problem with this approach. Seems that
>> Netfilter is getting confused or something... Or at least I wasn't able
>> to make a usable config.
>
> Does ifconfig show the GRE tunnel as a PTP interface or something with
> a reasonable netmask? If something is trying to figure out how to
> access it, you might want to make it look like a 4-host subnet
> (netmask 255.255.255.252) using the 2 usable addresses for the
> endpoints.

Well, after some debugging, the problem seems to be that Netfilter is not
placing returning packets into established state for direct connections
between VPN gateways (public addresses, those that should not go through
GRE tunnel, just IPSec encrypted).

If I use private interface addresses of VPN gateways (so that packets go
through GRE tunnel, and then IPSec), things seem to work OK. However, I
still need to do some additional testing.

Have you seen something like that before?