Got it.

On 08/29/13 10:44 pm, Lewis G Rosenthal thus wrote :
> Hi, Scott... Thanks for the quick reply.
>
> On 08/29/13 08:13 pm, Scott Edwards thus wrote :
>> You can enable forwarding via echo 1 > /proc/sys/net/ipv4/ip_forward
>> (or something like that, I'm a road warrior right now, no linux box in
>> sight)
>>
> Indeed, this is how I did it, as well as:
>
> echo 1 > /proc/sys/net/ipv4/ppp0/ip_forward
>
> (and ensuring the ipv4/eth0/ip_forward was present)
>

Under openSUSE 12.3 (as guest), I ensured that /proc/sys/net/ipv4/ip_forward was enabled, as was /proc/sys/net/ipv4/conf/all/forwarding (which ensures that when ppp0 is created, forwarding is enabled on that interface).

>> As for masquerading, that may be necessary, as Cisco is more strict on
>> the IPsec VPN tunnel. The ACL that directs traffic to the VPN is also
>> responsible for dropping traffic that does not match. The only way to
>> be rather flexible with that, is to do IPsec over GRE, but this
>> clashes with your design needs on a few different angles.
>>
> Yes.
>
>> If the Linux host has success communicating to the IPsec peer, then it
>> should be able to say,
>> iptables -A OUTPUT -o ppp0 -j MASQUERADE
>>
> I think this is where I fell short somehow. I believe I entered this as
> a POSTROUTING rule; perhaps that was my error vs OUTPUT (see
> http://www.tldp.org/HOWTO/html_single/Masquerading-Simple-HOWTO/ per the
> dial-up connection summary). I did not NAT it, however (as mentioned in
> the example). Hmmm...
>

Yep.
Got it:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

(this can be saved across boot sessions by using, e.g., /etc/sysconfig/scripts/SuSEfirewall2-custom)

Then, in the host (and I tested this under eComStation, too, as it's quite simple):

route add -net <remote_protected_subnet> netmask <netmask_of_remote_protected_subnet> gw <local_IP_or_FQDN_of_guest>

or, for eComStation (OS/2):

route add -net <remote_protected_subnet> <local_IP_or_FQDN_of_guest> -netmask <netmask_of_remote_protected_subnet>

Done! Thanks for kicking this around with me, Scott.

Cheers
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, RTRP, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
Need a managed Wi-Fi hotspot? www.hautspot.com
Warpstock 2013 - Atlanta, GA - Oct 4-6 www.warpstock.org
visit my IT blog www.2rosenthals.net/wordpress
-------------------------------------------------------------
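As an added example that is not part of the thread (not Lewis's or Scott's code): a POSIX shell script collecting the guest-side setup described above, tightened a step beyond the messages by filtering FORWARD so that only the host's LAN reaches the remote protected subnet through ppp0 and by masquerading only that traffic, plus a helper that prints the host route in both the Linux and eComStation forms. Interface names, subnets and the guest address are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Linux guest forwarding the host's LAN
# into the remote protected subnet reached over the IPsec tunnel on ppp0.
# All interface names and subnets are placeholders; set them to your own.
LAN_IF="${LAN_IF:-eth0}"                  # interface facing the host / LAN
VPN_IF="${VPN_IF:-ppp0}"                  # VPN tunnel interface on the guest
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # constructed: host-side LAN
REMOTE_NET="${REMOTE_NET:-10.10.0.0/16}"  # constructed: remote protected subnet

# Commands for the guest. Unlike the bare MASQUERADE rule in the thread, the
# FORWARD rules permit only LAN -> remote traffic (and its replies) through
# the tunnel, and NAT is applied only to packets sourced from the LAN.
gateway_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.forwarding=1
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $REMOTE_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $VPN_IF -j DROP
iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
EOF
}
# Run the commands on the guest (needs root); never called automatically.
apply_gateway() { gateway_commands | sh -e; }

# Prefix length (0-32) to dotted netmask, e.g. 16 -> 255.255.0.0.
cidr_to_netmask() {
    mask=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    printf '%d.%d.%d.%d\n' $(( mask >> 24 & 255 )) $(( mask >> 16 & 255 )) \
        $(( mask >> 8 & 255 )) $(( mask & 255 ))
}

# Route line for the host, in the Linux and eComStation forms from the thread.
host_route_command() {   # $1 = "linux" or "ecs", $2 = guest IP or FQDN
    net="${REMOTE_NET%/*}"; nm="$(cidr_to_netmask "${REMOTE_NET#*/}")"
    case "$1" in
        linux) printf 'route add -net %s netmask %s gw %s\n' "$net" "$nm" "$2" ;;
        ecs)   printf 'route add -net %s %s -netmask %s\n' "$net" "$2" "$nm" ;;
        *)     echo "unknown host type: $1" >&2; return 1 ;;
    esac
}

# Check that forwarding is on for the guest as a whole and for the tunnel.
forwarding_enabled() {
    for f in /proc/sys/net/ipv4/ip_forward \
             /proc/sys/net/ipv4/conf/all/forwarding \
             /proc/sys/net/ipv4/conf/$VPN_IF/forwarding; do
        [ -r "$f" ] && [ "$(cat "$f")" = 1 ] || return 1
    done
}
```

Review the output of gateway_commands before running apply_gateway; forwarding_enabled can then confirm the sysctl side took effect once ppp0 exists.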