Hi!

I have a suse 9.2 running and enabled with NAT/MASQUERADE.
It has two network cards:

1) External (on the internet)
2) Local Network

My computer (windows) on my LAN has no trouble accessing ANY services
on any other hosts both internally and externally.

The rules in the iptables-firewall are very simple. In effect they block all
incoming except established and related + allow everything from inside
outwards and NATs.

When I try to connect the windows-machine to the other VPN-peer I get an
indication on both the (external) VPN-box and my windows saying that IKE
handshake is ok and a tunnel is in fact up and running. The VPN-Box logs
also say that it's discovered NAT "on the other side" (my windows that is).

The problem is that I can't ping the other side even though the tunnel is up.

This leads me to think that ESP is not handled correctly by my local linux firewall.

If I connect the windows PC onto internet I have no problem at all pinging
and generally connecting to the "other side" of the VPN-peer.

Thus my question is:

What would my iptables-rules be in order to make the ESP-traffic work.

I've also read that if NAT is in the picture there will be UDP-encapsulation of
traffic. Could this be a problem?

I've read through various vpn-howtos and ipsec-howtos, trying out different
firewall rules with no success.

The involved equipment is:

Netscreen 5XP (VPN-box at work)
Windows 2000 with Netscreen software.
SuSE linux 9.2 (NAT).

Hope to hear from you guys!

This is a general "issue" with VPN access - you need to have a static NAT for your Windows box, and permit esp and GRE to that box from outside (at least from the VPN server on the other side).
Regards,
Boris.

Aha - So I have to nat ESP (and maybe AH) inwards too?

Thanks I'll give it a try!