I have succesfully established a ppp link between two offices, from one linux firewall to another. In this scenario FW1 initates the connection to FW2, and the addressing is as follows:

(Workstation) 172.31.254.xxx <---> 172.31.254.1 (FW1 ) 172.31.241.1 <------------------ppp------------------> 172.31.240.1 (FW2) 172.31.244.1 <---> 172.31.244.xxx (Workstation)

After the ppp link is established, my routes on FW1 are as follows:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.31.240.1 * 255.255.255.255 UH 0 0 0 ppp0
174.110.57.0 * 255.255.255.128 U 0 0 0 eth3
172.31.254.0 * 255.255.255.0 U 0 0 0 eth2
169.254.0.0 * 255.255.0.0 U 0 0 0 eth3
default 174.110.57.1 0.0.0.0 UG 0 0 0 eth3

Now, a client (172.31.254.50) on the left network tries to ping the remote firewall at 172.31.240.1 but it never reaches the destination. Similarly, this client can't ping any workstation on the right (172.31.244.50). So I added the route:
route add -net 172.31.241.0 netmask 255.255.255.0 dev ppp0

But still not working..... So, my questions are:

1. What routes do I have to add on FW1 to enable the left network to ping/access the remote firewall (FW2) and remote workstations (172.31.244.x)
2. What routes do I have to add to FW2 to enable the reverse?
3. What is the best place to add these routes so they are added & deleted as the tunnel goes up and down? (eg: in the event of a link failure)

Thanks,
Michelle

To make things more interesting....here more info:

I can ping FW2 (172.31.240.1) from FW1. It correctly routes out FW1's ppp interface (172.31.241.1).

What's strange however, is that a workstation on the left LAN cannot ping FW2. The workstation has 172.31.254.1 (FW1 internal interface) set as its default gateway, but it appears that FW1 is routing the ping from the workstation out the EXTERNAL interface (174.110.57.1) and not out the PPP interface (172.31.241.1). (I can't be sure, but the tracert shows it going to devices not responding to tracert - just like my ISP's network).

Why would the firewall FW1 not route the workstation's ping out the ppp interface? Is this a major bug or something conceptual I'm missing here?

The route to 172.31.240.1 clearly exists in FW1's routing table, yet FW1 is not sending the packets to ppp interface if the come from the left LAN. Ideas?