On 11/4/10 3:39 AM, Bart Schaefer wrote:
> On Wed, Nov 3, 2010 at 7:05 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>> You probably are forwarding packets to the other end of the vpn. Does whatever
>> is on the other end have a route back to your 192.168.144.x range through that
>> end of the vpn?
>
> Ah, that may indeed be the problem. I'm a bit rusty with this stuff.
> The CentOS box is doing IP forwarding, but that doesn't mean that it's
> actually acting as a NAT?

No, NAT is something you do in iptables, and if you have done it, the setup is likely to be interface-specific.

> On the far end, 192.168.144.0/255 would
> just use the default route, which is to the gateway for the network to
> which the VPN is connected. There's no explicit route for my LAN
> range.

Quick check is a traceroute from the remote server to a 192.168.144.x address. If it doesn't go into the tunnel interface, you need to add a route for the range via the remote tunnel IP.

>> Connections from the server itself will source from the tunnel
>> address, not the LAN.
>
> Well, yeah, that part I expected. I was presuming the return packets
> would go back to the tunnel address, which would send them to my
> server, which would then NAT them back to the original LAN source; but
> maybe that translation isn't happening where I thought it was.

No, you can NAT at the tun interface, but then the connections only work in one direction. Normally for LAN-LAN connections you want to maintain and route the private ranges and only NAT at the internet gateways.

--
Les Mikesell
lesmikesell at gmail.com
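The check Les describes (does the far end's return path to the LAN range enter the tunnel, or fall through to the default route?) as an added shell example that is not code from the thread; it parses constructed `ip route get` output so it runs offline, and the tunnel interface `tun0`, the peer address `10.8.0.1` and the /24 mask for the 192.168.144.x range are assumed placeholders.

```shell
#!/bin/sh
# Added example: verify that the remote host's route to the LAN behind the
# VPN endpoint goes out the tunnel interface, and print the route to add if
# it does not. Interface name, peer address and mask are assumptions.

LAN_RANGE="192.168.144.0/24"   # assumed /24 for the 192.168.144.x LAN
TUN_IF="tun0"                  # assumed tunnel interface on the far end
TUN_PEER="10.8.0.1"            # assumed tunnel IP of the forwarding CentOS box

# egress_dev: given one line of `ip route get <addr>` output, print the
# interface the kernel would send the packet out of.
egress_dev() {
    # e.g. "192.168.144.10 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 0"
    printf '%s\n' "$1" | awk '{for (i=1;i<NF;i++) if ($i=="dev") {print $(i+1); exit}}'
}

# path_enters_tunnel: exit 0 if the lookup line leaves via $2, 1 otherwise.
path_enters_tunnel() {
    [ "$(egress_dev "$1")" = "$2" ]
}

# suggested_fix: the route the far end is missing, per the thread:
# send the LAN range to the remote tunnel IP through the tunnel interface.
suggested_fix() {
    printf 'ip route add %s via %s dev %s\n' "$1" "$2" "$3"
}

# check_return_path: $1 = `ip route get` output line, $2 = tunnel interface.
check_return_path() {
    if path_enters_tunnel "$1" "$2"; then
        echo "OK: return path to $LAN_RANGE enters $2"
        return 0
    fi
    echo "MISSING: return path uses $(egress_dev "$1"), not $2"
    echo "Add on the remote host: $(suggested_fix "$LAN_RANGE" "$TUN_PEER" "$2")"
    return 1
}

# Constructed sample lookups: what `ip route get 192.168.144.10` might print
# before and after the route is added on the far end.
SAMPLE_DEFAULT="192.168.144.10 via 203.0.113.1 dev eth0 src 203.0.113.20 uid 0"
SAMPLE_TUNNEL="192.168.144.10 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 0"

check_return_path "$SAMPLE_DEFAULT" "$TUN_IF" || true
check_return_path "$SAMPLE_TUNNEL" "$TUN_IF" || true
```

On a live host, replace the sample lines with the output of `ip route get 192.168.144.10` run on the remote server.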