I think you just answered your own question ...
> Well, they look like
> route add -net 192.168.1.0/24 gw 10.10.1.1 # gw is IP of cipe-interface
> route add -net 192.168.3.0/24 gw 10.10.3.1 # gw is IP of cipe-interface
> Does that make any difference?
You have no rule for forwarding to 10.10.anything, so it's probably
masquerading, and then things work out but not in (dest behind the router).
Why did you set up the CIPE on a different network? My machines run the
same IP for both; again, this simplifies your firewall rules, hence the
ones I gave you. You probably need to add a rule like:
ipchains -A forward -b -s 192.168.0.0/16 -d 10.10.0.0/16 -j ACCEPT
Under your current scheme, traffic directed to 10.10.* gets masq'd.
I think the firewall code must be looking at where the packet came from
and where it is going on the next hop, not its final destination. Just
a guess, because this does not seem correct to me.
Unless there is something I'm not aware of (and it works for me), I'd
make my internal ethernet address the same as my CIPE one. There are
also advantages there in the event the tunnel is down. Eliminates the
need for dummy interfaces, and simplifies your ruleset.
Keith Smith keith,AT,ksmith,DOT,com
655 W Fremont Dr
Tempe AZ 85282 it's hot
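The following is an added example, not code from the thread or from CIPE/ipchains: a small model of how an ipchains forward chain evaluates rules (first match wins, a rule given with -b also matches the reversed source/destination pair, the chain policy applies when nothing matches). It shows why a LAN host talking to the remote CIPE endpoint falls through to masquerading when no rule covers 10.10.0.0/16, why unsolicited traffic back from 10.10.0.0/16 is refused, and the ordering caveat a practitioner would check: the suggested rule is given with -A, which appends it, so if an existing catch-all MASQ rule precedes it the outbound direction is still masqueraded, and the rule has to be inserted ahead of the MASQ rule instead. The "existing" ruleset, the LAN host address 192.168.1.5, and the peer endpoint 10.10.3.1 are assumptions for the demonstration; the thread does not show the earlier rules.

```python
"""Toy model of ipchains forward-chain matching.

Written for this page to illustrate the thread's point; it is not kernel
code.  Semantics modelled: first matching rule decides, a rule with -b also
matches with source and destination swapped, and the chain policy applies
when no rule matches.  The "existing" ruleset below is assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str             # -s network
    dst: str             # -d network
    target: str          # -j target
    bidir: bool = False  # -b: also match with src and dst swapped

    def matches(self, src_ip, dst_ip):
        s = ipaddress.ip_network(self.src)
        d = ipaddress.ip_network(self.dst)
        if src_ip in s and dst_ip in d:
            return True
        return self.bidir and src_ip in d and dst_ip in s


def forward_verdict(rules, src, dst, policy="DENY"):
    """Return the target of the first matching rule, else the chain policy."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.target
    return policy


# Assumed existing ruleset (not from the thread): internal-to-internal is
# accepted, everything else leaving the LAN is masqueraded.
EXISTING = [
    Rule("192.168.0.0/16", "192.168.0.0/16", "ACCEPT", bidir=True),
    Rule("192.168.0.0/16", "0.0.0.0/0", "MASQ"),
]

# The rule suggested in the reply:
#   ipchains -A forward -b -s 192.168.0.0/16 -d 10.10.0.0/16 -j ACCEPT
CIPE_RULE = Rule("192.168.0.0/16", "10.10.0.0/16", "ACCEPT", bidir=True)

APPENDED = EXISTING + [CIPE_RULE]   # -A: lands after the MASQ rule
INSERTED = [CIPE_RULE] + EXISTING   # -I forward 1: placed ahead of it


def demo(lan_host="192.168.1.5", cipe_peer="10.10.3.1"):
    """Verdicts for LAN host -> CIPE peer and CIPE peer -> LAN host.

    Addresses are assumed sample values, not taken from the thread.
    """
    out = {}
    for name, rules in (("existing", EXISTING),
                        ("appended", APPENDED),
                        ("inserted", INSERTED)):
        out[name] = (forward_verdict(rules, lan_host, cipe_peer),
                     forward_verdict(rules, cipe_peer, lan_host))
    return out


if __name__ == "__main__":
    for name, (to_peer, from_peer) in demo().items():
        print(f"{name:9s} LAN->CIPE: {to_peer:6s} CIPE->LAN: {from_peer}")
```

Under the assumed rules the outbound packet to 10.10.3.1 hits MASQ and the reverse direction hits the DENY policy, matching the "out but not in" symptom; appending the new rule only fixes the reverse direction because the MASQ rule still matches first, and only inserting it ahead of the MASQ rule gives ACCEPT both ways. Ordinary LAN-to-LAN traffic (for instance to 192.168.3.7) is unaffected by the insertion.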