[Users] forwarding between tunnels
From: Tim Cross <tcross(at)cinedavis.com>
Date: Mon Oct 13 2003 - 11:38:32 EDT
Three Linux (RH9) boxes, with a router in between two of them (cheesy ASCII diagram to follow shortly). I've got a tunnel running between eth1 on A and eth1 on B that works fine, and a tunnel running between eth0 on B and eth0 on C that also works fine. Unfortunately, I can't communicate between A and C. Here's the promised cheesy ASCII diagram:

(internal network, including outside world connections)
<->
Machine A
Machine B
Machine C

If Conn 2 is down, i.e., unencrypted commo between Machine B and Machine C, I can ping from A to C and back just fine, and it's encrypted between A and B. However, when I bring up Conn 2, I get encrypted commo between B and C, and I continue to get encrypted commo between A and B, but A and C can no longer see each other.

Routing is dirt simple, and I think I'm doing it right or I wouldn't be moving the merchandise between the two pairs of neighboring machines. What I'm looking for is that the encrypted goodies come flying out of Conn 2 into Machine B, get re-encrypted for Conn 1, and then passed along to Machine A. And vice versa. But that doesn't appear to be happening. What am I doing stupid?

Because of the way this network is likely to scale up when it hits the real world, I'm not eager to have connections between Machine A and Machine C, since there could eventually be a boatload of Machine C's hanging off a smaller boatload of Machine B's.

I'm happy to send cuts and pastes from ipsec.conf, route output, barf output, etc., but I thought I'd start with English and see if there's anything obvious that my betters might be able to point out to me. Many thanks for any tips anyone can offer. If you want the gory details posted, let me know.

Oh, yeah, FreeSWAN 2.01, very vanilla connections (RSA in ipsec.secrets), trying to keep the whole thing simple, doncha know. And forwarding is on (and proxy_arp on, and rp_filter off) everywhere. Otherwise the non-encrypted wouldn't work. And static IPs everywhere, hallelujah.

Tim

--
Tim Cross
Cinedavis GmbH
Bergstrasse 31
Dresden 01069
+49 (0)351/422 6313
tcross@cinedavis.com

_______________________________________________
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

Received on Mon Oct 13 11:51:09 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:05 EDT