Hi Tom.

Sorry to bother you again with this but I don't want to let this ipsec thing die here... I already read the new ipsec configuration with a tunnel hub and that is what I want to do. Forget the last message, I sent it by mistake.

Ok, my final score is to do a complete tunnel hub between 3 networks, but for now, it is ok with only 2.

My setup:

Host A: Central gateway
  NET: eth0:200.x.x.1
  LOC: dummy0:192.168.200.1/16

Host B:
  NET: eth1:24.x.x.1
  LOC: eth0:192.168.7.0/24

Host C:
  NET: eth1:24.x.x.2
  LOC: eth0:192.168.9.0/24

Before I start dumping my configuration files, I must say that the ipsec is working just fine and I can ping from a computer *inside* the host B to the ip address at dummy0 for the host A.

HOST A:

params:
  LOC_IF=dummy0
  NET_IF=eth0
  NET_OPTIONS=blacklist,tcpflags,routefilter,norfc1918,dropunclean
  VPN_IF=ipsec0

zones:
  loc Local Local
  net Net Internet
  vpn1 VPN1 Remote host 1

interfaces:
  loc $LOC_IF
  net $NET_IF - $NET_OPTIONS
  - $VPN_IF

tunnels:
  ipsec net 24.x.x.1

hosts:
  vpn1 ipsec0:192.168.7.0/24

policy:
  vpn1 loc ACCEPT
  loc vpn1 ACCEPT
  net all DROP INFO
  all all REJECT INFO

HOST B:

params:
  LOC_IF=eth0
  LOC_BCAST=192.168.7.255
  LOC_NET=192.168.7.0/24
  LOC_OPTIONS=dhcp
  NET_IF=eth1
  NET_OPTIONS=dhcp,routefilter,norfc1918,blacklist,tcpflags,dropunclean
  VPN_IF=ipsec0

interfaces:
  net $NET_IF - $NET_OPTIONS
  loc $LOC_IF $LOC_BCAST $LOC_OPTIONS
  vpn $VPN_IF

tunnels
  ipsec net 200.x.x.1

hosts:
  empty

policy:
  loc net ACCEPT
  fw loc ACCEPT
  fw net ACCEPT
  loc vpn ACCEPT
  vpn loc ACCEPT
  net all DROP INFO
  all all REJECT INFO

HOST C:

Same configuration as host B.

Now... with shorewall started I tried to ping to the internal IP at host A from a computer inside the host B. I got a

  Reply from 192.168.200.1: Destination host unreachable.

At the shorewall log at host B I have nothing, but at the log from host A, the one which has the destination IP, I got a

  Jun 16 05:20:33 wintermute kernel: Shorewall:all2all:REJECT:IN=ipsec0 OUT= MAC=00:06:29:39:05:7d:00:d0:d3:3e:56:b8:08:00 SRC=192.168.7.29 DST=192.168.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=55407 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=45568

Any ideas?

-- EOM
Saludos/Regards,
Jorge Molina.
Buenos Aires - Argentina (GMT-3).
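
Added example, not part of the original message: a small Python parser for the Shorewall log line quoted above. It extracts the chain, the disposition and the netfilter hook implied by the IN=/OUT= fields (an empty OUT= means the packet was addressed to the firewall host itself, not forwarded). The function and key names are this example's own, and the second sample line is constructed for contrast.

```python
import re

# Log line quoted in the message (wrapped MAC field rejoined).
QUOTED = ("Jun 16 05:20:33 wintermute kernel: Shorewall:all2all:REJECT:"
          "IN=ipsec0 OUT= MAC=00:06:29:39:05:7d:00:d0:d3:3e:56:b8:08:00 "
          "SRC=192.168.7.29 DST=192.168.200.1 LEN=60 TOS=0x00 PREC=0x00 "
          "TTL=127 ID=55407 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=45568")
# Constructed line (not from the message): same source, forwarded traffic.
CONSTRUCTED = ("Jun 16 05:21:10 wintermute kernel: Shorewall:all2all:REJECT:"
               "IN=ipsec0 OUT=eth0 SRC=192.168.7.29 DST=198.51.100.7 LEN=60 "
               "TOS=0x00 PREC=0x00 TTL=126 ID=55410 PROTO=ICMP TYPE=8 CODE=0 "
               "ID=512 SEQ=45824")

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_shorewall_log(line):
    """Return chain, disposition, hook and addresses, or None if no match."""
    m = PREFIX.search(line)
    if m is None:
        return None
    fields = {}
    for key, value in FIELD.findall(line[m.end():]):
        fields.setdefault(key, value)  # keep the IP header ID, not the ICMP ID
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    if in_if and not out_if:
        hook = "INPUT"      # addressed to the firewall host itself
    elif in_if and out_if:
        hook = "FORWARD"    # routed through the firewall
    elif out_if:
        hook = "OUTPUT"     # generated by the firewall host
    else:
        hook = "UNKNOWN"
    return {"chain": m["chain"], "disposition": m["disposition"], "hook": hook,
            "in_if": in_if, "out_if": out_if, "src": fields.get("SRC"),
            "dst": fields.get("DST"), "proto": fields.get("PROTO")}


if __name__ == "__main__":
    for sample in (QUOTED, CONSTRUCTED):
        rec = parse_shorewall_log(sample)
        print("{chain} {disposition} {hook}: {src} -> {dst} ({proto}) "
              "in={in_if} out={out_if}".format(**rec))
```

For the line in the message the hook is INPUT, so on host A the packet is matched as traffic from vpn1 to the firewall zone (fw), not from vpn1 to loc, and it falls through to the all/all REJECT policy.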