I have 30-odd permanent VPNs running pure IPsec over KLIPS, the Openswan option erroneously called "2.4 kernel" in the Shorewall documentation. It still works way better than NETKEY. Switching over to KLIPS from NETKEY after using it for years solved innumerable problems with workstations not staying connected to the Samba 3.x domain. I only include this bit of info here to avoid people replying to me with "switch over to NETKEY and come out of the dark ages." It's not going to happen.

But now I want to implement L2TP/IPsec, and the Shorewall documentation suffers as regards this configuration, so any help would be appreciated.

Basically, incoming L2TP traffic authenticates fine as regards IPsec, but then there is nothing. dmesg reports martians on interface ipsec0 and xl2tpd never processes the request.

My tunnels file includes a reference to l2tp:

    L2TP   0.0.0.0/0   VPN

So VPN is the gateway zone, and I've got the rules set like so:

    L2TP(REJECT):info   SHAW   $FW
    REJECT              $FW    SHAW   udp   -      1701
    # l2tp over the IPsec VPN
    ACCEPT              VPN    $FW    udp   1701

As I understand it, with KLIPS you don't declare that the zone is ipsec, because the traffic is delivered unencrypted to the kernel from an 'interface' ipsec0. interfaces declares ipsec+ to be part of the VPN zone, so, per the above rule, the $FW system should accept traffic from VPN on udp 1701, but it isn't.
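To check whether the rules lines quoted in the post could themselves be the reason the UDP 1701 packets are not accepted, here is a small first-match evaluator for Shorewall-style rules lines. This is an added example, not Shorewall's own code and not from the original post: it models only ordered first-match evaluation of `ACTION SOURCE DEST PROTO DPORT SPORT` columns, the `ACTION(PARAM):loglevel` syntax, `-`/`all` wildcards, and a single macro table in which `L2TP` is assumed to expand to udp/1701 (that is what Shorewall's shipped macro.L2TP does, but the table here is the example's own assumption). Policies, interface options and the kernel's routing decision are not modelled. The sample rules text is constructed from the three lines in the post.

```python
"""Added example: a simplified evaluator for Shorewall-style rules lines.

Not Shorewall's own code. Models first-match evaluation of
ACTION SOURCE DEST PROTO DPORT SPORT lines, ACTION(PARAM):loglevel,
'-'/'all' wildcards and one macro. Policies, interface options and the
kernel's routing decision are deliberately out of scope.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the L2TP macro matches udp/1701 and uses its parameter as
# the action (as Shorewall's shipped macro.L2TP does). Only this macro
# is modelled.
MACROS = {"L2TP": ("udp", "1701")}

# Constructed sample: the three rules lines from the post, one per line.
SAMPLE_RULES = """\
#ACTION             SOURCE  DEST    PROTO   DPORT   SPORT
L2TP(REJECT):info   SHAW    $FW
REJECT              $FW     SHAW    udp     -       1701
# l2tp over the IPsec VPN
ACCEPT              VPN     $FW     udp     1701
"""

# ACTION column: NAME, optional (PARAM), optional :loglevel
ACTION_RE = re.compile(r"^(\w+)(?:\(([^)]*)\))?(?::(\w+))?$")


@dataclass
class Rule:
    action: str
    log: Optional[str]
    src: str
    dst: str
    proto: str
    dport: str
    sport: str


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rules line; returns None for blank or comment-only lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"too few fields: {line!r}")
    fields += ["-"] * (6 - len(fields))  # omitted trailing columns mean 'any'
    action_field, src, dst, proto, dport, sport = fields[:6]
    m = ACTION_RE.match(action_field)
    if not m:
        raise ValueError(f"bad ACTION column: {action_field!r}")
    name, param, log = m.groups()
    if name in MACROS:
        # A macro fixes protocol and port; its parameter is the real action.
        proto, dport = MACROS[name]
        action = param or "ACCEPT"
    else:
        action = name
    return Rule(action, log, src, dst, proto, dport, sport)


def load_rules(text: str) -> List[Rule]:
    """Parse a whole rules file body into an ordered list of Rule objects."""
    parsed = [parse_rule(l) for l in text.splitlines()]
    return [r for r in parsed if r is not None]


def _wild(field: str, value: str) -> bool:
    """A rule column of '-' or 'all' matches any packet value."""
    return field in ("-", "all") or field == value


def first_match(rules: List[Rule], src: str, dst: str, proto: str,
                dport: str, sport: str = "-") -> Tuple[str, Optional[str]]:
    """Return (action, loglevel) of the first matching rule, or ('POLICY', None)
    when no rule matches and the zone policy would decide."""
    for r in rules:
        if (_wild(r.src, src) and _wild(r.dst, dst) and _wild(r.proto, proto)
                and _wild(r.dport, dport) and _wild(r.sport, sport)):
            return r.action, r.log
    return "POLICY", None


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    for pkt in [("VPN", "$FW", "udp", "1701"), ("SHAW", "$FW", "udp", "1701")]:
        print(pkt, "->", first_match(rules, *pkt))
```

Run against the constructed sample, a packet from zone VPN to $FW on udp/1701 is ACCEPTed by the third line, and the earlier L2TP(REJECT) line only catches traffic from SHAW, so the rules as quoted are not what blocks the packet. The "martian source" messages on ipsec0 are emitted by the kernel's reverse-path check, which drops the packet while routing it, before the INPUT chain that carries this ACCEPT rule is ever consulted; that is the place to look next (the `rp_filter` sysctl for ipsec0, which Shorewall's interfaces `routefilter` option also controls).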