I gather this is your configuration: mobile IPsec client -- (10.1.1.201)m0n0wall(192.168.1.1?) -- LAN without hubs or switches anywhere; please correct me if I'm wrong.

Stupid questions:
- Have you confirmed that the LAN clients can ping the external client's external IP?
- How are you checking whether packets hit the LAN? Are you running a sniffer (something like Ethereal) on the LAN client?
- When you hit the m0n0wall's webgui from the WAN interface, are you doing so via an encrypted tunnel to m0n0's internal IP, or over a regular IP connection to the external IP?
- You showed us the system log; what do the m0n0wall's firewall logs show?

-klode

On Mar 29, 2005 1:22 PM, Tony <m0n0wall at switchout dot com> wrote:
>
> Yes, I've tried that with no luck either.
>
> Regards,
> Tony
>
> > Since it is a test on your own switch you can use any real IP address
> > on the WAN without any problems. Have you tried to do that?
> >
> > sai
> >
> > On Tue, 29 Mar 2005 00:17:57 -0800 (PST), Tony <m0n0wall at switchout dot com> wrote:
> >> Hello,
> >>
> >> Following are my IPSEC configs for "Mobile Clients"
> >>
> >> Phase 1 proposal (Authentication)
> >> ---------------------------------
> >> Negotiation Mode = aggressive
> >> My Identifier = My IP address
> >> Encryption algorithm = SHA1
> >> DH Key group = 2
> >>
> >> Phase 2 proposal (SA/Key Exchange)
> >> ----------------------------------
> >> Protocol = ESP
> >> Encryption algorithms = 3DES
> >> Hash algorithms = SHA1
> >> PFS key group = 2
> >>
> >> 10.1.1.200 = laptop connected to the same switch as m0n0wall's WAN interface
> >> 10.1.1.201 = m0n0wall's WAN interface
> >>