the two ends of the tunnel need to be able to see one another under
normal conditions. So 10.x.x.x is not accessible to the internet.
Your tunnel should resemble this (using your diagram as a base):
(10.200.0.0/24) <----> (10.200.0.1) IPSEC-Server (Internet Address) <---- IPSEC Tunnel ----> (Internet Address) Local-m0n0wall (Local-IP) <---> (Local-IP Range)
Local IP and local IP range are whatever you want that matches the
"local subnet" type that you set when building the tunnel, e.g. this can
be an OPT network, the LAN, your wifi, etc.
Some gotchas:
1.) If either end of the tunnel has the same (or can locally route to the
same) network segment as the other end uses, you may not get your
packets where you want them. Either write a NAT rule, or renumber one
of the networks.
2.) Make sure you have your shared keys correct. If this is a site-to-site
(many-many) IPSEC tunnel then you can forego the "pre-shared keys" tab.
3.) Only select the encryption algorithms that will be used on both
ends. Adding extra protocols slows things down and may cause the tunnel to fail.
4.) If it doesn't work consult the log on the m0n0wall to see why.
(Remember Cisco uses a proprietary Auth system and will not work with
much less than another Cisco firewall.)
You will also need to add a rule on the WAN interface allowing ESP from
the IP address of the IPSEC-Server in the diagram.
fisch wrote:
>hi,
>I don't understand the ipsec-setup. I have this situation
>I want to connect an opt-network to an external ipsec-Server.
>
>(10.200.0.0/24) <-> ipsec-Server (10.200.0.1) <-> Internet <-> m0n0wall (WAN)
>
>I added a new NIC (OPT4), on that NIC 5 clients are connected. These
>clients should be part of the external network (10.200.0.0/24) behind the
>ipsec-Server (Win2003Server, I have no admin-rights for that).
>
>How do I have to configure the OPT4-Device and ipsec at m0n0wall?
>thanks
>fisch
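A small pre-flight check for gotchas 1 and 3 from the reply above, added here as an illustration and not part of the thread or of m0n0wall itself. It assumes the remote side is the thread's 10.200.0.0/24 and uses a constructed 192.168.4.0/24 for the OPT4 segment; the proposal strings are just labels, not m0n0wall's own names.

```python
import ipaddress

# Constructed sample values: the remote network is the one behind the
# ipsec-Server in the thread; the OPT4 segment is an assumed prefix.
REMOTE_NETS = ["10.200.0.0/24"]
OPT4_NETS = ["192.168.4.0/24"]


def overlapping_subnets(local_nets, remote_nets):
    """Gotcha 1: return (local, remote) pairs whose address ranges overlap.

    Packets for an overlapping prefix are delivered on the local segment
    and never enter the tunnel, so the peer's hosts appear unreachable.
    """
    pairs = []
    for local in local_nets:
        for remote in remote_nets:
            ln = ipaddress.ip_network(local, strict=False)
            rn = ipaddress.ip_network(remote, strict=False)
            if ln.overlaps(rn):
                pairs.append((str(ln), str(rn)))
    return pairs


def common_proposals(local_props, remote_props):
    """Gotcha 3: only proposals offered by both ends can be negotiated.

    Returns the shared proposals in the local side's preference order;
    an empty list means phase negotiation can never succeed.
    """
    remote = set(remote_props)
    return [p for p in local_props if p in remote]


def check_tunnel(local_nets, remote_nets, local_props, remote_props):
    """Collect the configuration problems a m0n0wall log would otherwise show."""
    problems = []
    for local, remote in overlapping_subnets(local_nets, remote_nets):
        problems.append(f"overlap: local {local} vs remote {remote}; NAT or renumber")
    if not common_proposals(local_props, remote_props):
        problems.append("no proposal in common; trim both ends to the same set")
    return problems


if __name__ == "__main__":
    # Healthy layout from the thread: distinct prefixes, one shared proposal.
    print(check_tunnel(OPT4_NETS, REMOTE_NETS, ["aes128/sha1/dh2"], ["aes128/sha1/dh2"]))
    # Broken layout: OPT4 numbered inside the remote /24, proposals disjoint.
    print(check_tunnel(["10.200.0.0/25"], REMOTE_NETS, ["aes256/sha1/dh5"], ["3des/md5/dh2"]))
```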