Hi, I have what I believe is a routing problem.

First of all, I have a site-to-site IPsec VPN up and running as follows:

Site 1 LAN subnet: 192.168.x.0/24
Site 2 LAN subnet: 192.168.y.0/24

192.168.x.0/24 <-> m0n0wall-1 <-(Internet)-> m0n0wall-2 <-> 192.168.y.0/24

It works. The VPN setups are to join the 192.168.x.0 network with the 192.168.y.0 network and vice versa.

Now, I want to introduce another gateway, so that I can monitor and control traffic. I tried this unsuccessfully as follows:

192.168.x.0/24 <-> [(192.168.z.0/24 = eth0) gateway (192.168.z.0/24 = eth1)] <-> m0n0wall-1 <-(Internet)-> m0n0wall-2 <-> 192.168.y.0/24

The internal LAN of m0n0wall-1 was put on the 192.168.z.0 subnet, and the m0n0wall-2 IPsec VPN was changed to have the remote subnet be 192.168.z.0. A static route on m0n0wall-1 was added to use the gateway eth1 IP (192.168.z.20) as the gateway for Site 1 LAN subnet traffic (192.168.x.0/24).

Once configured, I could log onto a host at Site 1 and ping through to hosts at Site 2. But from Site 2, I could not ping hosts on the Site 1 subnet. I could, however, ping the new gateway eth1 IP address (192.168.z.20) from Site 2. I could also log onto the m0n0wall-1 web interface and ping from the LAN interface to any host at Site 1.

Can anybody suggest what is wrong?

Note: I will be unable to test out any corrective action until some weeks in the future, as I am dependent on work being done outside of normal business hours. The window for this is on some, but not all, Sunday mornings.

Thanks!