On Wed, 2006-11-29 at 16:02 -0500, Jeffrey Ross wrote:
> Tom,
>
> he's using a supernet/CIDR block/classless (or whatever you want to call
> it) addressing, his valid range would be from 192.168.128.1 through
> 192.168.135.254 so yes his gateway exists on his network.
>

Hi Jeffrey,

Oops! You're right. I thought I saw 255.255.255.248 instead of 255.255.248.0 like he has. Thanks for the correction. :)

This problem reminds me of one I had when I upgraded from FC3 to FC5 on one of my Linux systems that functions as a VPN router. I preserved all of the settings, but after the upgrade I was getting the same kind of "Destination unreachable" when I tried to configure the VPN.

To make a long story short, there were two things wrong. First, I needed to tweak the SELinux settings to allow traffic across the VPN. Second, and this is the one that really threw me for a loop, I needed to adjust the following line in my iptables firewall script from:

    $IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

to:

    $IPTABLES -A POSTROUTING -t nat -o $EXTIF -s $INTLAN -d \! 192.168.0.0/16 -j MASQUERADE

The "-d \! 192.168.0.0/16" was required to keep the VPN packets from being masqueraded to all of the other class C networks with which I have VPNs established. Why it changed from FC3 to FC5 is beyond me, but it took me a while to find out what was really causing the problem.

By the way, I noticed you asked him to execute "arp -a" and post the output. For the record, I saw I was getting a lot of "who has..." messages from arp requests that were never being answered when I turned on tcpdump and watched for a while.

I'm wondering if Michael is having a similar problem to what I had. If so, he may want to take a look at his SELinux log (if he has it enabled) as well as his iptables rules.

Tom
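
Added example (not part of Tom's message or his firewall script): a small Python model of the two POSTROUTING rules quoted above, showing which packets each one would masquerade. The values used for $EXTIF and $INTLAN and the sample packets are constructed, and it assumes VPN-bound traffic leaves through $EXTIF.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

EXTIF = "eth0"               # assumed value of $EXTIF
INTLAN = "192.168.1.0/24"    # assumed value of $INTLAN


@dataclass
class MasqRule:
    """One `-t nat -A POSTROUTING ... -j MASQUERADE` rule (match fields only)."""
    out_iface: str                  # -o
    src: Optional[str] = None       # -s
    not_dst: Optional[str] = None   # -d \! net (current iptables spells it: ! -d net)

    def matches(self, out_iface: str, src: str, dst: str) -> bool:
        if out_iface != self.out_iface:
            return False
        if self.src and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if self.not_dst and ipaddress.ip_address(dst) in ipaddress.ip_network(self.not_dst):
            return False
        return True


OLD_RULE = MasqRule(EXTIF)
NEW_RULE = MasqRule(EXTIF, src=INTLAN, not_dst="192.168.0.0/16")

# Constructed packets: (label, outgoing interface, source, destination)
PACKETS = [
    ("LAN -> internet", EXTIF, "192.168.1.10", "203.0.113.7"),
    ("LAN -> remote VPN LAN", EXTIF, "192.168.1.10", "192.168.20.5"),
    ("router -> internet", EXTIF, "198.51.100.2", "203.0.113.7"),
]


def nat_decisions(rule: MasqRule) -> dict:
    """Map each sample packet label to True if the rule would masquerade it."""
    return {label: rule.matches(iface, src, dst) for label, iface, src, dst in PACKETS}


if __name__ == "__main__":
    for name, rule in (("old", OLD_RULE), ("new", NEW_RULE)):
        for label, hit in nat_decisions(rule).items():
            print(f"{name:3} rule  {label:22} {'MASQUERADE' if hit else 'source kept'}")
```

Under the old rule the VPN-bound packet has its source rewritten to the external address, so the remote network no longer sees it as coming from the internal LAN; the new rule leaves it untouched. The new rule also skips router-originated traffic, which already carries the external address.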