I want to connect two branch offices with an IPsec tunnel through the internet. In both branches I have an Ubuntu server with two NICs. One NIC is connected to the internet with a static public IP and the other is connected to the branch office LAN. Both Ubuntu server gateways use Shorewall for firewall configuration. One is 8.04 and the other is 7.10.
I have configured ipsec-tools, racoon and Shorewall following the document http://www.shorewall.net/3.0/IPSEC-2.6.html
My scenario is:
Network A:
Private net 172.25.11.0/24
Net A gateway 172.25.11.201
Public internet IP: xxx.xxx.xxx.xxx

Network B:
Private net 192.168.0.0/24
Net B Gateway 192.168.0.2
Public internet IP: yyy.yyy.yyy.yyy

The problem is: the IPsec connection is working and I can ping the net B gateway from any machine in net A and vice versa, but I can't reach any other IP in the remote private net. From one network I can access the other branch office server, but all other devices connected to that network are unreachable.

My config files are:

Side A:

/etc/ipsec-tools.conf
# setkey SPD for side A (LAN 172.25.11.0/24 behind public IP xxx.xxx.xxx.xxx).
# Every entry requires ESP in tunnel mode between the two public IPs; the
# same eight selectors appear on side B with in/out swapped.
# NOTE(review): "-P in" entries must also cover packets this gateway forwards
# on to its LAN; on Linux setkey is expected to install a matching "fwd" entry
# for each "in" entry -- confirm with `setkey -DP` that both are present.
# NOTE(review): these selectors already cover LAN-to-LAN traffic, so the
# reported symptom (only the remote gateway is reachable) is more likely to
# come from the forwarding path that is not shown here: the Shorewall
# zone/policy allowing loc <-> vpn, the masq exclusion for the remote net
# described in the referenced document, and the LAN hosts' route to
# 192.168.0.0/24 via this gateway -- verify those first.
flush;
spdflush;
# Inbound (tunnel yyy -> xxx): remote LAN / remote gateway -> local LAN / local gateway.
spdadd 192.168.0.0/24 172.25.11.0/24 any -P in ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
spdadd 192.168.0.0/24 xxx.xxx.xxx.xxx/32 any -P in ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
spdadd yyy.yyy.yyy.yyy/32 xxx.xxx.xxx.xxx/32 any -P in ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
spdadd yyy.yyy.yyy.yyy/32 172.25.11.0/24 any -P in ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
# Outbound (tunnel xxx -> yyy): local LAN / local gateway -> remote LAN / remote gateway.
spdadd 172.25.11.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
spdadd 172.25.11.0/24 yyy.yyy.yyy.yyy/32 any -P out ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
spdadd xxx.xxx.xxx.xxx/32 192.168.0.0/24 any -P out ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
spdadd xxx.xxx.xxx.xxx/32 yyy.yyy.yyy.yyy/32 any -P out ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;

/etc/racoon/racoon.conf
# racoon (IKEv1) configuration for side A; the peer is yyy.yyy.yyy.yyy.
# Pre-shared keys are read from this file; keep it readable by root only
# (mode 0600) -- racoon rejects a PSK file with more permissive modes.
path pre_shared_key "/etc/racoon/psk.txt";
# Log level; raise to "debug" only while troubleshooting the negotiation.
log notify;

# Bind the IKE listener to the public address only.
listen
{
isakmp xxx.xxx.xxx.xxx;
# Fail at startup instead of silently skipping an address that cannot be bound.
strict_address;
}
# Phase 1 (ISAKMP SA) with the side B gateway: main mode, PSK, no certificates.
# The peer must offer an identical proposal.
remote yyy.yyy.yyy.yyy
{
exchange_mode main;
# No certificate request / certificate is exchanged; PSK authentication only.
send_cr off;
send_cert off;
proposal {
# NOTE(review): blowfish, sha1 and dh_group 2 (1024-bit MODP) are dated
# choices; AES, SHA-2 and a larger DH group are preferable where both peers
# support them. Changing one side alone will break phase 1.
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

# Phase 2 (IPsec SA) parameters, one sainfo per SPD selector pair above.
# Offering both hmac_sha1 and hmac_md5 lets the peer settle on MD5; drop
# hmac_md5 once both sides agree. "deflate" enables IPComp.
sainfo address 172.25.11.0/24 any address 192.168.0.0/24 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}

# Local gateway -> remote LAN.
sainfo address xxx.xxx.xxx.xxx/32 any address 192.168.0.0/24 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}

# Gateway -> gateway.
sainfo address xxx.xxx.xxx.xxx/32 any address yyy.yyy.yyy.yyy/32 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}

# Local LAN -> remote gateway.
sainfo address 172.25.11.0/24 any address yyy.yyy.yyy.yyy/32 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}


Side B:

/etc/ipsec-tools.conf
# setkey SPD for side B (LAN 192.168.0.0/24 behind public IP yyy.yyy.yyy.yyy).
# Mirror of side A: the same eight selectors with in/out swapped, ESP in
# tunnel mode between the two public IPs.
# NOTE(review): "-P in" entries must also cover packets this gateway forwards
# on to its LAN; on Linux setkey is expected to install a matching "fwd" entry
# for each "in" entry -- confirm with `setkey -DP` that both are present.
# NOTE(review): as on side A, the Shorewall loc <-> vpn policy, the masq
# exclusion for 172.25.11.0/24 and the LAN hosts' route to that net via this
# gateway are not shown and are the first things to verify for the symptom.
flush;
spdflush;
# Outbound (tunnel yyy -> xxx): local LAN / local gateway -> remote LAN / remote gateway.
spdadd 192.168.0.0/24 172.25.11.0/24 any -P out ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
spdadd 192.168.0.0/24 xxx.xxx.xxx.xxx/32 any -P out ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
spdadd yyy.yyy.yyy.yyy/32 xxx.xxx.xxx.xxx/32 any -P out ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
spdadd yyy.yyy.yyy.yyy/32 172.25.11.0/24 any -P out ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
# Inbound (tunnel xxx -> yyy): remote LAN / remote gateway -> local LAN / local gateway.
spdadd 172.25.11.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
spdadd 172.25.11.0/24 yyy.yyy.yyy.yyy/32 any -P in ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
spdadd xxx.xxx.xxx.xxx/32 192.168.0.0/24 any -P in ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
spdadd xxx.xxx.xxx.xxx/32 yyy.yyy.yyy.yyy/32 any -P in ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;


/etc/racoon/racoon.conf
# racoon (IKEv1) configuration for side B; the peer is xxx.xxx.xxx.xxx.
# Pre-shared keys are read from this file; keep it readable by root only
# (mode 0600) -- racoon rejects a PSK file with more permissive modes. The
# key for xxx.xxx.xxx.xxx must match the one side A holds for yyy.yyy.yyy.yyy.
path pre_shared_key "/etc/racoon/psk.txt";
# Log level; raise to "debug" only while troubleshooting the negotiation.
log notify;

# Bind the IKE listener to the public address only.
listen
{
isakmp yyy.yyy.yyy.yyy;
# Fail at startup instead of silently skipping an address that cannot be bound.
strict_address;
}

# Phase 1 (ISAKMP SA) with the side A gateway; identical proposal to side A,
# as phase 1 requires.
remote xxx.xxx.xxx.xxx
{
exchange_mode main;
# No certificate request / certificate is exchanged; PSK authentication only.
send_cr off;
send_cert off;
proposal {
# NOTE(review): blowfish, sha1 and dh_group 2 (1024-bit MODP) are dated
# choices; AES, SHA-2 and a larger DH group are preferable where both peers
# support them. Change both sides together.
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
# Phase 2 (IPsec SA) parameters, one sainfo per SPD selector pair above
# (the address pairs are the reverse of side A's sainfo entries).
# Offering both hmac_sha1 and hmac_md5 lets the peer settle on MD5; drop
# hmac_md5 once both sides agree. "deflate" enables IPComp.
sainfo address 192.168.0.0/24 any address 172.25.11.0/24 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}

# Local gateway -> remote LAN.
sainfo address yyy.yyy.yyy.yyy/32 any address 172.25.11.0/24 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}

# Gateway -> gateway.
sainfo address yyy.yyy.yyy.yyy/32 any address xxx.xxx.xxx.xxx/32 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}

# Local LAN -> remote gateway.
sainfo address 192.168.0.0/24 any address xxx.xxx.xxx.xxx/32 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}