I've upgraded from Debian Woody to Sarge and now am using a 2.6.8 kernel with Openswan and Shorewall. The VPN tunnel works great for all other traffic except ftp. I keep getting this message below. kernel: FTP_NAT: partial packet 2087393185/21 in 787/863 kernel: FTP_NAT: partial packet 2087393185/21 in 788/844 kernel: FTP_NAT: partial packet 2087393185/21 in 789/849 kernel: FTP_NAT: partial packet 2087393185/21 in 790/838 I have both ip_ftp_nat and ip_connectrack_ftp loaded. I am using one-to-one NAT (same as before) to translate the foreign network to a local ip address. I can log into the ftp server but when I try to list the directory it fails in either active or passive modes. The last communication with the ftp server requests the active ports to use. I've seen two links on the web, one that says that their is a conflict between IPSEC and iptables. The other that had a firewall rule on the other end of the tunnel that was preventing the connection. http://lists.shorewall.net/pipermail/shorewall-users/2004-June/012969.html http://msgs.securepoint.com/cgi-bin/get/netfilter-0506/123.html Anyone dealt with anything like this? -- Jeff Rasmussen GPG public key 0x9686C12F