VPN issue

Hi Guys,

We have recently set up a 3-way VPN: one HQ and 2 branches. Two sites are configured with NBN and Fibre 400; one site is on ADSL2+. The IPsec VPN between the NBN site and the Fibre 400 site is working fine, but the ADSL2+ site shows that the VPN is configured and online, yet it is not able to ping any IP either way. Any idea why?


Ajoy Rajan (Managed Service Consultant) asked:

noci (Software Engineer) commented:
Any logging available?
(IPsec has two parts: 1 = IKE main phase (key setup), 2 = the tunnel: Quick Mode (the real tunnel).)

You probably also need to setup routes to the tunnels. (depends on hardware in use though).
John (Business Consultant, Owner) commented:
For the non-working tunnel, are the subnets different?  You need to do this.

For site-to-site, make sure MAIN mode is ON (not Aggressive).
Look at NAT Traversal. It may need to be ON for the non-working tunnel. Try this both ways.
Fred Marshall (Principal) commented:
Not being able to ping first suggests a routing problem and, perhaps, a Windows firewall problem:

If the VPN devices are separate from the gateway device at each site:
The remote gateway must direct traffic back to its own local VPN device IP.
If the gateway and the VPN device are the same, then this is generally not necessary as the device "knows" how to route packets internal to itself.
(Not a problem for incoming traffic).

If the gateway and the VPN device are separate and the gateway has something like stateful packet inspection on the LAN side, then this may have to be changed because return packets only go through the gateway and there will be no known "state".

Windows Firewall can block PING except on the local subnet. So the scope for PING or ECHO has to include the remote subnet, or at least the pinging computer on that subnet.
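As an added example (not posted by anyone in this thread), the script below runs the configuration checks John and noci describe (non-overlapping LAN subnets, IKE main mode rather than aggressive, NAT traversal agreed at both ends) across a constructed three-site mesh like the one in the question. The subnet values, IKE modes and NAT flags are assumed sample data, not the asker's real configuration.

```python
import ipaddress

# Constructed sample data: three sites modelled on the thread (HQ, NBN branch,
# ADSL2+ branch). The ADSL site is deliberately given the faults being discussed.
SITES = {
    "HQ-fibre400": {"lan": "10.10.0.0/24", "ike_mode": "main", "nat_t": True, "behind_nat": False},
    "Branch-NBN":  {"lan": "10.20.0.0/24", "ike_mode": "main", "nat_t": True, "behind_nat": False},
    "Branch-ADSL": {"lan": "10.10.0.0/24", "ike_mode": "aggressive", "nat_t": False, "behind_nat": True},
}


def check_tunnel(name_a, a, name_b, b):
    """Return a list of findings for the site-to-site tunnel between a and b."""
    findings = []
    net_a = ipaddress.ip_network(a["lan"])
    net_b = ipaddress.ip_network(b["lan"])

    # Overlapping LANs: traffic for the remote side is treated as local and never
    # enters the tunnel, so the tunnel shows "up" but nothing pings.
    if net_a.overlaps(net_b):
        findings.append(f"LAN overlap: {name_a} {net_a} overlaps {name_b} {net_b}; subnets must differ")

    # Site-to-site tunnels should negotiate IKE phase 1 in main mode.
    for name, site in ((name_a, a), (name_b, b)):
        if site["ike_mode"] != "main":
            findings.append(f"IKE mode: {name} uses {site['ike_mode']} mode; use main mode for site-to-site")

    # NAT traversal must be set the same at both ends, and enabled when either
    # peer sits behind NAT (typical for a consumer ADSL router).
    if a["nat_t"] != b["nat_t"]:
        findings.append(f"NAT-T mismatch between {name_a} and {name_b}; set it the same at both ends")
    if (a["behind_nat"] or b["behind_nat"]) and not (a["nat_t"] and b["nat_t"]):
        findings.append(f"NAT-T required: a peer of {name_a}/{name_b} is behind NAT but NAT-T is off")
    return findings


def check_mesh(sites):
    """Check every pair of sites; returns {(site_a, site_b): [findings]}."""
    results = {}
    names = sorted(sites)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            results[(x, y)] = check_tunnel(x, sites[x], y, sites[y])
    return results


if __name__ == "__main__":
    for pair, findings in check_mesh(SITES).items():
        print(f"{pair[0]} <-> {pair[1]}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

The working NBN/Fibre 400 tunnel reports no findings, while each tunnel involving the ADSL site lists the overlap, mode and NAT-T problems to look at first.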
Ajoy Rajan (Managed Service Consultant), author, commented:
The settings in the router were all there. I just had to restart the routers. I was then able to ping all sites without any issues.
