Hi,

I have setup a site-to-site ipsec VPN between an SG720 (HQ 192.168.0.75/24) and a Draytek 2820n (MDs home 10.90.0.1/24). VPN is up for 4.5hrs fine.

If I ping the draytek from here in the office I can see it fine. I can even access it's UI etc. However if I ping his PC I get nothing. I have remoted onto his PC (via internet, not VPN) and checked his firewall. No issues there.

If I ping my office pc (192.168.0.15) from his draytek (10.90.0.1), it pings fine. If I ping my office pc, from his pc (10.90.0.10) I get nothing. Why can the draytek see my PC, but his PC behind it can't?

This is the first time I have setup a site-to-site. Should I be doing something else to ensure 192.168.0.0/24 can talk to 10.90.0.0/24 ok?

Sounds like you may have a one way only VPN (configuration settings on both or one of the devices set to NAT instead of ROUTE)

Take a look at this thread http://www.forum.draytek.co.uk/viewtopic.php?t=14442

asimm.it wrote: Sounds like you may have a one way only VPN (configuration settings on both or one of the devices set to NAT instead of ROUTE)

Take a look at this thread http://www.forum.draytek.co.uk/viewtopic.php?t=14442

Thanks for your response Lee.

The remote Draytek is setup as "route".

If I run a trace root from my PC here in HQ (192.168.0.210) over the VPN to the MD's PC (10.90.0.10) it stops at his 2820n (10.90.0.1). It would seem traffic is being routed fine out of HQ, it's just not getting passed on by the 2820n.

Code:

C:\>tracert 10.90.0.10 Tracing route to 10.90.0.10 over a maximum of 30 hops 1 <1 ms <1 ms <1 ms 192.168.0.75 2 385 ms 398 ms 443 ms 10.90.0.1 3 * * * Request timed out. 4 * * * Request timed out. 5 * * * Request timed out. 6 * * * Request timed out. 7 * * * Request timed out. 8 * * ^C C:\>

is the md's pc ip set dynamically by the 2820n or does he have a static ip assignment on the network.

check your routing table on both routers to see if the other side of the VPN's network is present in the routers routing table.

check the 2820n arp cache and make sure that the md's pc is visible there.

temporarily disable any desktop firewalls (windows firewall, plus there might be another firewall present with an antivirus solution) and re-test.

I note that your ping response times are suffering from latency, is there a considerable distance between the hq & md sites?

I've had to set up static routes on machines that need to back to a remote site.

For example, if the IP address of the router on the HQ LAN is 192.168.0.150, in a cmd prompt on your PC:

route add 10.90.0.0 mask 255.255.255.0 192.168.0.150 /p

This tells your machine that any traffic for the HQ network needs to go back via 192.168.0.150

Hope this helps,
Steve