RV042 inserting bogus route on VPN gateway

I cannot determine where destination route 10.50.0.0/24 to 10.40.0.1 on LAN interface (ixp0) is coming from. There were some static routes to VPN networks which were not necessary; I deleted them. After I deleted static routes the routing table looked good and I was able to ping all VPN LAN gateways. Thought I had it made, then tried to access printer in 10.50.0.0/24 network from 10.40.0.0/24 network, could not connect. Returned to router and saw route 10.50.0.0/24 to 10.40.0.1 had been injected. Don't have a clue where it came from.
Anyone have this issue?
xxx.16.200.72    255.255.255.252  xxx.16.200.74    0   ixp2
xxx.16.200.72    255.255.255.252                   40  ixp2
xxx.16.200.72    255.255.255.252                   45  ipsec1
xxx.172.122.192  255.255.255.224  xxx.172.122.210  0   ixp1
xxx.172.122.192  255.255.255.224                   40  ixp1
xxx.172.122.192  255.255.255.224                   45  ipsec0
10.70.0.0        255.255.255.0    xxx.172.122.193  10  ipsec0
10.50.0.0        255.255.255.0    10.40.0.1        2   ixp0
10.50.0.0        255.255.255.0    xxx.16.200.73    10  ipsec1
10.60.0.0        255.255.255.0    xxx.172.122.193  10  ipsec0
10.40.0.0        255.255.255.0    10.40.0.2        0   ixp0
10.40.0.0        255.255.255.0                     50  ixp0
default          0.0.0.0          xxx.172.122.193  15  ixp1
default          0.0.0.0          xxx.16.200.73    40  ixp2
default          0.0.0.0          xxx.172.122.193  40  ixp1

Problem resolved.
Apparently router does not do a good job on cleaning up routing table when changes are made.
Reboot of router cleaned up the routes and was able to ping all VPN LAN gateways.
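
A check for the condition described in this thread, as an added example that is not part of the original posts: it parses a routing table in the five-column layout shown above and reports any VPN subnet whose tunnel route is missing or is outranked by a route on another interface. The WAN addresses are constructed documentation-range stand-ins for the redacted `xxx` values, the `EXPECTED_TUNNELS` map is an assumption read off the ipsec rows, and the script assumes the lower metric is preferred.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: Optional[str]   # None when the gateway column is empty
    metric: int
    iface: str


# Constructed sample: same shape as the table in the post, with the redacted
# WAN addresses replaced by documentation ranges (198.51.100.x, 203.0.113.x).
SAMPLE_TABLE = """\
198.51.100.72  255.255.255.252  198.51.100.74  0   ixp2
198.51.100.72  255.255.255.252                 40  ixp2
198.51.100.72  255.255.255.252                 45  ipsec1
203.0.113.192  255.255.255.224  203.0.113.210  0   ixp1
203.0.113.192  255.255.255.224                 40  ixp1
203.0.113.192  255.255.255.224                 45  ipsec0
10.70.0.0      255.255.255.0    203.0.113.193  10  ipsec0
10.50.0.0      255.255.255.0    10.40.0.1      2   ixp0
10.50.0.0      255.255.255.0    198.51.100.73  10  ipsec1
10.60.0.0      255.255.255.0    203.0.113.193  10  ipsec0
10.40.0.0      255.255.255.0    10.40.0.2      0   ixp0
10.40.0.0      255.255.255.0                   50  ixp0
default        0.0.0.0          203.0.113.193  15  ixp1
default        0.0.0.0          198.51.100.73  40  ixp2
default        0.0.0.0          203.0.113.193  40  ixp1
"""

# Assumption: which tunnel interface should carry each remote VPN subnet.
EXPECTED_TUNNELS = {
    "10.50.0.0/24": "ipsec1",
    "10.60.0.0/24": "ipsec0",
    "10.70.0.0/24": "ipsec0",
}


def parse_routes(text):
    """Parse rows of: destination, mask, [gateway], metric, interface."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) not in (4, 5):
            continue  # not a route row
        if fields[0] == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
        gateway = fields[2] if len(fields) == 5 else None
        routes.append(Route(net, gateway, int(fields[-2]), fields[-1]))
    return routes


def find_shadowed_tunnels(routes, expected):
    """Return (cidr, kind, route) findings for each expected tunnel subnet.

    kind is "missing" (no tunnel route at all), "shadowed" (same prefix on
    another interface with an equal or lower metric) or "more-specific"
    (a longer prefix inside the subnet that leaves via another interface).
    """
    findings = []
    for cidr, tunnel_if in expected.items():
        subnet = ipaddress.ip_network(cidr)
        covering = [r for r in routes if r.net.subnet_of(subnet)]
        tunnel_metrics = [r.metric for r in covering
                          if r.net == subnet and r.iface == tunnel_if]
        if not tunnel_metrics:
            findings.append((cidr, "missing", None))
            continue
        for r in covering:
            if r.iface == tunnel_if:
                continue
            if r.net != subnet:
                findings.append((cidr, "more-specific", r))
            elif r.metric <= min(tunnel_metrics):
                findings.append((cidr, "shadowed", r))
    return findings


if __name__ == "__main__":
    for cidr, kind, route in find_shadowed_tunnels(parse_routes(SAMPLE_TABLE),
                                                   EXPECTED_TUNNELS):
        detail = "" if route is None else (
            f" via {route.gateway} metric {route.metric} on {route.iface}")
        print(f"{cidr}: {kind}{detail}")
```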

Similar Messages

  • Linksys RV042 QuickVPN to router issues

    Hi
    Any help with this issue is greatly appreciated as I have been stuck on this for a couple of days now, this is my first time posting to a forum... I have setup VPN connections before but only through packages such as openswan & openvpn not through such a device.
    My VPN router is connected directly to an ADSL modem, directly behind the RV042 I have placed my test machine on port 1 both Wan1 & port 1 show as Green (active).
    Modem...
    DHCP enabled
    local IP: 10.1.1.1
    The VPN has...
    Wan1: 10.1.1.2
    Lan1: 10.222.43.1
    Test machine...
    IP address: 10.222.43.100
    I have been given two Linksys RV042 devices to setup as VPN end point/connections from one LAN to another.
    However before I do this I have been testing the setup of a test machine (Laptop Windows 7 professional & also tried XP professional with exactly the same results) to the VPN router device. I have configured the router with the basic setup as described in the step-by-step guide / pdf and setup a test user & one tunnel I have left every thing as default and only changed what is necessary.
    I have generated a certificate for the server and distributed a client certificate to my client machine and installed in the "C:\Program Files (x86)\Linksys\Linksys VPN Client\" directory (as I understand I can simply download to this location and its installed for the client).
    The above is a run down of the steps listed in the setup guide provided on the CD, every time I try to connect to the server I get the following error message.
    Failed to establish a connection.This could be caused by one of the following:1. Incorrect password.2. No valid IP for the network card.3. Incorrect server address.4. You may need to disable your Windows firewall.5. Local IP address conflicts with the subnet of remote VPN server.
    1. I know my password is correct
    2. I am not sure what "No valid IP for the network card" means though I am able to get access to the internet through the modem on my test laptop and have access to the web interface of the RV042 so I assume that my IP is valid?
    3. I know the server address is correct I have tried both internal address of the RV042 and the wan1 address of the RV042
    4. I get exactly the same error message whether the firewall is turned on or off on either of the XP or 7 machines.
    5. This is the one that I am confused about, there are no machines connected so I am unsure how there could be a conflict. however just to make sure I have changed the IP of the laptop to one outside of the range allocated to the tunnel, and I still get the same error message.
    I have checked the log file of the server "system log" and this is what I get it appears that the server actually accepts the connection from what I can make of this series of messages.
    Jan 22 10:32:04 2010         Connection Accepted         TCP 10.222.43.100:3374->209.46.39.47:443 on ixp1
    Jan 22 10:32:32 2010        Connection Accepted        ICMP type 8 code 0 10.1.1.2->10.1.1.1 on ixp1
    Jan 22 10:33:44 2010         Authentication Success         HTTP Basic authentication succeeded for user: test
    The log file on the local machine however shows that there is an error though it just says "Failed to connect" so  I am very confused about where the issue lies.
    2010/01/22 11:46:13 [STATUS]OS Version: Windows XP
    2010/01/22 11:46:13 [STATUS]Windows Firewall is OFF
    2010/01/22 11:46:13 [STATUS]One network interface detected with IP address 10.222.43.100
    2010/01/22 11:46:13 [STATUS]Connecting...
    2010/01/22 11:46:13 [STATUS]Connecting to remote gateway with IP address: 10.1.1.2
    2010/01/22 11:46:14 [STATUS]Remote gateway was reached by https ...
    2010/01/22 11:46:14 [STATUS]Remote gateway was reached by https ...
    2010/01/22 11:46:14 [WARNING]Failed to connect!
    Thanks for reading and thanks in advance for any help provided.
    JC

    Hi SamirDarji
    Thank you for your reply to my post. This mostly gives me a solution to work with, however I have now been faced with another issue. I am now supposed to synchronize with an ADSL modem / router / vpn / firewall in another location for which is a different brand. From what I can see is that I have the same settings available on both RV042 and the other device. My question is... now I have setup all vpn devices, I am confused about how to connect / test the devices. The two RV042 devices have a test connection button under vpn summary for the tunnel but neither of them appear to connect (it just cycles through and never connects). Initially I thought that the devices may not be able to see each other as the two RV042 devices are behind a firewall / modem however I have put the vpn RV042 routers on the dmz of the test networks behind their gateway modems. The ADSL modem / router / vpn / firewall device on the live network is the gateway as well, this device has the firewall disabled (the firewall job is passed down the chain to a few special purpose firewall devices before the core switches) would this affect the vpn?
    thanks again
    JC

  • VPN Gateway with traffic filtering

    I am working in the lab on a small scale setup in which client PC establishes an IPSEC VPN with a Cisco 1921 Router, I have two questions in this regard.
    (1) For wireless client PCs, is using an IPSEC VPN Client the best possible option or should I prefer other options? The wireless clients also use Radius server for authentication.
    (2) I want to ensure that no other traffic can access or pass the LAN interface other than the Client VPN traffic, what do I need to configure on the Router to ensure that no other traffic can pass other than the VPN traffic.

    First: The actual IPsec VPN client is the AnyConnect. The VPN gateway-config for AnyConnect (especially for IPsec) on the IOS-router is much harder than it is on the ASA. If you still have the possibility to change the gateways, then go for an ASA. It's also much cheaper from a license perspective as there is no AnyConnect Essentials License for the router. The traditional Cisco VPN Client is EOL and you shouldn't start a new deployment based on that.
    Your questions:
    (1) All VPN-Users have to be authenticated somehow. Sending the authentication-request to a central directory is a best-practice and usually done with RADIUS. Additionally to the authentication you can also perform an authorization to control which rights a VPN-user gets.
    (2) If you only want to allow IPsec-traffic, you need to configure an access-list, with permits for UDP/500, UDP/4500 and IP/50 to your router-IP. With that config, all other traffic will be dropped.

  • Cisco 827 with Intel VPN Gateway

    Have a simple question, but I can get to the solution, so I'm posting it here.
    I have one Cisco 827 router and an old Intel 3110 VPN Gateway (and firewall) behind the cisco router. The scenario is this:
    internet <--> Cisco 827 <--> Intel 3310 <--> LAN
    Cisco 827 ethernet ip: 10.0.0.1
    Intel 3110 ethernet 1 (insecure network): 10.0.0.2
    Intel 3110 ethernet 0 (secure network): 192.168.0.250
    lan: 192.168.0.250

    Hi jacampanini,
    Maybe u try and post your question too... ;-)
    Regards,
    Sebastian

  • Vpn gateway changed cannot load apps

    how to reset my config on apple server that let me only download from the old vpn gateway
    got now a new vpn gateway the apps did not install or update from the new config
    how to reset?

    Well it means that the account that is set up in iTunes is not the same as the one that bought the apps.
    To correct this in iTunes go to the store menu and select "Authorise This Computer", enter your account details and everything should work now.

  • Route based VPN ?

    Hi all,
    Are there any Cisco gears supporting route-based vpn (not GRE over IPSec) ?

    Same problem here. Just works on Snow Leopard. Now I have to use a Windows virtual machine to connect to Linux based PPTP VPN. It is a shame.
    I noticed that I can ping and SSH to the VPN server machine. In my case, the local IP address for that machine is 192.168.41.6. I can ping it and SSH it.
    MacBook-de-Daniel:~ daniel$ ping -c 4 192.168.41.6
    PING 192.168.41.6 (192.168.41.6): 56 data bytes
    64 bytes from 192.168.41.6: icmp_seq=0 ttl=64 time=262.643 ms
    64 bytes from 192.168.41.6: icmp_seq=1 ttl=64 time=320.283 ms
    64 bytes from 192.168.41.6: icmp_seq=2 ttl=64 time=258.763 ms
    64 bytes from 192.168.41.6: icmp_seq=3 ttl=64 time=271.596 ms
    --- 192.168.41.6 ping statistics ---
    4 packets transmitted, 4 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 258.763/278.321/320.283/24.670 ms
    However, I am not able to ping or SSH or anything to any IP address in the 192.168.41.0 network (that is the network I am connecting to through VPN). This works perfectly on Snow Leopard. For example:
    MacBook-de-Daniel:~ daniel$ ping -c 4 192.168.41.20
    PING 192.168.41.20 (192.168.41.20): 56 data bytes
    Request timeout for icmp_seq 0
    36 bytes from 190.223.188.1: Communication prohibited by filter
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
    4  5  00 5400 f68e   0 0000  3d  01 ea46 172.16.7.7  192.168.41.20
    Request timeout for icmp_seq 1
    Request timeout for icmp_seq 2
    --- 192.168.41.20 ping statistics ---
    4 packets transmitted, 0 packets received, 100.0% packet loss
    I don't know how to solve this situation in Lion. It is upsetting. Please Apple, solve it. Or tell us how to solve it. Thanks.

  • ASA does not propagate routes to VPN users

    Good afternoon
    I'm having an issue regarding the propagation of routes to VPN users that authenticate through the asa tunnel-group.
    I have a VPN-Users-Pool from where my users receive their IP address, and after authentication and the tunnel is established the idea is for the user to get to the following networks defined in the following ACL:
    access-list Inside standard permit 10.1.0.0 255.255.0.0
    access-list Inside standard permit 192.168.15.0 255.255.224.0
    Now the problem is that after the tunnel is established the only route the user receives is the default route (which is not supposed to be sent). The user does not receive the specified routes in the ACL above. He also does not receive the netmask and assumes a /8 netmask (given that the network pool from where he is receiving the IP is a class A network).
    The network routing is working as expected (when I add the static routes directly to the user's PC, everything works OK). It's just the issue of the ASA not propagating the routes as it should.
    Here are my split tunneling settings:
    group-policy DefaultRAGroup attributes
    vpn-idle-timeout 1
    vpn-tunnel-protocol l2tp-ipsec
    pfs disable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    group-policy DfltGrpPolicy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    Any ideas?
    I appreciate your help
    Best regards

    ajaychauhan
    Thank you for your reply. I'm sending the config below (I've cleared all confidential info such as IPs, passwords, timeout values, etc, but I think what you have below is enough to get a clear picture):
    ASA Version 8.2(1)
    hostname asa-xxxx
    enable password xxxxxxxxx encrypted
    passwd xxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 197.X.XX.XX 255.255.255.248
    interface GigabitEthernet0/1
    nameif vpncorp
    security-level 50
    ip address 10.X.XX.XX 255.255.255.248
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    speed 100
    duplex full
    nameif mgmt
    security-level 100
    ip address 10.x.xx.xx 255.255.255.240
    management-only
    ftp mode passive
    dns server-group DefaultDNS
    domain-name zz.df.es
    access-list Inside standard permit 10.1.0.0 255.255.0.0
    access-list Inside standard permit 192.168.15.0 255.255.224.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 14000
    logging buffered debugging
    logging asdm debugging
    logging facility 21
    logging host mgmt 10.xx.x.x
    logging class auth trap informational
    logging class config trap informational
    logging class ha trap informational
    logging class sys trap informational
    logging class vpdn trap informational
    logging class vpn trap informational
    mtu outside 1500
    mtu vpncorp 1500
    mtu mgmt 1500
    ip local pool VPN-01-pool 10.XX.XX.X-10.XX.XX.XX mask 255.255.252.0
    ip local pool VPN-02-pool 10.xx.xx.x-10.xx.xx.xx mask 255.255.252.0
    ip local pool VPN-USER-pool 192.168.xx.x-192.168.xx.xx mask 255.255.0.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    route outside 0.0.0.0 0.0.0.0 197.xx.xx.xx 1
    route vpncorp 10.x.x.x 255.xx.xx.xx 10.xx.xx.xx 1
    route vpncorp 10.xx.xx.xx 255.255.0.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.248 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server mgmtt protocol radius
    aaa-server mgmtt (mgmt) host 10.xx.x.xx
    timeout xxx
    key xxxxxxxxxx
    authentication-port xxx
    accounting-port xxxx
    aaa-server mgmtt (mgmt) host 10.xx.xx.xx
    timeout xxx
    key xxxxxx
    authentication-port xxxx
    accounting-port xxxx
    aaa-server Users protocol radius
    accounting-mode simultaneous
    interim-accounting-update
    aaa-server Users (mgmt) host 10.xx.xx.xx
    key xxxxx
    authentication-port xxxx
    accounting-port xxxx
    aaa-server Users-2 protocol radius
    accounting-mode simultaneous
    interim-accounting-update
    aaa-server users-2 (mgmt) host 10.xx.xx.xxx
    key xxxx
    authentication-port xxx
    accounting-port xxxx
    aaa authentication ...
    aaa authentication ...
    aaa authentication ...
    aaa authorization ...
    aaa accounting ...
    aaa accounting ...
    aaa accounting ...
    snmp-server ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec security-association lifetime seconds xxx
    crypto ipsec security-association lifetime kilobytes xxx
    crypto dynamic-map vpn-ra-dyn_map 10 set ...
    crypto map outside_map 100 ipsec-isakmp dynamic vpn-ra-dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy ...
    authentication pre-share
    encryption xxx
    hash xxx
    group x
    lifetime xxx
    crypto isakmp policy xxx
    authentication pre-share
    encryption xxx
    hash xxx
    group x
    lifetime xxx
    telnet timeout xxx
    ssh 10.x.x.x 255.255.255.255 mgmt
    ssh timeout x
    ssh version x
    console timeout x
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    vpn-idle-timeout 1
    vpn-tunnel-protocol l2tp-ipsec
    pfs disable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    default-domain value xx.xx.es
    group-policy DefaultRAGroup_1 internal
    group-policy DefaultRAGroup_1 attributes
    vpn-idle-timeout 1
    split-tunnel-policy tunnelspecified
    username ...
    username ...
    username ...
    tunnel-group DefaultRAGroup general-attributes
    authentication-server-group (outside) Users
    accounting-server-group users
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key xxxxx
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    tunnel-group asa type remote-access
    tunnel-group asa general-attributes
    address-pool VPN-user-pool
    authentication-server-group (outside) test
    accounting-server-group test
    tunnel-group asa ipsec-attributes
    pre-shared-key xxxx
    tunnel-group asa ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group tstvpn type remote-access
    tunnel-group tstvpn general-attributes
    authentication-server-group (outside) users-2
    accounting-server-group users-2
    default-group-policy DefaultRAGroup
    tunnel-group tstvpn ipsec-attributes
    pre-shared-key xxxx
    tunnel-group tstvpn ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum xxxx
    policy-map global_policy
    class inspection_default
      inspect xxxx
      inspect ...
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:xxxxxx
    : end

  • My router does vpn passthrough and is set up correctly. Does it also have to host the vpn?

    my router does vpn passthrough and is set up correctly. Does it also have to host the vpn?
    Thanks
    Greg

    Not sure I understand your question or problem, but I'll give it a shot.
    No, you do not have to host the VPN server on your router.  That wouldn't do you any good for working around the limitations of the VZW network anyways since you are still on the same VZW network.  When you setup a VPN you normally want it to be on someone else's network so you can enable things like port forwarding and remote access.
    The VPN Passthrough feature only allows your VPN clients to access VPN servers, it's not the same thing as hosting.  If you want your router to auto connect to a VPN server (which is more common) that is something different.  VPN clients connect to VPN servers.  VPN clients are normally installed on your personal devices or your router.  VPN servers are geographically located somewhere else and on someone else's network.

  • Cisco UC560 Not Clearing Static Routes When VPN Connections Drop

    We have a Cisco UC560 (UC560-FXO-K9) running "Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M),
    Version 15.1(2)T2, RELEASE SOFTWARE (fc1)"  The issue is when we have end users connecting with the Cisco VPN Client to this device sometimes we are unable to connect to any devices on our LAN or sometimes we can't connect to the LAN on the other end of our site-to-site VPN.  The one symptom I've observed when this happens is that old VPN sessions that have disconnected appear to leave static routes from the user's outside IP at their home to an IP on our LAN to a Virtual-Access interface.  When this starts to happen, I restart the firewall to clear out the stale static routes and the problem is fixed, for a while at least.  Below is the current state where we have the site-to-site VPN connected to our branch office and 2 users connected with Cisco VPN clients.  Below that is the static route table which has 5 total Virtual-Access interface routes (one is an extra route for a user currently connected so that their outside IP is in the static route table with 2 inside IPs associated.)  Is there a way to fix the cleanup of VPN connections when they terminate?
    #sh crypto isakmp peers
    Peer: <branch office outside IP> Port: 500 Local: <firewall's outside IP>
    Phase1 id: <branch office outside IP>
    Peer: <users's outside IP #1> Port: 50420 Local: <firewall's outside IP>
    Phase1 id: EZVPN_GRP_437
    Peer: <user's outside IP #2> Port: 49345 Local: <firewall's outside IP>
    Phase1 id: EZVPN_GRP_437
    Bugsy#sh ip ro st
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override
    Gateway of last resort is <next hop of ISP for firewall> to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via <next hop of ISP for firewall>
          10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
    S        10.0.0.153/32 [1/0] via <non-connected IP of VPN user>, Virtual-Access2
    S        10.0.0.155/32 [1/0] via <non-connected IP of VPN user>, Virtual-Access2
    S        10.0.0.156/32 [1/0] via <user's outside IP #2>, Virtual-Access3
    S        10.0.0.158/32 [1/0] via <user's outside IP #1>, Virtual-Access3
    S        10.0.0.159/32 [1/0] via <user's outside IP #2 again>, Virtual-Access2
    S        10.1.10.1/32 is directly connected, Vlan90

    Hi Brian,
    This sounds like you are running into the following known issue:
      CSCtl03682 - EzVPN client: Several RRI routes  pointing to same virtual interface
    which is Dup'd to:
      CSCtf39056 - RRI routes not deleted
    This is fixed since 15.1(2)T4, so I would recommend upgrading to SWP 8.2 or higher.  The only other way to clean up the stuck routes is to reload the router.
    Thanks,
    Brandon
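
A way to spot the leftover routes described in this thread before they cause an outage, as an added example that is not part of the original posts or of any Cisco tooling: it compares the `/32` Virtual-Access static routes against the currently connected ISAKMP peers. The two captured outputs are constructed, with documentation-range addresses standing in for the placeholders in the post, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed stand-in for "sh crypto isakmp peers" (addresses are made up).
PEERS_OUTPUT = """\
Peer: 192.0.2.10 Port: 500 Local: 198.51.100.1
 Phase1 id: 192.0.2.10
Peer: 203.0.113.21 Port: 50420 Local: 198.51.100.1
 Phase1 id: EZVPN_GRP_437
Peer: 203.0.113.22 Port: 49345 Local: 198.51.100.1
 Phase1 id: EZVPN_GRP_437
"""

# Constructed stand-in for "sh ip ro st" with the same five Virtual-Access
# routes as the post: two for disconnected users, three for connected ones.
ROUTES_OUTPUT = """\
S*    0.0.0.0/0 [1/0] via 198.51.100.254
      10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
S        10.0.0.153/32 [1/0] via 203.0.113.90, Virtual-Access2
S        10.0.0.155/32 [1/0] via 203.0.113.91, Virtual-Access2
S        10.0.0.156/32 [1/0] via 203.0.113.22, Virtual-Access3
S        10.0.0.158/32 [1/0] via 203.0.113.21, Virtual-Access3
S        10.0.0.159/32 [1/0] via 203.0.113.22, Virtual-Access2
S        10.1.10.1/32 is directly connected, Vlan90
"""

PEER_RE = re.compile(r"^Peer:\s+(\S+)\s+Port:", re.M)
ROUTE_RE = re.compile(
    r"^S\*?\s+(\S+/32)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(Virtual-Access\d+)",
    re.M,
)


def audit_rri_routes(peers_text, routes_text):
    """Return (stale, duplicated).

    stale:      /32 routes whose next hop is not a connected peer.
    duplicated: connected peers that own more than one /32 route.
    """
    peers = set(PEER_RE.findall(peers_text))
    by_hop = defaultdict(list)
    for prefix, hop, _iface in ROUTE_RE.findall(routes_text):
        by_hop[hop].append(prefix)
    stale = sorted(p for hop, prefixes in by_hop.items()
                   if hop not in peers for p in prefixes)
    duplicated = {hop: sorted(prefixes) for hop, prefixes in by_hop.items()
                  if hop in peers and len(prefixes) > 1}
    return stale, duplicated


if __name__ == "__main__":
    stale, duplicated = audit_rri_routes(PEERS_OUTPUT, ROUTES_OUTPUT)
    print("stale routes:", stale)
    print("peers with several routes:", duplicated)
```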

  • Urgent help needed-----Internet Gateway & VPN Gateway---???---

    Hi All,
    First of all apologies as I am new to Cisco.
    I have 2 sites Main site routers 1 is configured for internet having IP address 10.10.10.48. 2nd router is configured for VPN on separate data link configured with bgp protocol having ip address 10.10.10.51. My LAN computers are configured with 10.10.10.48 gateway for internet access.
    DR-Site have 1 router configured for internet having IP 192.168.1.48. 2nd router is configured for VPN on separate data link configured with bgp protocol having ip address 192.168.1.52. My LAN computers are configured with 192.168.1.48 gateway for internet access.
    Problem:-
    If I need to connect with VPN I need to change default gateway from both ends otherwise VPN cannot access networks from both ends; in this case I lose internet because gateway is not there to service internet.
    How to overcome this problem.
    Thanks

    Have you thought about implementing Policy Based routing to send all Internet traffic to the Internet router, and all other traffic to your VPN router? You will then have to move your client's default gateway to the 3560 by creating a SVI. Then add the routing policy to the SVI. And you would do the same at the DR.

  • Need help configuring VPN on RV120W Router (WiTopia VPN)

    Hello Cisco Community,
    I need some help configuring a VPN from WiTopia on my RV120W router. I am trying to make it so that if any device connects to the router it can automatically connect to the VPN from WiTopia.
    Please note that the VPN plan includes PPTP, L2TP, & IPSEC VPN types.
     Is this possible? And if so, how?
    Thanks in advance!

    Hello,
    If WiTopia is providing only client to gateway VPN, where WiTopia is the gateway allowing connections to clients, then you will not be able to configure RV120 to connect to it. RV120 in its VPN configurations cannot be configured to be a client.
    The only tunnel where it can play the role of the connecting part is IPSec gateway to gateway, when in the IKE policy the Direction type is Initiator and the Exchange mode is Aggressive. And you will need to receive all additional configuration parameters from WiTopia: the Encryption, Authentication Algorithm, PFS, SA lifetime and so on. But this means that WiTopia has to provide gateway to gateway VPN connection.
    Regards,
    Kremena

  • RV042 router against a ZTE DSL router

    Hello, I have a ZTE DSL router that the phone company left me (I ordered it with a FIXED IP), and on the other hand I have a Cisco RV042 that we bought to do traffic balancing and VPN.
    I have several questions about getting the RV042 up and running, and they are the following:
    - Should I configure the fixed public IP on the ZTE or on the RV042, which is going to terminate the VPN against another site I have?
    - Should I configure the WAN port of the RV042 as PPPoE with the Telefonica details? In that case I have no option to enter an IP, so I assume it should be assigned to me dynamically?
    On the other hand, the LAN port of the ZTE has an IP from my LAN, and when I connect it to the WAN port of my router I lose connectivity.
    Any help with this problem would be welcome, because after so many tests I am already dizzy!!
    Attached is the network diagram
    Thanks

    One other way to route that phone's traffic via the other site's Internet connection would be to pptp into site a's router and obtain an IP from there.  Then *all* the traffic will tunnel through to site a.  The problem will probably be finding a pptp client on the phone.

  • Cannot ping pc behind router in vpn connection

    I have set up a vpn tunnel using two wrv200 vpn routers. The lan and wan connection works fine and the tunnel is connected successful between two locations. I can ping the remote wrv200 router from the opposite side. However, I cannot ping remote pcs connected to the router from other side. I can ping the pcs from the router on the same side. Does anyone experience the same problem? Any suggestion or solution to it? Please help!

    windows firewall is disabled on the pcs. I can ping the pcs on the side from the router. If I can ping remote pc from the tunnel, then I shouldn't have any problem with the vpn connection. When I ping remote pc from opposite side through the tunnel, the Request time out message displays. The same to the tracert command.
    routing table of router a
    Destination LAN IP Subnet Mask Gateway Interface
    203.98.129.239 255.255.255.255 0.0.0.0 WAN
    192.168.2.0 255.255.255.0 0.0.0.0 LAN&Wireless
    Default Route (*) 0.0.0.0 203.98.129.239 WAN
    127.0.0.1 0.0.0.0 127.0.0.1 LOOPBACK
    routing table of router b
    203.98.129.226 255.255.255.255 0.0.0.0 WAN
    192.168.0.0 255.255.255.0 0.0.0.0 LAN&Wireless
    Default Route (*) 0.0.0.0 203.98.129.226 WAN
    127.0.0.1 0.0.0.0 127.0.0.1 LOOPBACK

  • Can't ping behind cisco router (site2site vpn)

    Dears;
    After configure site to site vpn between cisco router and fortigate firewall,
    site A : 10.0.0.0/24     behind fortigate
    site B: 10.10.10.0/24  behind cisco router
    the tunnel is up and I can ping 10.0.0.1 from site B and can ping 10.10.10.1 from site A but I can't ping any IP inside 10.0.0.0/24 from site B or network 10.10.10.0/24 from site A
    my cisco router configuration is
    Current configuration : 2947 bytes
    ! No configuration change since last restart
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    boot-start-marker
    boot-end-marker
    enable secret 4 EE103as6FtdocdBefpgugX6P9eGaDKDyBvwz7AywH5Q
    no aaa new-model
    memory-size iomem 10
    clock timezone cairo 2 0
    crypto pki token default removal timeout 0
    ip source-route
    ip dhcp excluded-address 192.168.16.1
    ip dhcp excluded-address 10.10.10.1 10.10.10.10
    ip dhcp pool GUEST
     network 192.168.16.0 255.255.255.0
     default-router 192.168.16.1
     dns-server 8.8.8.8 8.8.4.4
    ip dhcp pool LAN
     network 10.10.10.0 255.255.255.0
     default-router 10.10.10.1
     dns-server 8.8.8.8 8.8.4.4
    ip cef
    controller VDSL 0
    ip ssh version 2
    crypto isakmp policy 10
     encr aes
     hash sha256
     authentication pre-share
     group 5
    crypto isakmp key 6 *********** address 4.x.x.x no-xauth
    crypto ipsec transform-set myset esp-aes esp-sha256-hmac
    crypto map kon-map 10 ipsec-isakmp
     set peer 4.x.x.x
     set transform-set myset
     set pfs group5
     match address 105
    interface Ethernet0
     no ip address
     no fair-queue
    interface ATM0
     no ip address
     ip mtu 1452
     ip tcp adjust-mss 1452
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     ip flow ingress
     pvc 0/35
      encapsulation aal5snap
      pppoe-client dial-pool-number 1
    interface FastEthernet0
     switchport mode trunk
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     switchport access vlan 2
     no ip address
    interface FastEthernet3
     no ip address
    interface Vlan1
     ip address 10.10.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface Vlan2
     ip address 192.168.16.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     ppp authentication chap pap callin
     ppp chap hostname
     ppp chap password 0
     ppp pap sent-username
     crypto map kon-map
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 100 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    access-list 100 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 100 permit ip 10.10.10.0 0.0.0.255 any
    access-list 100 permit ip 192.168.16.0 0.0.0.255 any
    access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
    banner motd ^C^C
    end
    when ping from cisco router
    konsuler#ping 10.0.0.27 source vlan1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.27, timeout is 2 seconds:
    Packet sent with a source address of 10.10.10.1
    Success rate is 0 percent (0/5)
    help please

    Thank you karsten
    I can ping interface of router from remote site but can't ping any device behind the router and can ping firewall interface but can't ping any device behind the firewall
    -counters in
    # sh crypto ipsec sa
    increased only while ping 10.0.0.1 or 10.10.10.1 from both sides
    r#show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection     
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: Dialer1
    Uptime: 00:03:12
    Session status: UP-ACTIVE     
    Peer: 4.x.x.x port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.x.x.x
          Desc: (none)
      IKEv1 SA: local 6.x.x.x/500 remote 4.x.x.x/500 Active
              Capabilities:(none) connid:2001 lifetime:22:39:59
      IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.0.0.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 9 drop 0 life (KB/Sec) 4605776/3407
            Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4605775/3407

  • Dual-routing messages in gateway/ext-domain

    Here's another question related to our impending rollout of Groupwise to
    our stores...
    Currently, our stores' POS systems receive text messages via the
    mainframe. To allow corporate users with Groupwise to send mail to the
    stores, we set up many years ago an external domain and set up each
    store as an external user in this external domain. Then, using the 4.2
    API gateway, all mail sent to any of these external users is dumped in
    the ATT_OUT and API_OUT folders which is then picked up on a timed
    basis by the mainframe and delivered to the store's POS system.
    Now, using SLES10 and a Linux portal, we are going to give each of the
    stores a REAL groupwise address with a REAL mailbox.
    What I'd like to know is... is it possible to route messages sent to
    the external user back to the new real mailbox while the conversion
    process is taking place. In other words, we've got to convert 1300
    stores and this process will take several months. Thus, we won't be
    able to turn off the api gateway all at once and it will take some time
    for systems and users to start using the new mailboxes.
    So... if an internal groupwise person sent a groupwise message to
    external user 10337.POS (where 10337 is the external user and POS is
    the external domain), could the message still be placed in the
    API_OUT/ATT_OUT folder of the gateway so the mainframe could pick it up
    while simultaneously the message is routed to store10337.PRI_DOMAIN or
    [email protected]?
    Jim
    jgosney

    jgosney,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
    - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
    - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
    If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/
