DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek to Draytek VPN issue

20 Feb 2010 17:35 #7 by thirst4knowledge
Replied by thirst4knowledge on topic Draytek to Draytek VPN issue

NJH wrote: As you have a private IP triggering a VPN initiation, is the remote end set up for VPN passthrough?

BTW, I've no idea how to read the log files so I am only looking for something which catches my eye.

Please can you post your LAN-LAN settings?



sure,

Both Sides are using:

Always On
Preshared Key
ESP
NAT Traversal

Local Gateway:

WAN Interface : WAN3
Security Gateway : 1.1.1.3
3des Md5
next default IP / subnet mask: 192.168.10.0/24
Next hop: default


Remote Gateway:

DHCP-over-IP: OFF
Security Gateway: 1.1.1.1
Network IP /Subnet Mask: 192.168.20/24



Advanced settings:

IKE Phase 1
Mode Main
peer ID: 3 (this is automatically generated)
Key Lifetime:15 minutes
Proposal: 3des-md5-modp768 3des-md5-modp1024 3des-md5-modp1536 3des-md5-modp1024


Ike Phase2(quick mode)

Key Lifetime: 1140 Minutes
Proposal: 3des-md5 3des 3des-sha1 3des-sha1 3des-sha1
PFS: NO

Dead Peer detection: Disabled



Obviously the remote gateway IPs are swapped on each side...... You need anything else?

20 Feb 2010 20:47 #8 by njh
Replied by njh on topic Draytek to Draytek VPN issue
Can you turn off NAT traversal? It is not needed if the routers are directly connected to the internet via a modem or anything which does not perform NAT.

Then can you try setting one end to dial in and the other to dial out. You will not be able to set "always on" at the dial in end, so at that end use an Idle Timeout of 0.

Rather than use a Peer ID, can you specify the peer IP?

For your ESP what are you using? You seem to prefer 3DES (but AES is as good or better). Are you using Authentication? I would.

Once you get things going, your key lives are very short. The default ones aren't bad. Also you should aim to turn on PFS.

2900Gi/v2.5.6; 2900/v2.5.6

21 Feb 2010 21:00 #9 by thirst4knowledge
Replied by thirst4knowledge on topic Draytek to Draytek VPN issue

NJH wrote: Can you turn off NAT traversal? It is not needed if the routers are directly connected to the internet via a modem or anything which does not perform NAT.

Then can you try setting one end to dial in and the other to dial out. You will not be able to set "always on" at the dial in end, so at that end use an Idle Timeout of 0.

Rather than use a Peer ID, can you specify the peer IP?

For your ESP what are you using? You seem to prefer 3DES (but AES is as good or better). Are you using Authentication? I would.

Once you get things going, your key lives are very short. The default ones aren't bad. Also you should aim to turn on PFS.



I will try turning off NAT T, next time I'm in the office.....

One thing I don't get is the NAT thing... to me NAT is mapping an RFC 1918 non-routable private IP address to a publicly routable address.

So this is what every router does, otherwise you would not be able to get out onto the internet. So please explain what you mean when you say that the router is not doing NAT:

" via a modem or anything which does not perform NAT."

21 Feb 2010 21:59 #10 by njh
Replied by njh on topic Draytek to Draytek VPN issue
Routers do NAT, but NAT-T is something different. Have a look here.

Normally IPSec is not a NAT friendly protocol in so much as it will not work if there is a device performing NAT between the two IPSec end points. The most common scenario for this is probably a road-warrior connecting to the internet in a hotel or house via a router to an IPSec server directly connected to the internet. In this case the road warrior IPSec will not normally work. In order for it to pass through the NAT device, both end points need to support NAT traversal. If they do support NAT traversal, the IPSec packet is encapsulated in another UDP packet and transmitted (I believe) on port 4500.

In your case, where both endpoints appear to have public IP addresses, I have assumed they are directly connected to the internet (built-in ADSL, ADSL modem and PPPoE, Ethernet to a cable modem or something similar). In this case you do not need NAT-T. I have no idea if disabling it will make any difference but it won't hurt.

What I am trying to do is simplify the connection parameters to get it going. Once it is running, we can then start to add bells and whistles. This is why, for example, I am trying to make one end only initiate the connection.

BTW, where have you put the dial-in PSK's? Have you put them in the LAN-LAN profiles or in the VPN IKE / IPSec General Setup?

2900Gi/v2.5.6; 2900/v2.5.6

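To make the NAT-T description above concrete, here is an added example (not code from the thread or from DrayTek) that classifies UDP datagrams the way a firewall or packet analyser has to: plain IKE on UDP/500, IKE moved to UDP/4500 behind the four-zero-byte "non-ESP marker", ESP encapsulated in UDP/4500, and the one-byte NAT keepalive. The port numbers and header layouts are from RFC 2408, RFC 3948 and RFC 7296; the sample datagrams are constructed inline, and the SPI and length values in them are made up for illustration.

```python
"""Tell plain IKE, NAT-T IKE, UDP-encapsulated ESP and NAT keepalives apart.

Facts used (RFC 2408 / RFC 3948 / RFC 7296, not from the forum thread):
  * IKE normally runs on UDP/500.  Once NAT is detected, both peers move IKE
    to UDP/4500 and also carry ESP inside UDP/4500.
  * On UDP/4500 the two are distinguished by the first four bytes: IKE is
    prefixed with a "non-ESP marker" of four zero bytes, while an ESP packet
    starts with its SPI.  SPIs 0-255 are reserved, so a live SA can never
    collide with the marker.
  * A single 0xFF byte on UDP/4500 is a NAT keepalive.
"""
import struct
from typing import Any, Dict, List, Tuple

IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# 28-byte ISAKMP/IKE header: init SPI, resp SPI, next payload, version,
# exchange type, flags, message ID, total length.
IKE_HDR = struct.Struct("!QQBBBBII")

# Exchange types relevant to the settings discussed in the thread (IKEv1
# main mode and quick mode) plus the IKEv2 initial exchanges.
EXCHANGE_TYPES = {
    2: "ikev1-main-mode",
    4: "ikev1-aggressive-mode",
    32: "ikev1-quick-mode",
    34: "ikev2-sa-init",
    35: "ikev2-auth",
}


def parse_ike(payload: bytes) -> Dict[str, Any]:
    """Decode the fixed IKE header and sanity-check its length field."""
    if len(payload) < IKE_HDR.size:
        raise ValueError("IKE header truncated")
    ispi, rspi, _next, version, exch, _flags, msg_id, length = IKE_HDR.unpack_from(payload)
    return {
        "initiator_spi": f"{ispi:016x}",
        "responder_spi": f"{rspi:016x}",
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "message_id": msg_id,
        "length_ok": length == len(payload),
    }


def parse_esp(payload: bytes) -> Dict[str, Any]:
    """Decode the ESP SPI and sequence number (the only cleartext fields)."""
    if len(payload) < 8:
        raise ValueError("ESP header truncated")
    spi, seq = struct.unpack_from("!II", payload)
    return {"spi": f"{spi:08x}", "seq": seq}


def classify(dst_port: int, payload: bytes) -> Dict[str, Any]:
    """Return a dict whose 'kind' says what the datagram carries."""
    try:
        if dst_port == IKE_PORT:
            return {"kind": "ike", **parse_ike(payload)}
        if dst_port == NATT_PORT:
            if payload == b"\xff":
                return {"kind": "nat-keepalive"}
            if payload.startswith(NON_ESP_MARKER):
                return {"kind": "ike-natt", **parse_ike(payload[4:])}
            return {"kind": "esp-in-udp", **parse_esp(payload)}
        return {"kind": "other"}
    except ValueError as exc:
        return {"kind": "malformed", "reason": str(exc)}


def _ike_hdr(exch: int, version: int, body_len: int) -> bytes:
    """Build a constructed IKE header with a zero-filled body (test data)."""
    hdr = IKE_HDR.pack(0x1122334455667788, 0, 1, version, exch, 0, 0, IKE_HDR.size + body_len)
    return hdr + b"\x00" * body_len


# Constructed sample datagrams as (destination port, UDP payload).
SAMPLES: List[Tuple[int, bytes]] = [
    (IKE_PORT, _ike_hdr(2, 0x10, 40)),                         # main mode on UDP/500
    (NATT_PORT, NON_ESP_MARKER + _ike_hdr(32, 0x10, 24)),      # quick mode after NAT detected
    (NATT_PORT, struct.pack("!II", 0x0000AB12, 7) + b"\x00" * 40),  # ESP inside UDP/4500
    (NATT_PORT, b"\xff"),                                       # NAT keepalive
]


def summarize(samples: List[Tuple[int, bytes]]) -> List[str]:
    return [classify(port, data)["kind"] for port, data in samples]


if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify(port, data))
```

Run stand-alone it prints one classification per sample; the useful part for a defender is that a capture showing only UDP/500 and native ESP (IP protocol 50) while the profile has NAT traversal enabled, or UDP/4500 appearing when neither end is behind NAT, tells you immediately whether the NAT-T setting matters for the tunnel being debugged.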
21 Feb 2010 23:00 #11 by thirst4knowledge
Replied by thirst4knowledge on topic Draytek to Draytek VPN issue
Thanks for the advice.

What do you mean by PSK?

" where have you put the dial-in PSK's? Have you put them in the LAN-LAN profiles or in the VPN IKE / IPSec General Setup?"

Ohhh, hang on, you mean on the 2820, don't you?

Yes, I put the PSK in the LAN to LAN section. There are 2 places in the LAN to LAN section to put the PSK in, right?

22 Feb 2010 12:27 #12 by njh
Replied by njh on topic Draytek to Draytek VPN issue
I only have a 2600 and 2900 to play with, but I believe the options on a 2820 series are similar but the menus look different.

In the LAN-LAN profile there are 2 places to put the PSK (pre-shared key) - one for dial in and one for dial out. I don't know if they are allowed to be different. The dial in one here pretty much only works when the remote IP is fixed. If the remote IP is dynamic, it is normally put in the VPN IKE / IPSec General Setup.

2900Gi/v2.5.6; 2900/v2.5.6
