DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

LAN to LAN VPN using 2820, can only Ping one way

27 Aug 2010 14:18 #1 by candl
OK, I'm tearing my hair out here, anyone any idea what's wrong.

I've got a LAN-to-LAN IPsec VPN using two 2820s.

Site A
local subnet 192.168.1.0/24
2820 connected via WAN1 to BT ADSL line with Static IP

Site B
local subnet 192.168.0.0/24
2820 connected to existing network (8 static IPs) via WAN2 with spare public static IP

The VPN establishes, no problem.

From anywhere on site B local network I can ping anything on site A.
From Site A, I can ping as far as Site B router on 192.168.0.1 but can't ping anything connected to the local network 192.168.0.x.
From the Site B router I can ping the local devices on 192.168.0.x.

I've checked the routing tables on both 2820's when the VPN's up and they look ok to me.

It just looks like the 2820 that's connected via WAN2 can't route VPN traffic to the local subnet!!

Anyone any clues please?

27 Aug 2010 15:00 #2 by voodle
Check whether the Route/NAT setting under section 4 TCP/IP settings is set to Route, otherwise you'll get a one way only route like you're seeing.

27 Aug 2010 15:34 #3 by candl
Thanks for the reply.

Yep, TCP/IP settings both ends are set to Route.
From what I can see it's managing to route 192.168.0.x down the VPN OK from Site A, since it can ping the internal IP of the 2820 at Site B (192.168.0.1), but then it's failing to route other 192.168.0.x addresses out to the Site B LAN.

27 Aug 2010 17:50 #4 by stuc
Is there more than one gateway at either end?

i.e. are all the machines you are pinging using the VPN router as their gateway?
If a machine at a far end has a different gateway, the ping may get to it but its reply will have no route back across the VPN.

27 Aug 2010 19:09 #5 by candl
> i.e. are all the machines you are pinging using the VPN router as their gateway?

Thanks for the reply.
Yep, they're all (well, there are only 2 at the moment) connected directly to the 2820 with it as the default gateway. I did consider that it could be the routing of the reply back through the VPN rather than the ping not getting to them, but that's sort of contradicted by the fact that machines on the 192.168.0.x subnet can ping those on 192.168.1.0, so it must be routing correctly through the VPN under those circumstances. Come to think of it, that also means that the replies are routing correctly back to the 0.x subnet.
This is really strange. :?
I'll maybe have to have a look with Wireshark to see exactly how far the ping's getting when I get back in the office on Tues.

Edit:

> Yep, they're all (well, there are only 2 at the moment) connected directly to the 2820 with it as the default gateway

Actually, that's got me thinking; that might not be true. One of them is using DHCP so that ought to be fine, but the other is on a static IP. It's normally connected to an ISDN router (this VPN is going to replace the ISDN link when I get it working) and will already have 192.168.0.1 as its default gateway (since that's the internal address of the ISDN router), BUT it's going to need its ARP cache flushed to get the MAC for the 2820 instead of the ISDN router. That could certainly be the problem with one of the machines.

Thanks for that StuC

Further edit: OK, forget that edit, I can ping both of the 0.x machines from the 'ping diagnostics' on the local (192.168.0.1) 2820. So they must both be configured OK.

27 Aug 2010 22:06 #6 by stuc
Ha, looks like you'll have thought it out long before I can.

Couple of things I tend to stick to:
Don't use "default type" network addresses like 192.168.0.x, because that is the range many items start on; how do you know it is the right 192.168.0.1 that is responding to pings etc.? 192.168.xxx.1 is actually quicker to put into network fields in many cases.
If you can change the ranges to something like 192.168.111.x and 192.168.222.x, it's easier to know that what you are looking at is what you have set up.

Set it up afresh if possible with new IPs (checking nothing locally, like a second subnet range on the router, is on 192.168.0.1) and "tracert" from each side to check the packets are heading where you'd expect, or do some continuous pings to the remote router while you take the VPN up and down just to make sure it follows the VPN link.

Do a "route print" from a workstation on each end and make sure there are no fixed routes left over, then add a (temporary) fixed route on one workstation at each end; Windows: "route add 192.168.111.0 mask 255.255.255.0 192.168.222.1" etc. If it works then it must be down to routing, and my guess is it will be around the router using WAN2 and multiple IPs.

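As an added example covering both stuc's point in #4 (a request can reach a host whose reply has no route back across the tunnel) and the "route print" check in #6, here is a small Python model that is not code from the thread or from DrayTek. It parses a constructed Windows route table for the Site B workstation, walks an echo request and its reply hop by hop over a constructed two-site topology in the thread's layout, and reports which leg fails and at which node. The host names, the .10/.20/.254 addresses, the second gateway and the route-table excerpts are all assumptions made for the demo.

```python
"""Trace an ICMP echo request and its reply across a LAN-to-LAN VPN.
Added example, not code from the thread or DrayTek: hosts and routers are
longest-prefix-match tables, the IPsec tunnel is just "next hop = far
router's LAN address", and all addresses/'route print' text is constructed."""
import ipaddress

Address = ipaddress.IPv4Address
Network = ipaddress.IPv4Network


def parse_route_print(text):
    """Parse 'Active Routes' rows of Windows 'route print' into (network,
    gateway) pairs; 'On-link' rows are directly attached (gateway None)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            net = Network(f"{parts[0]}/{parts[1]}")   # destination/netmask
        except ValueError:
            continue                                  # header or separator
        routes.append((net, None if parts[2] == "On-link" else Address(parts[2])))
    return routes


class Node:
    """A host or router: the addresses it owns plus its routing table."""
    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = {Address(a) for a in addresses}
        self.routes = [(Network(n), None if g is None else Address(g))
                       for n, g in routes]

    def next_hop(self, dst):
        """Longest-prefix match: a gateway Address, 'direct', or None."""
        best = None
        for net, gateway in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gateway)
        if best is None:
            return None
        return "direct" if best[1] is None else best[1]


def trace(nodes, src_name, dst):
    """Forward one packet hop by hop -> (delivered, [node names]); for a
    dropped packet the last name is the node that had no way onward."""
    by_addr = {a: n for n in nodes for a in n.addresses}
    node = next(n for n in nodes if n.name == src_name)
    dst, path = Address(dst), [src_name]
    for _ in range(16):                       # hop limit guards against loops
        if dst in node.addresses:
            return True, path
        hop = node.next_hop(dst)
        if hop is None:                       # no matching route: dropped
            return False, path
        node = by_addr.get(dst if hop == "direct" else hop)
        if node is None:                      # nothing owns that address
            return False, path
        path.append(node.name)
    return False, path


def ping_round_trip(nodes, src_name, src_ip, dst_ip):
    """Echo request src -> dst, then the reply back; ping only succeeds
    when both legs are delivered (the asymmetry stuc's post describes)."""
    req_ok, req_path = trace(nodes, src_name, dst_ip)
    if not req_ok:
        return {"request": req_path, "reply": [], "success": False}
    rep_ok, rep_path = trace(nodes, req_path[-1], src_ip)
    return {"request": req_path, "reply": rep_path, "success": rep_ok}


# Constructed topology in the thread's layout: 192.168.1.0/24 at site A,
# 192.168.0.0/24 at site B, a router at .1 on each LAN, tunnel between them.
ROUTER_A = Node("router_a", ["192.168.1.1"],
                [("192.168.1.0/24", None), ("192.168.0.0/24", "192.168.0.1")])
ROUTER_B = Node("router_b", ["192.168.0.1"],
                [("192.168.0.0/24", None), ("192.168.1.0/24", "192.168.1.1")])
HOST_A = Node("host_a", ["192.168.1.10"],
              [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")])
# A second (assumed) gateway on the site B LAN that knows nothing about the tunnel.
OTHER_GW = Node("other_gw", ["192.168.0.254"], [("192.168.0.0/24", None)])

# Constructed 'route print' excerpts for a site B workstation at .20; the
# STALE copy still points its default route at the other gateway.
GOOD_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.20     10
      192.168.0.0    255.255.255.0          On-link    192.168.0.20    266
"""
STALE_ROUTES = GOOD_ROUTES.replace("  192.168.0.1 ", "192.168.0.254 ")


def check_both_directions(route_print_text):
    """Build site B's workstation from its 'route print' and ping each way."""
    host_b = Node("host_b", ["192.168.0.20"], parse_route_print(route_print_text))
    nodes = [ROUTER_A, ROUTER_B, HOST_A, OTHER_GW, host_b]
    return {"a_to_b": ping_round_trip(nodes, "host_a", "192.168.1.10", "192.168.0.20"),
            "b_to_a": ping_round_trip(nodes, "host_b", "192.168.0.20", "192.168.1.10")}
```

Calling check_both_directions(STALE_ROUTES) shows the request from Site A still arriving at host_b (so the host would appear in a capture) while the reply dies at other_gw, which has no route for 192.168.1.0/24. The same model also fails B to A for that host, which is the contradiction candl raised: when B to A works and A to B does not, the workstation's gateway is unlikely to be the cause and the routers become the place to look.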