VPN is up but why can't I access the host in the remote network?
Suppose we have two routers connected by an IPsec LAN-to-LAN VPN, and the LAN network topology is as follows. If the VPN is up but PC A cannot access PC B, we may check the following.
Are the routes created correctly on both Vigor Routers?
1. In the routing table of Router A, we need to see the route to destination 192.168.11.0/255.255.255.0 via VPN.
2. Similarly, on Router B, we need to see the route to destination 192.168.1.0/255.255.255.0 via VPN.
3. If there is no correct routing on the router, please check the TCP/IP Network Settings in the VPN profile.
Is Vigor Router the gateway of the PC?
On a PC that has multiple network interfaces, the packets might have been sent to an interface that is not connected to Vigor Router, and therefore cannot reach the remote network. We may use the “tracert” command to see if the first hop is the IP of Vigor Router, and check if the packets have been sent to the right interface.
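The following added example (not part of the original article) models how a multi-homed PC A picks its first hop, using longest-prefix match and then lowest metric, and reports when traffic to the remote LAN would not go to Vigor Router. The routing table is constructed; 192.168.1.1 as the LAN IP of Router A, 192.168.11.10 as PC B, and the 10.0.0.0/24 second network are assumptions.

```python
import ipaddress

# Constructed routing table for a dual-homed PC A: (destination, gateway, interface, metric).
# 192.168.1.1 as Vigor Router A's LAN IP and the 10.0.0.0/24 second network are assumptions.
SAMPLE_ROUTES = [
    ("0.0.0.0/0",      "192.168.1.1", "Ethernet", 25),
    ("0.0.0.0/0",      "10.0.0.1",    "Wi-Fi",    35),
    ("192.168.1.0/24", "on-link",     "Ethernet", 281),
    ("10.0.0.0/24",    "on-link",     "Wi-Fi",    291),
    ("192.168.0.0/16", "10.0.0.1",    "Wi-Fi",    36),  # broad static route on the second NIC
]

def select_route(routes, dest_ip):
    """Pick the route as an IP stack does: longest prefix first, then lowest metric."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = []
    for net, gateway, iface, metric in routes:
        network = ipaddress.ip_network(net)
        if dest in network:
            # Negative prefix length so that min() prefers the most specific route.
            candidates.append((-network.prefixlen, metric, gateway, iface, net))
    if not candidates:
        return None
    _, _, gateway, iface, net = min(candidates)
    return {"network": net, "gateway": gateway, "interface": iface}

def check_first_hop(routes, dest_ip, vigor_lan_ip):
    """Return (ok, message); ok is True only if the first hop is the Vigor Router."""
    route = select_route(routes, dest_ip)
    if route is None:
        return False, f"no route to {dest_ip}"
    if route["gateway"] == "on-link":
        # The PC believes the destination is on its own LAN and never uses a gateway.
        return False, f"{dest_ip} is treated as local on {route['interface']}"
    if route["gateway"] != vigor_lan_ip:
        return False, (f"{dest_ip} leaves via {route['gateway']} on {route['interface']} "
                       f"(route {route['network']}), not via {vigor_lan_ip}")
    return True, f"{dest_ip} goes to {vigor_lan_ip} on {route['interface']}"

if __name__ == "__main__":
    # First table contains the broad static route, second one does not.
    for table in (SAMPLE_ROUTES, SAMPLE_ROUTES[:4]):
        print(check_first_hop(table, "192.168.11.10", "192.168.1.1"))
```

With the 192.168.0.0/16 route present, the check fails even though the lowest-metric default gateway is Vigor Router, which is the case a first-hop check with “tracert” would reveal.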
Does the remote PC allow ping?
Ping (ICMP Echo request) is the simplest way to check if we can access the remote host. However, it is common for the firewall on the PC to block ping requests, and that might be the reason why we couldn't get ping replies.
Does the router have a Firewall that blocks the access?
Check if both routers have Firewall Rules that may block the traffic from or to the remote network. We may also disable Data Filter on both routers as a test.
Does the router have Route Policies that might send the traffic to another interface?
Check Route Policies and Static Routes on both routers, and see if the router might have sent the traffic to an interface other than the VPN. We may also disable the route policy as a test.
Do both networks use the same IP subnet?
Please note that if the IP of the Local Network and the Remote VPN Network are the same, both of them should be translated before establishing a VPN. (See the article here for detailed instructions.)
Is IPsec AH in use while either of the routers is behind NAT?
Please note that IPsec with AH cannot pass through NAT, so if any of the routers is behind NAT, it is necessary to create the IPsec tunnel with ESP instead.