VPN/routing HELP!

Similar Questions

• Remote access VPN routing

  Hello

  I'm having a problem on the VPN routing.

  The VPN client is connected correctly to ASA5510, but cannot access inside ASA and the Internet or another network. What I want to achieve is.

  [email protected] / * / -> ASA5520 (public IP)-> Inside (172.16.1.0)

  The VPN address pool uses 172.168.10.0 (I also tried 172.16.1.100 - 120 with the same network from the inside).

  interface GigabitEthernet0/0

  nameif outside

  security-level 0

  IP address a.a.a.a 255.255.255.0

  !

  interface GigabitEthernet0/1

  nameif inside

  security-level 100

  IP 172.16.1.1 255.255.255.0

  IP local pool vpnpool 192.168.10.1 - 192.168.10.254 mask 255.255.255.0

  access extensive list ip 172.16.1.0 inside_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  internal VPNstaff group strategy

  attributes of Group Policy VPNstaff

  4.2.2.2 DNS server value

  Protocol-tunnel-VPN IPSec

  type tunnel-group VPNstaff remote access

  attributes global-tunnel-group VPNstaff

  address vpnpool pool

  Group Policy - by default-VPNstaff

  IPSec-attributes tunnel-group VPNstaff

  pre-shared-key *.

  Hello

  A quick test, try this.

  -Turn on nat - t (if its disable)

  Command: crypto isakmp nat-traversal 20

  see if it helps.

  If not,

  -Run a continuous ping from the client to the ASA inside the interface, make sure that you run the command 'management-access to inside' before you start with the ping.

  -Time our RESPONSE ICMP or inside the interface... ?

  If time-out, then

  -Check the number of decrypts using the command "show crypto ipsec his"

  If ICMP response to inside interface is received by the VPN client.

  -Ping to an internal host behind the ASA.

  -"Show crypto ipsec his"

  IF you have received responses if first test then here you should see decrypts number increases.

  -Apply the catches on the inside of the interface

  You can consult the document below

  http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080a9edd6.shtml

  -If you see the package source as VPN client interface to reach the inside interface for the destination of the host behind the ASA, then its a problem with your routing internal.

  In case you have an L3 device connected to the ASA inside the interface, make sure that you have a route for GW subnet 192.168.1.x as ASA inside the interface i.e. 172.16.1.1 score

  If his L2 or a dumb device, then as a quic test, make the following statement of the road using the command-line in windows on the host computer behind the asa participant in this test.

  route add 192.168.1.0 mask 255.255.255.0 172.16.1.1

  Please let me know if it helps.

  Concerning

  M

• Cisco IOS - access remote VPN - route unwanted problem

  Hello

  I recently ran into a problematic scenario: I am trying to connect to a remote LAN (using a Cisco VPN client on my windows xp machine) my office LAN and access a server there. The problem is that I need a remote local network access at the same time.

  Remote LAN: 172.16.0.0/16

  LAN office: 172.16.45.0/24

  Topology:

  (ME: 172.16.10.138/25) - (several subnets form 172.16.0.0/16) - (Internet cloud) - (VPN-Gateway) - (172.16.45.0/24) - (TARGET: 172.16.45.100)

  To provide access, I configured a VPN to access simple distance on a 1700 series router. It's the relevant part:

  (...)

  crypto ISAKMP client config group group-remote access

  my-key group

  VPN-address-pool

  ACL 100

  IP local pool pool of addresses-vpn - 172.16.55.1 172.16.55.30

  access-list 100 permit ip 172.16.45.100 host 172.16.55.0 0.0.0.31

  (...)

  The configuration works fine, I can access the 172.16.45.100 server every time I need to. However, the problem is that when the VPN connection is connected, Windows wants to somehow rout the packets intended for 172.16.0.0/16 through the VPN tunnel. This is apparently due to a static route that added by the Cisco VPN Client and all other specific VPN routes.

  I suspect that the culprit is the IP LOCAL POOL, since when the VPN is connected, debugging of Client VPN log shows something like "adapter connected, address 172.16.55.1/16. Focus on the part "/ 16". I checked the VPN status page and the only road indicated there was "172.16.45.100 255.255.255.255" under remote routes. Local routes was empty.

  Is this a known problem I missed the obvious solution for? Is there no workaround apart from the pool local vpn penetrating high-end 10.x.x.x or 192.168.x.x? Thank you in advance for advice or tips!

  Hello

  The best way is to avoid any overlap between the local network and VPN pool.

  Try 172.17.0.0/16, is also private IP address space:

  http://en.Wikipedia.org/wiki/Private_network

  Please rate if this helped.

  Kind regards

  Daniel

• VPN router to router with overlapping of internal networks

  Hello Experts,

  A small question. How to configure a VPN router to router with overlap in internal networks?

  Two of my internal networks have ip address 192.168.10.0 and 192.168.10.0

  No link or config will be appreciated. I searched but no luck.

  Thank you

  Randall

  Randall,

  Please see the below URL for the configuration details:

  Configure an IPSec Tunnel between routers with duplicate LAN subnets

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml

  Let me know if it helps.

  Kind regards

  Arul

  * Please note all useful messages *.

• Tips to add a VPN router to my current network configuration

  Dear all

  My apologies if the answer to this question already exists, however, I searched in many situations and none seem to match what I'm after.

  I currently have an ISP modem/router in Bridge mode connected to a TC of Apple which is my wireless router, I have 2 Express airport connected to this acting as the extensors of the range.  I have a VPN service through the MyPrivate network I activate on the desired device when required and everything works fine.

  What I want to do now is to be able to use my AppleTV and burning Amazon via the VPN as well so you need to add a VPN router in the configuration.  I want to finish with 2 wireless networks running together for these devices who need VPN and those who are not.  I don't want to lose the opportunity to extend the network to express it however airport.

  If someone could explain to me if this is possible and if so how do I set up the network.

  Thanks in advance

  Mark

  Basically you would need a device that supports VPN-passthrough and VLANS for your goals of networking. MyPrivate network, seems to be a VPN SSL, which is a user-server configuration. In other words, you install a client VPN on your Mac and you connect to the VPN network MyPrivate server to establish a VPN tunnel.

  Networking two or more "separated", should be using a router that supports VLAN services. Each segment of VIRTUAL local area network, in essence, would be a separate, she either wired or wireless network or a combination of both. This would probably be the 'easiest' part for the installation program.

  Now how combining the two would be the question, and I don't know what would be the best way, or even if it is possible.

  A few thoughts:

  • Use a router that supports VLANS. Create at least two VIRTUAL LAN segments. One for Apple TV & Burns, one for Internet access in general. Connect the device to VPN client host on the first segment, and configure for Internet sharing.
  • Download a dedicated VPN network application that supports hosting of third-party VPN clients, like yours. You would still need a router that supports VLAN to provided separate network segments.
  • Hire a consultant network. Let them know what you the goals of networking and ask them to offer potential solutions.

• QuickVPN - could not do a ping the remote VPN router!

  Hello

  I have a RV042 (VPN router) and I have some problems to run properly using the QuickVPN client.

  Here is the Log of the QuickVPN client.

  2008-10-15 20:14:38 [STATUS] a network interface detected with 192.168.0.104 IP address
  2008-10-15 20:14:38 [STATUS] connection...
  2008-10-15 20:14:38 [STATUS] connection to a remote gateway with IP address: 96.20.174.84
  2008-10-15 20:14:38 [WARNING] server certificate does not exist on your local computer.
  2008-10-15 20:14:44 remote gateway [STATE] has been reached with https...
  2008-10-15 20:14:44 [STATUS] commissioning...
  2008-10-15 20:14:51 [STATUS] Tunnel is connected successfully.
  2008-10-15 20:14:51 [STATUS] verification of network...
  2008-10-15 20:14:55 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:14:58 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:15:01 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:15:05 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:15:08 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:15:11 [WARNING] Ping has been blocked, which can be caused by an unexpected disconnection.
  2008-10-15 20:15:19 [STATUS] disconnection...
  2008-10-15 20:15:25 [STATUS] Tunnel is disconnected successfully.

  I don't know how it is implemented, but if WuickVPN wait a form ping my router, it will not happen. I was never able to ping my router ouside of my ISP network.

  There is a way to disable the Ping process and continue with the VPN connection?

  QuickVPN try ping on the router via the VPN tunnel to check the connection. It should work without worrying about whether your ISP filters ICMP messages or not. The tunnel is encrypted your ISP won't know what you're doing.

  Please post the corresponding on the RV042 VPN log. That is expected to see how far you get.

  You have a firewall running on the computer? I think that some firewalls have difficulty with the traffic of ESP.

  What is the router that is connected to the computer? How is it that is configured?

• Best Soho - Split Tunnel VPN router

  Hi - I'm looking for some advice for a soho router.

  Basically the main feature, I'm looking for is to run, which I think is a VPN split tunnel, so that all internal clients route default traffic out to the gateway of the ISP. However, if the traffic is destined for a list of several specific subnets (x.x.x.x/24, y.y.y.y/24 etc.), then it should establish a tunnel to an only PPTP/IPSEC host and route remote traffic for these subnets via the tunnel.   To be clear, that these subnets (x.x.x.x and y.y.y.y) is not attached to the end of the tunnel - which is a gateway device that will route them further.

  I've been watching the various VPN router offers and is not clear to me if I can do it with a RV - 042, BEFVP41 or something like the other thing SRP521W I must be able to manipulate the routing tables directly on.

  As an additional note, I have complete control over the end of SOHO - but simply an account at the end of the tunnel with (it is a service provider).  The idea is to use public services for 90% of the traffic, but if customers want to access a specific set of addresses, it will forward this specific traffic through the tunnel.

  Thanks in advance...

  On current view, do not touch the RPS with a bargepole.

  Adding access to additional subnets through a VPN tunnel is pretty standard, routing will be automatic if the VPN was established, but you must ensure that

  1. politics VPN at BOTH ENDS allows your local subnet to access these networks

  2. your subnet is not incompatible with other subnets or roads that can be used on remote networks

  3. assuming you're OK so far, remote subnets must have a route is added to the default gateway to point to your subnet via intermediate networks

  Good luck!

• Help to activate SSL VPN router Cisco 1941

  Hello.

  I have a router Cisco 1941 and want to activate my SSL VPN license on it. How can I go about it?

  Best regards Tommy Svensson

  Hi Tommy,.

  Please try and download the PDF of the same link.

  I hope this helps.

  Kind regards

  Anisha

  P.S.: Please mark this message as answered if you feel that your request is answered. Note the useful messages.

• Need help with native VPN client for Mac to the Configuration of the VPN router RV082

  Guys,

  I am trying to set up router RV082 VPN Client with native Mac for my remote access. However, no matter what I did, I'm not able to make works. Can any give me an example of how to set my router RV082 and Mac Book Pro (Mountain Lion)?

  Thank you

  Hi Jixian, the native client MAC does not work. The IPSEC VPN client is the same as the 5.x Cisco VPN client is not supported on this device.

  Your alternatives are to use PPTP or a 3rd party IPsec client such as ipsecuritas.

  -Tom
  Please evaluate the useful messages

• For three buildings with VPN routing tables

  Can someone tell me how to configure routing for the following tables

  I have three location.  All three have a static public IP address

  I need to have a VPN to each location at each location

  A = 192.168.0.x

  B = 192.168.1.x

  C = 192.168.2.x

  There are virtual private networks

  A to B and a-C

  B to A and B to C

  C to A and C of the B

  So what I need to know, is what are the internal traffic routing tables remains in the VPN and external traffic is routed on the local connection.  I don't want a situation where site A sends internet traffic on to B and then to the world.

  Thanks for the help

  Basically, the IP address assigned on the security group Local and remote security group who are the only traffic that stays on the VPN.

• Cisco VPN router VPN client commercial provider

  Hello

  IM new Cisco VPN technology so please forgive my ignorance.

  I am trying to connect my router to a comercial that support IPSec VPN provider gave me only that here the server ip, user name and password Secret.

  With this information, that I can, for example, to connect with an iPhone using the monofamille in Cisco's VPN IPSec.

  My question is how I put this up directly on a cisco router, or using CCP or config?

  Thanks in advance for all the help/pointers

  with the info given, there are the following config:

  Crypto ipsec VPN ezvpn client
  connect auto
  Astrill key way2stars group
  client mode
  Peer 1.2.3.4
  Astrill-email Astrill-password username password

  Sent by Cisco Support technique iPad App

• ASA - create a backup via VPN route

  I have a normal life (non - VPN) connection point to point between 2 x ASAs and I would like to create a link of relief using a VPN on our corporate network cloud. I tried to do, following configs example Cisco but the VPN is not upward when the route taken breaks down.

  NB. This isn't a default route, just a road to one 27.

  Here's the configs of sla/track (I'm confident with the VPN configuration, why have not included here):

  FW1

  Route between sites 192.168.61.0 255.255.255.224 10.20.30.3 1 track 1
  Route corp-outside 0.0.0.0 0.0.0.0 10.92.215.225 1
  Route 192.168.61.0 255.255.255.224 corp-outdoor 10.92.215.225 100

  monitor SLA 100
  site type echo protocol ipIcmpEcho 10.20.30.3 inter interface
  NUM-package of 3
  frequency 10

  monitor als 100 calendar life never start-time now

  track 1 rtr 100 accessibility

  FW2

  Route between sites 192.168.60.0 255.255.255.224 10.20.30.1 1 track 1
  Route corp-outside 0.0.0.0 0.0.0.0 10.72.215.225 1
  Route 192.168.60.0 255.255.255.224 corp-outdoor 10.72.215.225 100

  monitor SLA 100
  site type echo protocol ipIcmpEcho 10.20.30.1 inter interface
  NUM-package of 3
  frequency 10

  monitor als 100 calendar life never start-time now

  track 1 rtr 100 accessibility

  When I stop one side track interface, the route taken is removed from the routing table and replaced by the backup through the interface corp-outdoor path.

  However, the VPN is not running and I see a lot of:

  Could not locate the next hop for prod-inside:192.168.61.8/51583 to inter-site:192.168.60.5/11322 routing TCP

  .. .errors in the newspapers. You can see that packets are still trying to be sent to the interface between the sites , which is no longer in the routing table.

  Any help appreciated

  Hello Handsy,

  Simply by curiosity, asuming that you are pointing to the internet to a public IP address, traffic from when creating the exemption nat for the site to the site you use the command "route search"?

  Example for nat exemption:

  NAT (inside, outside) static source local-Lan Lan Local static destination remote control Remote-Lan Lan non-proxy-arp-search to itinerary.

  The route search command should make the package to look first in the routing table before performing the nat and therefore to follow the correct path.

  If you can run a command Packet-trace to check the path followed by the traffic while testing the option from site to site.

  for icmp:

  Packet-trace entry icmp 8 0 detailed

  for tcp (based on your timeline):

  Packet-trace entry tcp 192.168.61.8 51583 192.168.60.5 11322 detailed

  Kind regards

  Miguel

• WAN with 3 routers RV320 and client VPN routing

  We have 3 locations with routers RV320 - WAN1/LAN1-192.168.10.0, WAN2/LAN2-192.168.20.0, WAN3/LAN3-192.168.30.0. Locations are connected via VPN and users in each office can be connected to others.
  I connect to the Home Office with Cisco VPN Client. When I connect via VPN to the office '1' and then I get the 192.168.12.0 network address and I can ping network 192.168.10.0 and connect to servers on the network. Unfortunately I can not connect to other networks (from offices '2' and '3'). What should I set on routers? Static routes? How?

  Thanks in advance

  Adam

  Hello Adam,.

  Looks like you have the Cisco VPN Client configured in shared tunnel mode.  In this mode the traffic associated with the specific network specified in the configuration of the tunnel will be sent through the tunnel, all the rest just use your normal internet connection.  However, you can change this in the configuration of 320 to a full tunnel. All your traffic will then be sent through the tunnel, and the RV should just drive through the tunnel from site to site, suitable for any office network you want to reach.

  Note, however, that this will send all your traffic, including any web browsing and nothing else happening on your PC, through the connection of the VPN Client.  This isn't necessarily a bad thing, I just wanted you to be aware of it.

  Hope that helps and thanks for using Cisco,

  Christopher Ebert - Advanced Network Support Engineer

  Cisco Small Business Support Center

  * Please note the useful messages *.

• Client VPN routing issue

  I am trying to configure client vpn software ver 5.0 for remote to connect to the local network behind a 1801 users.

  I can get the client saying its connected but traffic is not circulate outside in:

  When I try to ping an address 192.168.2.x behind the 1801 I get a response from the public ip address but then when I try to ping to another address I have no answer.

  I guess the question is associated with NAT.

  Here is my config, your help is apprecited

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  encryption password service

  !

  host name C#.

  !

  boot-start-marker

  boot-end-marker

  !

  enable password 7 #.

  !

  AAA new-model

  !

  AAA authentication login userauthen local

  AAA authorization groupauthor LAN

  !

  AAA - the id of the joint session

  !

  IP cef

  !

  IP domain name # .local

  property intellectual auth-proxy max-nodata-& 3

  property intellectual admission max-nodata-& 3

  !

  Authenticated MultiLink bundle-name Panel

  !

  username password admin privilege 15 7 #.

  !

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group 1801Client

  key ##############

  DNS 192.168.2.251

  win 192.168.2.251

  field # .local

  pool VpnPool

  ACL 121

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

  !

  Crypto-map dynamic dynmap 10

  Set transform-set RIGHT

  !

  map clientmap client to authenticate crypto list userauthen

  card crypto clientmap isakmp authorization list groupauthor

  client configuration address map clientmap throwing crypto

  client configuration address map clientmap crypto answer

  10 ipsec-isakmp crypto map clientmap Dynamics dynmap

  !

  Archives

  The config log

  hidekeys

  !

  property intellectual ssh time 60

  property intellectual ssh authentication-2 retries

  !

  interface FastEthernet0

  address IP 87. #. #. # 255.255.255.252

  IP access-group 113 to

  NAT outside IP

  IP virtual-reassembly

  automatic duplex

  automatic speed

  clientmap card crypto

  !

  interface BRI0

  no ip address

  encapsulation hdlc

  Shutdown

  !

  interface FastEthernet1

  interface FastEthernet8

  !

  ATM0 interface

  no ip address

  Shutdown

  No atm ilmi-keepalive

  DSL-automatic operation mode

  !

  interface Vlan1

  IP 192.168.2.245 255.255.255.0

  IP nat inside

  IP virtual-reassembly

  !

  IP pool local VpnPool 192.168.3.200 192.168.3.210

  no ip forward-Protocol nd

  IP route 0.0.0.0 0.0.0.0 87. #. #. #

  !

  !

  no ip address of the http server

  no ip http secure server

  the IP nat inside source 1 interface FastEthernet0 overload list

  IP nat inside source static tcp 192.168.2.251 25 87. #. #. # 25 expandable

  Several similar to the threshold with different ports

  !

  access-list 1 permit 192.168.2.0 0.0.0.255

  access-list 113 allow host tcp 82. #. #. # host 87. #. #. # eq 22

  access-list 113 permit tcp 84. #. #. # 0.0.0.3 host 87. #. #. # eq 22

  access-list 113 allow host tcp 79. #. #. # host 87. #. #. # eq 22

  access-list 113 tcp refuse any any eq 22

  access-list 113 allow host tcp 82. #. #. # host 87. #. #. # eq telnet

  access-list 113 permit tcp 84. #. #. # 0.0.0.3 host 87. #. #. # eq telnet

  access-list 113 allow host tcp 79. #. #. # host 87. #. #. # eq telnet

  access-list 113 tcp refuse any any eq telnet

  113 ip access list allow a whole

  access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

  access-list 121 allow ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

  !

  control plan

  !

  Line con 0

  line to 0

  line vty 0 4

  transport input telnet ssh

  !

  end

  you have ruled out the IP address of the customer the NAT pool

  either denying them in access list 1

  or do road map that point to the loopback address as a next hop for any destent package for your pool to avoid nat

  first try to put this article in your access-lst 110

  access-list 110 deny 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

  access-list 110 permit 192.168.2.0 0.0.0.255 any

  sheep allow 10 route map

  corresponds to the IP 110

  remove your old nat and type following one

  IP nat inside source overload map route interface fastethernet0 sheep

  rate if useful

  and let me know, good luck

• [Solved] RV082 - SRP527W site-to-site VPN - routing table?

  Hello

  I am trying to create a VPN IPSEC link between 2 offices. The VPN connection is created, and I can connect but only one way.

  Customers in the Office B seems to have a routing problem. Can you help me?

  Details :

  Office:

  -Router SRP527W.

  -Network client: 192.168.0.0 / 24

  -Internal address: 192.168.0.254 / 24

  B office:

  -RV082 router (behind another router)

  -Network client: 192.168.6.0 / 24

  -Internal address: 192.168.6.253 / 24

  -Internal address that goes to the Router 1: 192.168.5.253

  internal address of the Router - 1: 192.168.5.254

  Page layout:

  Office---> SRP527W---> INTERNET<----- global="" router=""><------ rv082="">< office="">

  192.168.0.254 192.168.5.254 5,253 6.254

  Details VPN:

  Office:

  -remote type SUBNET = 192.168.6.0 group / 24

  -local group = SUBNET 192.168.0.0/24

  -Address ID = 82.127.XXX.XXX

  B office:

  -remote type = SUBNET 192.168.0.0/24 Group

  -local group = SUBNET 192.168.6.0 / 24

  -IP address = 192.168.5.253 (accessed from the Internet through the 1st router with the IP 37.1.XXX.XXX)

  Facts:

  A desktop, I can ping everything in 6.0 addresses.

  Office B, I cannot ping anything in 0.0 subnet addresses. The router itself with the diagnostic page, works of ping 192.168.0.1? But no other ping. Curious...

  The desktop computer B routing table shows the following:

  Active routes:

  Destination network mask network Adr. Gateway Adr. interface metric

  0.0.0.0 0.0.0.0 192.168.6.253 192.168.6.10 10

  127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

  192.168.6.0 255.255.255.0 192.168.6.10 192.168.6.10 10

  192.168.6.10 255.255.255.255 127.0.0.1 127.0.0.1 10

  192.168.6.255 255.255.255.255 192.168.6.10 192.168.6.10 10

  224.0.0.0 240.0.0.0 192.168.6.10 192.168.6.10 10

  255.255.255.255 255.255.255.255 192.168.6.10 192.168.6.10 1

  255.255.255.255 255.255.255.255 192.168.6.10 3 1

  255.255.255.255 255.255.255.255 192.168.6.10 1 40005

  Default gateway: 192.168.6.253

  ===========================================================================

  Persistent routes:

  None

  Tracert from computers to Office B shows that the packages have arrived at 192.168.6.253, and then it never achieved anything.

  The problem is related to the architecture of Office B?

  See the files attached to a layout of Office B and the routing of the router table to Office B.

  Thank you.

  Enable NAT - T on the RPS and configure the remote ID as 192.168.5.253 in the IKE policy.

  Not sure about the RV and if supporting NAT - T.  It can automatically detect the NAT - T, or need to be configured (in this case, you configure the local identification)

  Andy.