@Vento 

Hi,

What technology of VPN are you using for that? WIreGuard? OpenVPN? IPsec? L2TP?

Could you paste some screenshots of your VPN's configuration for both - Main and Branch offices (blur any sensitive data ofc)?

Cheers :)

Hi @Vento 

Thanks for posting in our business forum.

Like Raru wrote.

Not able to judge what might be wrong. Site-to-Site is a typical use case and it worked as we have tested on all models.

Suspect your config.

First of all thank you everybody for looking into this.

Here some clarification and the requested config screenshots.

I am using Site-To-Site VPN in "Manual IPsec" Mode.

First of all I would like to clarify:

The tunnel shows up under "Insights" -> "VPN Status" as connected, in both directions (in/out), on both gateways. See screenshots below.

Whenever I change Remote Gateway IP, PSK, or LocalID/RemoteID to anything wrong/silly, the tunnel status goes away under "Insights" -> "VPN Status". As expected.

Whenever I change the settings back to what I have now (see screenshots below), the tunnel comes back as connected. As expected.

--> my conclusion: It's probably not the VPN Policy Settings, but probably a routing issue. I hope I am wrong! :-)

However, even when the tunnel shows "VPN Status" as connected, no traffic seems to be routed through the VPN tunnel.

I have tried ICMP/Ping, TCP/HTTP(80), TCP/SSH(22) and others.

Here the "Insights" -> "VPN Status" from both sides:

"Main Office" gateway:

"New Branch" gateway:

And here are the VPN Settings:

"Main Office" gateway:

"New Branch" gateway:

Any hints greatly appreciated!

  @Vento 

1. Do your TP-Link routers have Public IP? Or those are behing a NAT (ISP's device with public IP)?

2. Can you also show routing table?

3. Do you have any ACLs configured on those Gateways? If yes, can you share those as well?

  @RaRu Thanks!

> 1. Do your TP-Link routers have Public IP? Or those are behing a NAT (ISP's device with public IP)?

Yes, both sides are NOT behind any NAT, and they DO have fixed static global IPs.

> 2. Can you also show routing table?

No static routes have been defined.

The 'actual' routing table (under "Insights"->"Routing Table") shows no mention of any subnet on the "other side".

Do I need to set static routes manually, maybe? I have played around with this, but with no luck so far.

> 3. Do you have any ACLs configured on those Gateways? If yes, can you share those as well?

No ACLs in use.

  @Vento 

I don't see any issue here...

I'm just trying to compare that with my IPsec config which is working...

Can you try to change (in both configurations) the Local Networks setting, from Network to Custom IP - and provide there your local Network address and Mask? Just for testing.

Then disable the server and after few seconds enable it again. Test the ping after that.

BTW. Are you able to test the PING directly from controller (Tools tab)? Does the ping from there work (to ping opposite Gateway)?

  @RaRu thanks again...

> I don't see any issue here...

> I'm just trying to compare that with my IPsec config which is working...

What is most puzzling to me: the tunnel shows as "connected" under "Insights"->"VPN Status"!

So I suspect the gateway WAN IP's are correct, NAT is not an issue, and so on... the VPN handshake is successful! The tunnel is UP!

> Can you try to change (in both configurations) the Local Networks setting, from Network to Custom IP - and provide there your local Network address and Mask? Just for testing.

> Then disable the server and after few seconds enable it again. Test the ping after that.

Just tried that. Nothing changed.

> BTW. Are you able to test the PING directly from controller (Tools tab)? Does the ping from there work (to ping opposite Gateway)?

I have tried everything that came to my mind:

 - Tried using commandline ping from devices (Win/Linux) in either local network (luckily I have TeamViewer access as a temporary hotfix at the moment to do this...). I can ping devices and the local gateway fine in either subnet, but NOT accross subnets --> no routing seems to take place. Also tried traffic other than ICMP/ping: HTTP(80), SSH(22), with no luck.

 - Tried using PING directly from controller (Tools tab), tried using LAN and WAN interfaces there --> no success. Same as above: Can ping stuff in the local subnet (and also on the big global worldwide net...), but not in the "other" subnet. Not even the LAN IP of the "other" gateway.

  @Vento 

Hmmm, out of curiosity... Can you try to disable Block WAN ping option as well as enable Broadcast Ping?

(Yes, I know that you were also trying to SSH and other thing except the ping. Just for science!)

  @Vento 

I just recreated the same setting you have in your IPsec and it totally worked for me, right out of the box. No ACLs, no additional routing...

But I do have those ping options allowed.

  @Vento 

Last time I had an issue with VPN config (OpenVPN client couldn't connect to the server) I just decided to delete the OVPN server config, reboot the device and create totally new OVPN server. 

Then it started to work. 

I know it's not a solution but maybe there's something in routers memory/config that's making a problem. Maybe it would be a good idea to start again from the very beginning.