Greetings all,
Been banging the head against the wall for a few days now which is fine as I've managed to learn a few new things.
Still have one problem that I could use a nudge in the right direction on. I suspect it's something obvious but the brain is probably missing it.
Outline:
1) Typical office LAN with MT 3011 gateway. 192.168.150.0 on inside, static public IP on outside. 3011 gateway carries an existing site to site VPN that works fine to remote facility. Router internal IP is 192.168.150.1 and serves as default gateway for everything on internal LAN.
2) Added 2nd MT 3011 strictly for road warriors to do an IKEv2/IPsec with certificates setup. Router internal IP is 192.168.150.2
3) Certificates are set up and working fine. I am able to connect with an office laptop from an outside public IP, be authenticated on the VPN router, that part is cool. Remote IP pool via VPN router is 192.168.230.x and remote connections get an IP assigned from this pool just fine.
4) Office GW router has a static route to router #2 (VPN router) for the VPN subnet (192.168.230.x).
5) I can ping from office PCs to the remote laptop just fine.
6) I can ping from the remote laptop to the VPN router IP just fine (192.168.230.1).
7) I CANNOT ping from remote laptop to office LAN host IPs. Example is LAN Windows host PC 192.168.150.79.
8) I CAN ping from LAN PC to remote LT, cannot do the reverse.
9) If I add a MANUAL route on the Office Windows PC that points the VPN pool subnet (192.168.230.x) to the VPN router (192.168.150.2), I CAN ping from the remote laptop into the office PC without any problems. If I REMOVE the static route, I cannot ping from the remote laptop to the internal PC.
Experimentation with various firewall rules confirms that my packets are getting sent from the remote IP pool (230.x) into the local pool (150.x) just fine, but my replies are getting "lost", even though the office GW router has a static route to the VPN pool.
Adding to the confusion is that if I ping from Office LAN PCs to the remote Laptop, the pings work just fine, so it's not a remote Laptop firewall problem.
Any suggestions?
Cheers,
Rob
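As an added illustration (not part of Rob's post or his router configs), the Python model below reproduces the topology from the outline (gateway .1 with the step 4 static route, VPN router .2, PC .79, a constructed laptop address in the 230.x pool) and traces each direction of a ping with and without the step 9 manual host route. It shows which hops forward the echo request versus the echo reply; a stateful firewall on the gateway that forwards only the reply half of a flow has never seen the request that flow belongs to.

```python
import ipaddress

# Constructed model of the topology in the post (example only, not the poster's config):
# office LAN 192.168.150.0/24 with gateway .1 and VPN router .2, remote pool 192.168.230.0/24.
LAN = ipaddress.ip_network("192.168.150.0/24")
POOL = ipaddress.ip_network("192.168.230.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
GW, VPN_RTR, PC = "192.168.150.1", "192.168.150.2", "192.168.150.79"
LAPTOP = "192.168.230.10"  # assumed address handed out from the pool

# Per-node routing tables: (prefix, next hop); next hop None means directly connected.
BASE_TABLES = {
    GW: [(LAN, None), (POOL, VPN_RTR)],        # step 4: static route for the pool via the VPN router
    VPN_RTR: [(LAN, None), (POOL, None)],      # LAN on one side, IKEv2 pool on the other
    PC: [(LAN, None), (ANY, GW)],              # step 1: default gateway only
    LAPTOP: [(POOL, None), (LAN, VPN_RTR)],    # tunnel delivers LAN-bound traffic to the VPN router
}

def next_hop(table, dst):
    """Longest-prefix match; returns dst itself when the destination is directly connected."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r[0]]
    if not matches:
        return None
    _, hop = max(matches, key=lambda r: r[0].prefixlen)
    return str(dst) if hop is None else hop

def trace(tables, src, dst, max_hops=8):
    """List of nodes a packet from src to dst traverses (src excluded, dst included)."""
    path, node = [], src
    while node != dst and len(path) < max_hops:
        node = next_hop(tables[node], dst)
        if node is None:
            return path + ["unroutable"]
        path.append(node)
    return path

def with_host_route(tables):
    """Step 9: the PC gets a manual route for the VPN pool pointing at the VPN router."""
    patched = {k: list(v) for k, v in tables.items()}
    patched[PC].insert(0, (POOL, VPN_RTR))
    return patched

def gateway_view(tables, initiator, responder):
    """What the office gateway forwards of a flow: (sees the request, sees the reply)."""
    return GW in trace(tables, initiator, responder), GW in trace(tables, responder, initiator)

if __name__ == "__main__":
    for label, t in (("default GW only", BASE_TABLES), ("with host route", with_host_route(BASE_TABLES))):
        print(label, "laptop->PC:", gateway_view(t, LAPTOP, PC), "PC->laptop:", gateway_view(t, PC, LAPTOP))
```

With only the default gateway, the laptop-to-PC flow reaches the gateway as a reply with no preceding request (step 7), while the PC-to-laptop flow presents the gateway with the request first (step 5); the host route takes the gateway out of the path entirely (step 9).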