I have an established site-to-site VPN over which I cannot ping a remote host, and the remote network cannot ping a host on mine. The log shows packets leaving my outer interface but the request times out. The admin of the other network describes the same result. I have a CCR1009 v6.46.6. He has a Palo Alto PA3020 running version 9.07. Our host firewalls are not blocking ICMP.
Why can we not ping remote hosts? Thanks.
I believe the only relevant info you need (knowing the VPN is established) is:
add comment="new county policy" dst-address=172.xx.xx.0/24 peer="County Peer" \
proposal="County Proposal" sa-dst-address=161.xx.xx.126 sa-src-address=\
216.xx.xx.94 src-address=192.xx.xx.0/24 tunnel=yes
The first NAT rule in the NAT list:
add action=accept chain=srcnat comment="County VPN" dst-address=\
and the route:
add distance=1 dst-address=172.xx.xx.0/24 gateway=E2StaffWAN