Currently I'm labbing a situation where I'll need to have branch users route to a vendor through HQ via IPsec tunnels. Users at my branch can access Web/HQ services through the HQ firewall, but not when accessing the vendor. Logs on HQ show the attempts to the vendor from the branch office, but nothing but incompletes/aged-outs.
From HQ, I do see active connections for Phase II for the branch/vendor connection, but of course no encap/decaps.
Also, I do have redistribution profiles for the Branch and Vendor connections on the HQ firewall.
Just found this, which I'm spot on. I do worry that my vendor side might be incorrect.
So I found the problem, or "more of a design issue".
The dynamic VPN setup on my branch side is the issue to the vendor. I realized that when setting up a direct connection from branch to vendor. The vendor does not support NAT-T!!!! Doh!!!! Which is why I would see the outbound encaps but no decaps back on the HQ side.
Back to the drawing board... Hopefully this stops someone from spinning their wheels.
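The symptom described in this thread (encaps climbing on the HQ side with decaps stuck at zero) is something you can check for mechanically before digging into NAT-T or the vendor's configuration. The script below is an added example, not code from the original post or from Palo Alto Networks; it parses a constructed block of per-tunnel counter lines whose layout is an assumption loosely modelled on `show vpn flow` output, and flags any tunnel that is sending ESP but never receiving any back.

```python
import re

# Constructed sample, NOT captured firewall output. The tunnel names and the
# "encap packets" / "decap packets" field layout are assumptions for this example.
SAMPLE = """\
tunnel  branch-to-vendor
        id:                     2
        encap packets:          512
        decap packets:          0
tunnel  branch-to-hq
        id:                     1
        encap packets:          9031
        decap packets:          8870
"""

TUNNEL_RE = re.compile(r"^tunnel\s+(\S+)")
COUNTER_RE = re.compile(r"^\s*(encap|decap) packets:\s+(\d+)")


def parse_tunnels(text):
    """Turn the counter dump into a list of {name, encap, decap} dicts."""
    tunnels = []
    current = None
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            current = {"name": m.group(1), "encap": 0, "decap": 0}
            tunnels.append(current)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2))
    return tunnels


def one_way_tunnels(tunnels):
    """Names of tunnels that encapsulate traffic but never decapsulate any.

    Outbound-only ESP is the pattern the post ran into: the far end could not
    return traffic because it did not support NAT-T on a dynamic-IP peer.
    """
    return [t["name"] for t in tunnels if t["encap"] > 0 and t["decap"] == 0]


if __name__ == "__main__":
    for name in one_way_tunnels(parse_tunnels(SAMPLE)):
        print(f"{name}: encap without decap; verify return path and NAT-T support on the peer")
```

Run it against a real counter dump (adjusting the two regexes to the exact field names your platform prints), and any tunnel it lists is worth checking for the same mismatch: a NAT in the path on one side and a peer that does not negotiate NAT-T.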