DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Can't SSH or Ping Public Servers Over VPN

22 Jan 2022 11:58 #1 by sabreur
I have 5 local addresses NAT'ed to public IPs. A LAN-to-LAN VPN connects 2 branch offices to each other and to head office, using 2860n's at Head Office and Branch A and a 2820nP in Branch B.

Originally, the LAN used L2TP with IPsec policy and I could SSH to the public servers from the branch offices but on upgrading to IPsec Tunnel I am unable to do this and must use the public addresses. The triangle topology was to provide an alternative route in the event of a failure. That is not possible now.

Is this a limitation of IPsec or is it a configuration issue?


22 Jan 2022 15:38 #2 by hornbyp
Replied by hornbyp on topic Re: Can't SSH or Ping Public Servers Over VPN
Sounds to me like a routing configuration issue, though it could conceivably be a DNS problem ... you've not really detailed the nature of the failure. (Ping, traceroute and nslookup are the tools to use.)

Out of curiosity, why is the swap from L2TP/IPsec to just IPsec seen as an 'upgrade'?


23 Jan 2022 18:25 #3 by sabreur
Replied by sabreur on topic Re: Can't SSH or Ping Public Servers Over VPN
Originally Branch A had a TP-Link box that didn't support IPsec. That died and I replaced it with a 2860n.
I thought IPsec was better; maybe my ignorance is showing! Do you recommend changing back?

Traceroute

To the public server's local IP:
  1     7 ms     2 ms     4 ms  router201 [192.168.20.1]
  2    52 ms    49 ms    48 ms  router101 [192.168.10.1]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

To any other machine:
  1     2 ms     2 ms     2 ms  router201 [192.168.20.1]
  2    48 ms    49 ms    48 ms  router101 [192.168.10.1]
  3    51 ms    52 ms    51 ms  lima101 [192.168.10.19]

Results are the same using hostname or IP.


23 Jan 2022 19:10 #4 by hornbyp
Replied by hornbyp on topic Re: Can't SSH or Ping Public Servers Over VPN
sabreur wrote:
    I thought IPsec was better; maybe my ignorance is showing!

I can't find any definitive evidence on the web, either way, but I've always been of the opinion that an extra layer of authentication has got to help! Doubtless there's a performance overhead, though.

sabreur wrote:
    Traceroute etc.

I started to think about this and realised such a topology is actually quite involved. I can think of lots of issues, gotchas and different ways of doing it, so maybe backtrack a bit...

You said it worked before, so did you just change the 'type' of VPN in an existing LAN-to-LAN profile, or did you set up new ones? Could you have missed something, especially from the "More" option?

Likewise, are you sure you've emulated whatever was on the TP-Link?

It strikes me, that for this to work properly, some kind of Routing topology information has to be exchanged between nodes (RIP/OSPF/BGP etc). See: Draytek's words of wisdom on the matter

I don't think triangulation of a VPN necessarily gives you much practical benefit. As in, if a link goes down, it's because of loss of internet connectivity (at one end or the other) - so your alternate route is lost at the same time.

Also, who dials who? Do each of the three nodes initiate (dial-out) to the other two?

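The two things the thread turns on, where the traceroute stops answering and whether the VPN profile actually carries the traffic, can be checked mechanically. Policy-based IPsec (the DrayTek "IPsec Tunnel" type) only encrypts packets that match a local-network/remote-network selector pair configured on the profile, and each end has its own pairs, so a packet can cross the tunnel to head office and its reply still be sent out the WAN in the clear if the head-office profile does not list the servers' subnet as a local network. Below is an added example, not code from the forum thread or from DrayTek, that parses a Windows-style tracert and checks both directions of a flow against constructed selector sets. The branch LAN 192.168.20.0/24 and head-office LAN 192.168.10.0/24 are taken from the posted traceroutes; the head-office DMZ subnet 192.168.30.0/24 for the NAT'ed public servers, the host addresses, and the profile contents are assumptions for illustration.

```python
"""Check policy-based IPsec selector coverage in both directions and find
the last hop that answered in a traceroute.

Added example, not from the thread. Subnets 192.168.20.0/24 (branch) and
192.168.10.0/24 (head office) appear in the posted traceroutes; the DMZ
192.168.30.0/24, the hosts and the profile contents are constructed.
"""
import ipaddress
import re

# Constructed: branch profile lists both head-office subnets as remote networks.
BRANCH_PROFILE = [
    ("192.168.20.0/24", "192.168.10.0/24"),
    ("192.168.20.0/24", "192.168.30.0/24"),
]
# Constructed: head-office profile with only its LAN as the local network ...
HQ_PROFILE_BEFORE = [("192.168.10.0/24", "192.168.20.0/24")]
# ... and the same profile after the DMZ is added as a second local network.
HQ_PROFILE_AFTER = HQ_PROFILE_BEFORE + [("192.168.30.0/24", "192.168.20.0/24")]

# Constructed tracert output in the same shape as the thread's (assumed DMZ host).
TRACE_PUBLIC = """Tracing route to 192.168.30.5
  1     7 ms     2 ms     4 ms  router201 [192.168.20.1]
  2    52 ms    49 ms    48 ms  router101 [192.168.10.1]
  3     *        *        *     Request timed out.
"""
TRACE_LAN = """Tracing route to lima101 [192.168.10.19]
  1     2 ms     2 ms     2 ms  router201 [192.168.20.1]
  2    48 ms    49 ms    48 ms  router101 [192.168.10.1]
  3    51 ms    52 ms    51 ms  lima101 [192.168.10.19]
"""


def tunnel_covers(src, dst, selectors):
    """True if some (local, remote) pair matches src->dst. A packet matching no
    pair is not encrypted at all, whatever the routing table says."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(loc) and d in ipaddress.ip_network(rem)
               for loc, rem in selectors)


HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def last_responding_hop(trace):
    """Return (hop_number, ip) of the last hop that answered, or None."""
    last = None
    for line in trace.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line, blank line, or not a hop row
        ip = IP_RE.search(m.group(2))
        if ip:       # '* * * Request timed out.' rows carry no address
            last = (int(m.group(1)), ip.group(1))
    return last


def diagnose(src, dst, trace, near_selectors, far_selectors):
    """Combine the traceroute with the selector check on both ends.

    near_selectors: pairs on the router next to src; far_selectors: pairs on
    the router next to dst, checked for the reply direction dst->src.
    """
    last = last_responding_hop(trace)
    if last and last[1] == dst:
        return "reachable"
    if not tunnel_covers(src, dst, near_selectors):
        return "forward traffic matches no selector at the near end: never enters the tunnel"
    if not tunnel_covers(dst, src, far_selectors):
        return "return traffic matches no selector at the far end: reply leaves via WAN"
    where = f"after hop {last[0]} ({last[1]})" if last else "before the first hop"
    return f"selectors fine; look at routing or filtering {where}"


if __name__ == "__main__":
    print(diagnose("192.168.20.50", "192.168.10.19", TRACE_LAN,
                   BRANCH_PROFILE, HQ_PROFILE_BEFORE))
    print(diagnose("192.168.20.50", "192.168.30.5", TRACE_PUBLIC,
                   BRANCH_PROFILE, HQ_PROFILE_BEFORE))
    print(diagnose("192.168.20.50", "192.168.30.5", TRACE_PUBLIC,
                   BRANCH_PROFILE, HQ_PROFILE_AFTER))
```

With the constructed "before" profile the LAN host is reachable but the DMZ host fails on the return leg, which matches a traceroute that gets as far as the head-office router and then times out; with the DMZ added to the head-office profile both directions are covered and what is left to check is the router's own routing or firewall. An L2TP/IPsec link does not have this failure mode because it presents a routed virtual interface, so any destination whose route points at it is carried, which is one reason a "downgrade" back to L2TP can appear to fix a selector mistake.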