Hi everyone,

If I do any more reading I will develop square eyes.

I have a 2860 (home) and a 2925 (office); each has two LANs.

2860 = dial-in
192.168.11.0/24 <- PCs, server access, Internet, etc.
192.168.12.0/28 <- note, small subnet, inter-servers >
2925 = dial out
192.168.13.0/24 <- PCs, server access, Internet, etc.
192.168.14.0/28 <- note, small subnet, inter-servers >
The idea is the servers are allowed to sync via the small subnets on each router (and between office and home). I need the servers only to access one another. All local traffic (PCs) are to either access the servers or the internet. Locally, everything is working great. Server-server traffic is happening on the smaller (LAN2) subnet, and PC-server or PC-internet traffic is happening on the 'base' LAN1 subnet.

Now comes the problem. I need to establish a server-server link between office and home i.e. 2860:LAN2 <-> 2925:LAN2 (and I specifically do not want a link from 2860:LAN1 <-> 2925:LAN1)

Have set up LAN-LAN VPN using LAN2 addresses, and have, according to the diagnostics, a working link between routers.
Connection management shows VPN as 'up' and diagnostics routing table confirms 'private static' routing through VPN, i.e.:
"IPsec Tunnel | 3DES-SHA1 Auth | xxx.xxx.xxx.xxx via WAN1 | 192.168.12.0/28"
"S~ 192.168.12.0/ 255.255.255.240 via xxx.xxx.xxx.xxx VPN-1"
(the 'home' router has opposite addresses).

According to all the stuff I've read, any activity destined for the "other side" should be routed via the VPN;
i.e. I should have an open data path between 192.168.12.0/28 <-> 192.168.14.0/28.

I don't !!

Using a PC on LAN2 on each router:
I can access home router from office (i.e. dial-in from dial-out)
I can not access office router from home
I can not set up a static route on either router (simply fails and returns to screen as if I did not do anything).
Bi-lateral traffic between the severs (as well as certain admin functions I should be able to access across this VPN) is blocked.

This is driving me demented. Surely the router diagnostics is saying I should be conversing across this VPN as if the two subnets were 'one' ?

What's the magic step I'm missing ? (before I fall deeper into the depressive state this is driving me to).

Marc.

I can't spot exactly what's wrong, but I reckon you're on the right track trying to set up a static route...

...however, you probably need to do this using the "MORE" tab of the LAN-to-LAN entry, or (for more flexibility) in the "Route Policy" settings. (i.e. you tell the router about the other networks that are available via the VPN). It may be that you need to add some firewall rules to stop the unwanted connections that ensue, when it finally bursts into life.

@hornbyp,

Thanks for this.

I've looked at everything, I do honestly think something is wrong (incompatible) inside the firmware of either the 2860 or 2925. Everything is as per Draytek's own instructions and faultfinding guides. As far as I am concerned there should be an open link between the two networks and they should be successfully bridged by the VPN.

Time to give support a hard time, me thinks!