eventually sussed it. there was a routing rule to force voip traffic generally out over WAN2. I have now amended that so that only VOIP traffic destined for the Voip provider gets routed that way and so now a ping works from the far end. thank you so much for your help, I have leant much and am pleased to have sorted this after many hours!

One other question though if I may Hornbyp. All my dial in VPN users show as green under connection amnagement (date encrypted) but this Lan to Lan shows black (data is not encrypted). Is this normal and how would I get it to go green i.e. how would i ensure the data on the L2L VPN is encrypted?

many thanks again

sorted - changed t 3DES and all good.

steve1984 wrote:
sorted - changed to 3DES and all good.

Ah - I assumed it was an incompatibility between the two routers, but couldn't quite figure it out...

The 2860 can use more 'complex keys options' (i.e. in the IKE phase 2 proposal list, there are options that the 2850 can't manage). But - since the 2850 initiates the link, this wouldn't apply (everything the 2850 might use, is supported by the 2860)

I'm guessing, that in the 'Dial-out Settings', you had "IPsec Security Method" set to "Medium (AH)" ? ...

I don't know what "AH" is intended for, nor why it is the default, but the result is an unencrypted link

You shouldn't have to 'drop' as far as "3DES"..."AES with Authentication" should work.