Channel: General Networking

Connectivity Issues (Devices over VPN)


My company has had me move locations off of our old MPLS network in favor of IPSec VPN solutions. I have done 6 locations so far and made foolproof instructions, including pictures, to ensure accuracy when I ship the devices. My branches use SSG-5s and my corporate office is using an SSG-140. The provided static IP from the ISP worked and my VPN came up without a hitch; then the confusion set in... 3 days and counting.

I created my IKE VPN and have connectivity between the two locations. The following pings are successful.

Branch IP                Corporate IP

10.10.18.1 (SSG-5)       10.10.23.250 (SSG-140)

Clients can ping each other's routers' internal IPs

10.10.18.100 (PC) ---> 10.10.23.50 (NAS)

10.10.18.100 (PC) ---> 10.10.23.60 (PRTG Server)

10.10.18.50 (WiFi) <--- 10.10.23.75 (My PC)

These pings fail: (so do my telnet sessions)

10.10.18.100 (PC) ---> 10.10.23.205 (AIX Server)

10.10.18.100 (PC) <---> 10.10.23.75 (My PC) - Both ways fail.

Sorry, writing this with limited time, so the end result is a VPN that has been rebuilt twice since working fine originally. Checking the policies, we by default just do an ANY ANY ANY SERVICE ALLOW rule for Trust to Trust, so telnet is not blocked. If I build a custom rule for no timeout and put a log on it, I see the request go through and a Juniper error of "CLOSE - Age Out" as the reason after 20 seconds.

End result: a perfectly fine VPN can ping each other's network devices, but it only seems to be HTTP-capable devices, odd. ANY service is allowed, and tracerts run fine to any of the successful pings above but always fail after hitting the other router's external IP if going to an unreachable host.

If anyone has any ideas at all, I would be eternally grateful. My pride has made me bang my head on this for three days, but enough is enough; my company needs this functioning. It's a simple network and the KISS method has worked so far, but this one just has me confused beyond belief.

Thanks in advance.

