This might not be a BM problem at all, but hopefully some kind person
can help.

I'm attempting to connect a LAN to another using a site-to-site VPN. The
remote site has a Zyxel Prestige 662HW router, the other is a Novell
BorderManager 3.8 server. It's already doing S2S with another Zyxel box
- this time a ZyWall - at another site.

I have created the IPSec tunnel successfully, and the SA is up and
stable. Traffic goes from the remote network (192.168.254.0) to host
network fine (192.168.0.0) - using a sniffer I can see the traffic
arrive at the host network, and doing a PING from remote to host I can
see the ICMP echo try to go back to the remote. However, the reply
arrives at the 662HW and goes no further. In the Zyxel's logs I can see:

1 10/11/2004 12:36:44 Triangle route packet forwarded: ESP 217.xx.xx.162 80.yy.yy.225 ACCESS FORWARD
2 10/11/2004 12:36:43 Triangle route packet forwarded: ESP 217.xx.xx.162 80.yy.yy.225 ACCESS FORWARD
3 10/11/2004 12:36:43 Triangle route packet forwarded: ESP 217.xx.xx.162 80.yy.yy.225 ACCESS FORWARD
4 10/11/2004 12:36:43 Triangle route packet forwarded: ESP 217.xx.xx.162 80.yy.yy.225 ACCESS FORWARD
5 10/11/2004 12:36:42 Triangle route packet forwarded: ESP 217.xx.xx.162 80.yy.yy.225 ACCESS FORWARD
6 10/11/2004 12:36:42 Triangle route packet forwarded: ESP 217.xx.xx.162 80.yy.yy.225 ACCESS FORWARD
7 10/11/2004 12:36:42 Triangle route packet forwarded: ESP 217.xx.xx.162 80.yy.yy.225 ACCESS FORWARD
8 10/11/2004 12:36:41 Triangle route packet forwarded: ESP 217.xx.xx.162 80.yy.yy.225 ACCESS FORWARD
9 10/11/2004 12:36:41 Triangle route packet forwarded: ESP 217.xx.xx.162 80.yy.yy.225 ACCESS FORWARD
10 10/11/2004 12:36:41 Triangle route packet forwarded: ESP 217.xx.xx.162 80.yy.yy.225 ACCESS FORWARD

217.xx.xx.162 is the public IP of BorderManager.
80.yy.yy.225 is the public IP of the 662HW.

It therefore looks as though the 662HW isn't dealing with the incoming
ESP traffic correctly. I've tried turning off the "triangle route
detection" on the Zyxel, but it didn't make any difference; it just
bounced off the Zyxel's firewall.

For info, from the System Status page:

- - -
System Name:
ZyNOS F/W Version: V3.40(QR.4) | 10/1/2004
DSL FW Version: TI AR7 03.00.09.00
Standard: ADSL_G.dmt

WAN Information

IP Address: 80.yy.yy.225
IP Subnet Mask: 255.255.255.255
Default Gateway: 80.yy.yy.225
VPI/VCI: 0/ 38

- - -


Can anyone please help?