That is odd, but I'll bet you find that this behavior is the same without ISA.
RRAS and the TCP/IP stack, not ISA, handle the actual packet routing.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Tuesday, December 27, 2005 4:58 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] S2S VPN: why are static routes sometimes needed?

http://www.ISAserver.org

Hi,

it seems that if an S2S VPN connection of type IPSec Tunnel is used and if the
remote tunnel endpoint can't be reached through the default gateway, then you
need to create extra static routes for the remote network IDs reachable
through that remote tunnel endpoint. I don't understand why this is needed?
Take note that there were no problems in setting up the IPSec MM and QM SAs!

To explain it better, here is a little diagram of the lab setup:

                        192.168.1.0/24
                             vvv
  LAN-A -------- [ISA-A] ---+
  192.168.22.0/24       .10 !
                            +--- [RTR] --- Internet
                            !  .1
                        .30 !
                         [RTR-B]
                            !  .1
                        .10 !
  LAN-B -------- [ISA-B] ---+
  192.168.44.0/24
                             ^^^
                        192.168.11.0/24

On ISA-A:
---------
Remote Site Network contains:
- 192.168.11.10/32
- 192.168.44.0/24
Default gateway: 192.168.1.1
Static routes configured:
- 192.168.11.0/24 Gateway 192.168.1.30
- 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???

On ISA-B:
---------
Remote Site Network contains:
- 192.168.1.10/32
- 192.168.22.0/24
Default Gateway: 192.168.11.1
No static routes configured.

Test:
-----
From a host on LAN-B ping a host on LAN-A. Without the static route
'192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the ping request
and reply on LAN-A but the reply never makes it back to LAN-B. The ping reply
just disappeared into thin air! Creating the static route and bingo, it works.
What's the logic behind this behavior?

Thanks,
Stefaan
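
Added example, not part of the original thread: a longest-prefix-match lookup over ISA-A's route table from the lab setup, showing which gateway a packet for a LAN-B host is handed to with and without the second static route. It assumes the destination inside the tunnel is resolved against the ordinary IP routing table, in line with the reply's point that the TCP/IP stack does the routing; the host address 192.168.44.50 and the function names are constructed.

```python
import ipaddress

# ISA-A's route table as described in the post (gateway None = directly connected).
BASE_ROUTES = [
    ("0.0.0.0/0",       "192.168.1.1"),   # default gateway
    ("192.168.1.0/24",  None),            # external segment, on-link
    ("192.168.22.0/24", None),            # LAN-A, on-link
    ("192.168.11.0/24", "192.168.1.30"),  # static route towards ISA-B's segment
]
# The static route the post asks about.
EXTRA_ROUTE = ("192.168.44.0/24", "192.168.1.30")


def next_hop(routes, destination):
    """Return the gateway picked by longest-prefix match, or 'on-link'."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1] or "on-link"


def compare(destination):
    """Next hop for one destination, without and with the extra static route."""
    return {
        "without_static_route": next_hop(BASE_ROUTES, destination),
        "with_static_route": next_hop(BASE_ROUTES + [EXTRA_ROUTE], destination),
    }


if __name__ == "__main__":
    # 192.168.44.50 is a constructed LAN-B host; 192.168.11.10 is ISA-B itself.
    for dst in ("192.168.44.50", "192.168.11.10"):
        print(dst, compare(dst))
```

Without the 192.168.44.0/24 entry, only the default route matches a LAN-B address, so the lookup returns 192.168.1.1 instead of 192.168.1.30, while the tunnel endpoint 192.168.11.10 resolves to 192.168.1.30 in both cases.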