
Please Help : IPsec VPN Tunnel Established, but no Traffic


Archived from groups: comp.dcom.vpn

 

My Local Network
DSL -> Linksys BEFSR41 - SBS 2003 External Nic - SBS 2003 Internal Nic
( does DHCP for LAN) - Win XP workstation
I use ISA as Firewall

Remote VPN Server
Netscreen x25

My XP workstation is using Netscreen Remote to connect to the Netscreen
X25 . It is IPSec based.

Here is the Log:
14:35:48.218 Interface added: 192.168.16.23/255.255.255.0 on LAN "Intel(R) PRO/100 VE Network Connection".
14:41:31.718
14:41:32.859 RequestLocalAddress failure: C24BF02
14:41:32.859 My Connections\company - Initiating IKE Phase 1 (IP ADDR=12.36.191.2)
14:41:32.875 My Connections\company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
14:41:32.953 My Connections\company - Received message from wrong IP Address = c0a81002
14:41:36.953 My Connections\company - RECEIVED<<< ISAKMP OAK AG (SA, VID, VID, KE, NON, ID, HASH, VID, NAT-D, NAT-D)
14:41:36.968 My Connections\company - Peer is NAT-T capable
14:41:36.968 My Connections\company - NAT is detected for Client
14:41:36.984 My Connections\company - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D, NAT-D, NOTIFY:STATUS_INITIAL_CONTACT)
14:41:36.984 My Connections\company - Established IKE SA
14:41:36.984 MY COOKIE b2 1d 72 d4 f5 f2 2d 7b
14:41:36.984 HIS COOKIE d4 15 80 df 2 3f 1a d1
14:41:37.000 My Connections\company - Initiating IKE Phase 2 with Client IDs (message id: BA73E63A)
14:41:37.000 Initiator = IP ADDR=192.168.16.23, prot = 0 port = 0
14:41:37.000 Responder = IP SUBNET/MASK=10.10.1.0/255.255.255.0, prot = 0 port = 0
14:41:37.000 My Connections\company - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID, ID)
14:41:37.062 My Connections\company - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, KE, ID, ID, NAT-OA, NOTIFY:STATUS_RESP_LIFETIME)
14:41:37.062 My Connections\company - SENDING>>>> ISAKMP OAK QM *(HASH)
14:41:37.078 My Connections\company - Loading IPSec SA (Message ID = BA73E63A OUTBOUND SPI = D2961D8E INBOUND SPI = 7CA77B9B)
14:41:37.078
14:41:37.109 My Connections\company - RECEIVED<<< ISAKMP OAK INFO *(HASH, DEL)

So, it looks like the tunnel is established. But I can not ping the
remote network clients or access the SQL server that I want to connect
to.

Looks like I am connected But NO traffic.
I looked in the Linksys router logs
It has outbound logs for UDP 500 and nothing else.
I have enabled IPsec Pass Through on the server.

Does anyone of you know if Netscreen is NAT-T? Because I would think I
should see traffic on UDP port 4500 (encapsulating ESP IP 50 over UDP
ports).

I am stumped as to why there is no traffic. That is what the Admin on
the remote site says: he sees the Tunnel established but no traffic.

1) Could it be that the Router is not really doing IPsec Pass Through?

2) Even if the router doesn't do IP pass Through, I would think if the
VPN router and VPN client both support NAT-T, that should be fine, right?
Then I should see UDP traffic on port 4500?

I would appreciate it if someone would post any suggestions on how to
troubleshoot this. I could try to take the Linksys router out and
connect the External NIC of SBS to DSL Modem directly but it's a pain to
change the settings back and forth, and I want to do it only if that
will solve the issue.

Thanks for your help
KOde
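
Added example (not part of the original post): a small Python parser that pulls the troubleshooting-relevant facts out of the client log above: the NAT-T negotiation result, the loaded SPIs, the hex source address in the "wrong IP Address" line, and how soon the Delete notification followed the SA load. The function name summarize and the reading of c0a81002 as a big-endian IPv4 address are assumptions; the sample lines are taken from the log with the wraps rejoined.

```python
import ipaddress
import re

# Constructed sample: lines from the log in the post, with the wraps rejoined.
SAMPLE_LOG = r'''
14:35:48.218 Interface added: 192.168.16.23/255.255.255.0 on LAN "Intel(R) PRO/100 VE Network Connection".
14:41:32.859 My Connections\company - Initiating IKE Phase 1 (IP ADDR=12.36.191.2)
14:41:32.953 My Connections\company - Received message from wrong IP Address = c0a81002
14:41:36.968 My Connections\company - Peer is NAT-T capable
14:41:36.968 My Connections\company - NAT is detected for Client
14:41:37.078 My Connections\company - Loading IPSec SA (Message ID = BA73E63A OUTBOUND SPI = D2961D8E INBOUND SPI = 7CA77B9B)
14:41:37.109 My Connections\company - RECEIVED<<< ISAKMP OAK INFO *(HASH, DEL)
'''

LINE = re.compile(r"(\d+):(\d+):(\d+)\.(\d{3})\s+(.+)")

def summarize(log):
    """Pull the troubleshooting-relevant facts out of a client IKE log."""
    s = {"local_net": None, "peer": None, "wrong_src": None,
         "wrong_src_on_lan": None, "nat_t": False, "spis": None, "del_ms_after_sa": None}
    peer_cap, nat_seen, sa_ms = False, False, None
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        h, mi, sec, ms, msg = m.groups()
        t = ((int(h) * 60 + int(mi)) * 60 + int(sec)) * 1000 + int(ms)
        if g := re.search(r"Interface added: ([\d.]+)/([\d.]+)", msg):
            s["local_net"] = ipaddress.ip_network(f"{g[1]}/{g[2]}", strict=False)
        elif g := re.search(r"Phase 1 \(IP ADDR=([\d.]+)\)", msg):
            s["peer"] = g[1]
        elif g := re.search(r"wrong IP Address = ([0-9a-fA-F]{8})$", msg):
            # Assumption: the client prints the IPv4 source as big-endian hex.
            s["wrong_src"] = ipaddress.IPv4Address(int(g[1], 16))
        elif "Peer is NAT-T capable" in msg:
            peer_cap = True
        elif "NAT is detected" in msg:
            nat_seen = True
        elif g := re.search(r"OUTBOUND SPI = (\w+) INBOUND SPI = (\w+)", msg):
            s["spis"], sa_ms = (g[1], g[2]), t
        elif "RECEIVED" in msg and "OAK INFO" in msg and "DEL" in msg and sa_ms is not None:
            s["del_ms_after_sa"] = t - sa_ms  # Delete payload seen after the SA load
    s["nat_t"] = peer_cap and nat_seen  # with RFC 3947 NAT-T, ESP then rides in UDP 4500
    if s["wrong_src"] and s["local_net"]:
        s["wrong_src_on_lan"] = s["wrong_src"] in s["local_net"]
    return s

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On this log it reports wrong_src as 192.168.16.2, an address inside the 192.168.16.0/24 LAN from the "Interface added" line, and a Delete notification 31 ms after the IPSec SA was loaded.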
