@BT2025 

Hi,

1. Do you have Public IP address on 3rd site?

2. Do you have double NAT on 3rd site? If yes, have you took care of port forwarding?

3. Does VPN between 1 and 3 work if you terminate VPN between 1 and 2?

4. What are logs for VPN 1 and 3 connection attempts?

Cheers

  @RaRu 

Thanks for your help.

1. Yes, as fair as I can see with online tools

2. I don't know. How can I check this please?

3. No, even if I shut down or even if I delete VPN between site 1 & 2, VPN between site 1 & 3 still don't work.

4. I don't see much things in logs except ''VPN created succesfully'' and ''VPN deleted succesfully''... But in ''Audit Log'' I see one event : ''Certificate of Test failed to export'' Could this be a thing?

Other/new elements :
 

I suspected my modem witch is in bridge mode to have some sort of Firewall causing issues, so I tested Client-to-site VPN with OpenVPN and it works Flawless both ways, so I think the modem isn't an issue...

I saw something strange this morning : when I create the VPN in ER605 of Site 1, I don't see site 3 int he ''Remote Site'' choices, so I can't set up the VPN in ER605 of site 1... But if I go in ER605 of site 3, I see site 1 in ''Remote Site'' and can create the VPN... I find this weird...

And lastly, I don't know if I already wrote this, but in site 3, WAN works through PPPoE, which is something I never worked with... Could this causes issue? Is there something different I need to do regarding VPN in PPPoE WAN environnement?

Thanks for your help!

  @BT2025 

Hi,

1. So when you go to yougetsignal [dot] com => What Is My IP Address you can see the same IP address there, as you have assigned to your router on WAN?

2. Double NAT when you have for example Router from your ISP (which behaves as router) and your own router (TP-Link). You said that your ISP's device (on site 3) is set up in Bridge Mode... If there is some Firewall on that device, try to disable it for few minutes to check if that will allow for VPN to establish. Also, check on yougetsignal [dot] com => Port Forwarding Tester if port you use for VPN connection is open on site 3. Put there your Public IP and port (from site 3). The result should show OPEN to work properly:

Client to Site is a little bit different way of connection. Many times C2S works when S2S doesn't.

  @RaRu Thank you so mich for your Help.

1. the IP obtained with the tool is the same as the ip Address of my WAN.

2. Assuming Auto IPSec is using the same ports as Manuel IPSec, I tested ports 500 and port 4500, wich are both closed... On the other hand, I tested with IP of Site 1, which has a working Auto IPSec VPN with Site 2, and ports 500 and 4500 are also closed, So I assume I don't check the good ports... Do you know which ports are used with Auto IP Sec?

I'm more and more thinking my ISP's Hub which is bridged as some firewall features activated, as S2S VPN is not working either with Site 2... I'll try to call them, but don't have great hopes as Tech support is often very basic with them...

Or do you thing I should open ports directly on my ER605 in site 3? If so, do you know which port to open?

Thank you!

  @BT2025 

Hi,

Opening ports on ER605 won't change anything. 

First thing I would test is to upgrade your ER605. In your 1st post there's an info that you are using 2.1.6 fw. I thing, the last available fw now is 2.2.6.

Reaching out to your ISP is also good idea, to ask them if they have some firewall set up on their device or something.

Regarding the ports, I would also go with 500 and 4500

You could always try to set manual the IPsec... To check if it will start to work then. Try different config.