I have an IPSEC VPN between two ER-Pros that seems erratic at best and completely broken as a realist.
There are no users there currently, but we have some SIP phones and other devices I am trying to manage. On my Asterisk server I see the registration messages come in and get responded to from the remote phones; doing a tcpdump on my WAN interface, I see some of the same messages, and "show vpn ipsec sa" shows occasional traffic (and regular periods of no tunnel up). All the traffic does not seem to be accounted for in the firewall logs though; I am a little lost there.
When I first brought the tunnel up, it was reliable for about a half-hour, then disconnected, only to reconnect with some reliability every 6-8 hours. When it reconnected I was occasionally able to ssh into the router (if it lasted long enough), but the situation did not improve. Yesterday I added in NAT-Exclude directives for site-to-site LAN traffic to see if that would help things, but no real change.
The two sites each have 100Mb fiber service, and the provider gateway devices have all firewalling turned off.
The two config files are attached; the NYC site does not reflect the (matching) changes to NAT rules as my "remote hands" were unable to download the config (and it didn't improve anything, so not worth fighting through for another hour).
Any help is really appreciated. We are trying to take the site live next week, and it looks like that might not happen at my current pace.
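For readers hitting the same NAT-exclude question, here is what that rule looks like in EdgeOS configure-mode syntax. This is an added illustration, not the poster's attached config: the subnets (192.168.10.0/24 local, 192.168.20.0/24 remote), the WAN interface (eth0) and the rule numbers are placeholders, and the real config files are not reproduced here.

```text
# configure-mode commands on the local ER-Pro (placeholder addresses/interface)
configure

# Exclude site-to-site LAN traffic from masquerade so it enters the tunnel
# with its private source address intact. Rule 5000 is numbered BELOW the
# general masquerade rule so it is evaluated first.
set service nat rule 5000 description 'exclude VPN LAN-to-LAN from NAT'
set service nat rule 5000 type masquerade
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 source address 192.168.10.0/24
set service nat rule 5000 destination address 192.168.20.0/24
set service nat rule 5000 exclude

# General outbound masquerade for internet traffic (evaluated after 5000)
set service nat rule 5010 description 'masquerade to WAN'
set service nat rule 5010 type masquerade
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 source address 192.168.10.0/24

commit
save
exit

# operational-mode checks after the change
show nat rules
show nat statistics
show vpn ipsec sa
show vpn ipsec status
```

The remote ER-Pro needs the mirror-image rule (its own LAN as source, this LAN as destination). Two things are worth checking when the exclude does not appear to change anything: that the exclude rule number is lower than the masquerade rule so it wins the ordering, and that the source/destination pair matches the tunnel's local/remote prefixes exactly, otherwise the NATed packets never match the IPsec policy and the tunnel shows only sporadic traffic in "show vpn ipsec sa".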