site to site vpn ipsec tunnel pc1 ping to pc2 not work

pcfreak49
Level 1

I have a problem with my site-to-site IPsec VPN tunnel. First I want to ping between PC1 and PC2, but that does not work. How can I fix this?

38 Replies

Hi,

taken from your configs:

R1
ip nat inside source list 1 interface GigabitEthernet0 overload
access-list 1 permit 10.10.10.0 0.0.0.7  ------>NAT ACL
access-list 100 permit ip 94.227.144.0 0.0.15.255 94.227.144.0 0.0.15.255     ----->CRYPTO ACL

R2
ip nat inside source list 1 interface GigabitEthernet0 overload

access-list 23 permit 10.10.10.0 0.0.0.7    Where is ACL 1?
access-list 23 permit any ??
access-list 100 permit ip 94.227.144.0 0.0.15.255 94.227.144.0 0.0.15.255    ----->CRYPTO ACL

So on R1 you must NAT-exempt traffic from 10.10.10.0 to 20.20.20.0

so the commands are:

-no access-list 1

-ip access-list extended NAT

deny ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7

permit ip 10.10.10.0 0.0.0.7 any

-no ip nat inside source list 1 interface gig0

-ip nat inside source list NAT interface gig0

Then you must change your crypto ACL:

-ip access-list extended 100

no 10

permit ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7

On R2: create an ACL for NAT where you exempt 20.20.20.0 to 10.10.10.0

-ip access-list extended NAT

deny ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7

permit ip 20.20.20.0 0.0.0.7 any

-no ip nat inside source list 1 interface gig0

-ip nat inside source list NAT interface gig0

Then change crypto ACL:

-ip access-list extended 100

no 10

permit ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7

Regards.

Alain.

Don't forget to rate helpful posts.

of PC1 that is connected to R1, R2 and I can ping to ip address to another, but different to that of PC2 associated with R2 and R1 can not ping to ip address to another

I don't understand anything in this phrase

You want to ping from one LAN to the other, ok? What is not working? Have you tried what I posted above?

Regards.

alain.

Don't forget to rate helpful posts.

I can ping from R1 to R2 but otherwise not

Ok, but you don't want to ping from LAN to LAN? And you left the configs you posted.

Regards.

Alain.

Don't forget to rate helpful posts.

are the current running-config with the change wik I can ping from R1 to R2 and else, you want files of PC1 that is connected to R2 R1 copy that is connected to R2, that's my final working

Hi,

taken from your last configs:

R1
ip access-list extended NAT
permit ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7

R2:
ip access-list extended NAT
deny   ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7
permit ip 20.20.20.0 0.0.0.7 any
permit ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7

Can you confirm you want to ping from a PC on the 10 subnet to a PC on the 20 subnet and inversely?

Ok, if so, on R1 change the permit to deny in the NAT ACL and on R2 get rid of the last line, which has no use.

Then try to ping from a PC in the 10 subnet to a PC in the 20 subnet and tell us if it works: ping OK and sh crypto ipsec sa shows packets decrypted and encrypted.

Regards.

Alain

Don't forget to rate helpful posts.

These are the current running-config of R1 and R2

The VPN does not want to come up; there is nothing to see in sh crypto isakmp, it does not connect.

Hi,

If you want your tunnel to come up when pinging from PC1 to PC2, then the crypto ACL referenced in your crypto map must mention these subnets, which is not the case anymore because you again put the WAN subnet of your VPN peers in it, as you did before.

The statements in your NAT ACL are in the wrong order.

So what you did:

R1
ip access-list extended NAT
permit ip 10.10.10.0 0.0.0.7 any
deny   ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7
!
access-list 100 permit ip 94.227.144.0 0.0.15.255 94.227.144.0 0.0.15.255

R2
ip access-list extended NAT
permit ip 20.20.20.0 0.0.0.7 any
deny   ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7
!
access-list 100 permit ip 94.227.144.0 0.0.15.255 94.227.144.0 0.0.15.255

What you must do:

R1

ip access-list extended NAT
deny   ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7

permit ip 10.10.10.0 0.0.0.7 any
!
access-list 100 permit ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7


R2
ip access-list extended NAT

deny   ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7
permit ip 20.20.20.0 0.0.0.7 any

!
access-list 100 permit ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7

Regards.

Alain.

Don't forget to rate helpful posts.

I made the adjustments but the VPN does not fire up; when I look at show crypto isakmp sa there is nothing in it:

IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

Look at ACL 100 on R1: the destination must be 20.20.20.0 0.0.0.7 and not 10.10.10.0 0.0.0.7

Don't forget to rate helpful posts.

I've changed it but the VPN is not up.

These are the current configs of R1 and R2

Ok, so now the ACLs are all OK, but I just noticed you've got no route statement in your configs?

You surely got a default one from your ISP, but you have none for the traffic being tunneled, so add ip route 20.20.20.0 255.255.255.248  94.227.156.186

And the same on R2 for the 10 subnet: ip route 10.10.10.0 255.255.255.248  "R1 peer address".

Regards.

Alain.

Don't forget to rate helpful posts.

Adjusted, that is okay; there is still something to be changed: I cannot ping from R2 to a device that is connected to R1.

Ok, so from the PC1 subnet to the PC2 subnet and inversely it is OK now?

But you can't ping from R2 to the R1 subnet? If you don't specify a source in your pings it will use the interface going to the next hop,

so your WAN interface IP address as source, but it will not use the tunnel, as crypto ACL 100 denies it and no NAT will be involved,

but the destination is a private address, so not routable over the internet, so the packet is dropped.

For this ping to be successful you must permit ICMP traffic from the public IP to the other LAN in the crypto ACL and mirror it on the other side.

Is it clear enough?

Regards.

Alain.

Don't forget to rate helpful posts.
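The three rules Alain keeps coming back to in this thread (an IOS ACL is evaluated top-down and the first match wins, so the NAT-exempt deny must sit above the permit; the crypto ACL must name the LAN subnets and be an exact mirror on the peer; and a router-sourced ping from the WAN address is not "interesting traffic" unless the crypto ACL says so) can be checked offline before touching a router. The following Python script is an added example written for this page, not code from the thread or from Cisco. It parses the ACL lines quoted above, evaluates a packet against them the way IOS does, and reports whether the packet would be translated, encrypted, or dropped on the floor. The host addresses 10.10.10.1 and 20.20.20.1 and the Internet address 198.51.100.9 are constructed; 94.227.156.186 is the R2 peer address from the route statement in the thread. It assumes contiguous wildcard masks, which is all these configs use.

```python
"""Model how IOS evaluates the NAT and crypto ACLs from this thread (first match wins)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (matches every protocol) or e.g. "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec (any | host A | A WILDCARD) and return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard is an inverted mask: 0.0.0.7 -> 255.255.255.248 (/29).
    # Assumption: the wildcard is contiguous, as every ACE in this thread is.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1]))
    net = ipaddress.IPv4Network((tokens[i], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse ACE lines in numbered ('access-list 100 permit ip ...') or named ('permit ip ...') form."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] in ("!", "ip"):      # skip comments and the 'ip access-list ...' header
            continue
        if t[0] == "access-list":              # numbered form: drop 'access-list <n>'
            t = t[2:]
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, _ = _parse_addr(t, i)
        acl.append(Ace(action, proto, src, dst))
    return acl


def first_match(acl: List[Ace], proto: str, src_ip: str, dst_ip: str) -> Optional[Ace]:
    """Top-down evaluation; None models the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace
    return None


def nat_translates(nat_acl: List[Ace], src_ip: str, dst_ip: str, proto: str = "ip") -> bool:
    """'ip nat inside source list NAT ...' translates only on a permit; deny or no match = exempt."""
    m = first_match(nat_acl, proto, src_ip, dst_ip)
    return m is not None and m.action == "permit"


def is_interesting(crypto_acl: List[Ace], src_ip: str, dst_ip: str, proto: str = "ip") -> bool:
    """The crypto map encrypts a packet only if the crypto ACL permits it."""
    m = first_match(crypto_acl, proto, src_ip, dst_ip)
    return m is not None and m.action == "permit"


def acls_mirror(local: List[Ace], remote: List[Ace]) -> bool:
    """The peer's crypto ACL must be the exact mirror (src/dst swapped) of ours."""
    swapped_local = {(a.proto, a.dst, a.src) for a in local if a.action == "permit"}
    remote_set = {(a.proto, a.src, a.dst) for a in remote if a.action == "permit"}
    return swapped_local == remote_set


# --- constructed inputs, copied from the configs quoted in the thread ---
R1_NAT_WRONG = """
ip access-list extended NAT
 permit ip 10.10.10.0 0.0.0.7 any
 deny   ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7
"""
R1_NAT_FIXED = """
ip access-list extended NAT
 deny   ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7
 permit ip 10.10.10.0 0.0.0.7 any
"""
R1_CRYPTO_OLD = "access-list 100 permit ip 94.227.144.0 0.0.15.255 94.227.144.0 0.0.15.255"
R1_CRYPTO = "access-list 100 permit ip 10.10.10.0 0.0.0.7 20.20.20.0 0.0.0.7"
R2_CRYPTO = "access-list 100 permit ip 20.20.20.0 0.0.0.7 10.10.10.0 0.0.0.7"
# Extra ACE that would make a router-sourced ping from R2's WAN address interesting traffic.
R2_CRYPTO_PLUS = R2_CRYPTO + "\naccess-list 100 permit icmp host 94.227.156.186 10.10.10.0 0.0.0.7"

if __name__ == "__main__":
    pc1, pc2, r2_wan = "10.10.10.1", "20.20.20.1", "94.227.156.186"
    print("wrong order NATs PC1->PC2:      ", nat_translates(parse_acl(R1_NAT_WRONG), pc1, pc2))
    print("fixed order NATs PC1->PC2:      ", nat_translates(parse_acl(R1_NAT_FIXED), pc1, pc2))
    print("fixed order NATs PC1->Internet: ", nat_translates(parse_acl(R1_NAT_FIXED), pc1, "198.51.100.9"))
    print("old crypto ACL matches PC1->PC2:", is_interesting(parse_acl(R1_CRYPTO_OLD), pc1, pc2))
    print("R1/R2 crypto ACLs mirror:       ", acls_mirror(parse_acl(R1_CRYPTO), parse_acl(R2_CRYPTO)))
    print("R2 WAN -> PC1 icmp encrypted:   ", is_interesting(parse_acl(R2_CRYPTO), r2_wan, pc1, "icmp"))
    print("... with the extra icmp ACE:    ", is_interesting(parse_acl(R2_CRYPTO_PLUS), r2_wan, pc1, "icmp"))
```

Running it shows the failure modes in the order the thread hit them: with the permit above the deny, PC1-to-PC2 traffic is PATed to the WAN address and can never match a crypto ACL written for 10.10.10.0/29; with the deny first, LAN-to-LAN traffic is exempt while Internet traffic is still translated; the original crypto ACL built from the 94.227.144.0/20 WAN range never matches LAN packets, so ISAKMP is never triggered; and a ping sourced from the R2 WAN address only becomes interesting traffic once an ICMP entry for that host is added (and mirrored on R1).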