So, let me try to give some more details:
1. Firewall interface IP is 192.168.3.2/24 (ping enabled) and router interface IP is 192.168.3.1/24, connected directly.
2. Behind the router there are subnets 10.20.30.0/24 to 10.20.39.0/24; there is a static route for each one on the firewall, one object for each, and one group which contains all the objects. That group is used in 2-3 firewall rules.
3. All subnets can ping the firewall interface IP (192.168.3.2), and the router can ping it too.
4. New remote location is 10.20.40.0/24; added a static route, created an object and added it to the group.
5. Result: access from the central LAN to the new location is OK; pings, RDP, all the rules seem to work. Access from the remote location router or a remote location PC is impossible. The remote PC pings the router interface (192.168.3.1) but nothing further than that. Traceroutes show the expected results; they end just before the firewall interface.
6. First test: put a switch between firewall and router, connect a laptop, give it IP 192.168.3.5/24 with the router as gateway. The PC from the remote location can ping it, and it can ping the remote PC. The laptop can also ping the firewall IP and the firewall can ping it.
7. Second test: disconnect the firewall, connect the router directly to the laptop and give the laptop IP 192.168.3.2/24 with the router as gateway. The laptop can ping the remote PC, the remote PC can ping the laptop: total connectivity.
8. During the tests I checked the logs and ran sniffer/debug commands; all of them show pings from the other locations, while pings from the new remote location show up nowhere. I have also backed up the configuration and checked the file to see if the existing subnets are mentioned anywhere other than the static route, object and group. Nothing.
9. The partner that configures the VPN to the remote locations has checked the VPN configuration, with no luck.
My conclusion from all of the above is that the VPN configuration is correct. Am I right, or am I missing something? If that is true, what can I check on the firewall?
Two things that might or might not be important. First, the firewall was administered up to last year by somebody who is no longer accessible; this is the first new location we have had to add. Second, when I say router, it is not really a router but an OpenVPN server/aggregator.
I hope I have made everything clear; if not, please feel free to ask. I really appreciate your help.
post edited by serakar999 - 2017/04/20 14:35:39
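Added example, not part of the post above and not any vendor's code: a small Python model of the route lookup and the reverse-path (anti-spoofing) check a firewall applies to packets arriving on an interface, run over a constructed copy of the tables the post describes (one static route per remote /24 via 192.168.3.1, all of them collected in one address group). The central LAN range 10.10.0.0/24 and the interface names "lan" and "vpn" are assumptions. The point it demonstrates is the one check worth scripting before touching rules: a route for the new subnet that is missing, mistyped, or pointing out a different interface lets central-to-remote traffic still appear to work while the reverse-path lookup for remote-sourced packets fails; many firewalls drop such packets before rule evaluation, so they commonly never show up in the rule logs.

```python
from ipaddress import ip_address, ip_network

# Constructed tables modelled on the post. The LAN range and the interface
# names are assumptions; the VPN-side addressing is as described in the post.
def example_tables():
    interfaces = {
        "lan": ip_network("10.10.0.0/24"),      # assumed central LAN
        "vpn": ip_network("192.168.3.0/24"),    # firewall is 192.168.3.2
    }
    router = ip_address("192.168.3.1")          # OpenVPN aggregator
    group = [ip_network(f"10.20.{n}.0/24") for n in range(30, 41)]
    routes_ok = [(net, router) for net in group]
    # Same table with the new site's route mistyped as 10.20.4.0/24.
    routes_typo = [(ip_network("10.20.4.0/24") if net == ip_network("10.20.40.0/24") else net, router)
                   for net in group]
    # Same table with the new site's route pointing at a LAN-side next hop.
    routes_wrong_iface = [(net, ip_address("10.10.0.254") if net == ip_network("10.20.40.0/24") else router)
                          for net in group]
    return interfaces, router, group, routes_ok, routes_typo, routes_wrong_iface


def lookup(dst, interfaces, static_routes):
    """Longest-prefix match over connected networks and static routes.

    Returns (egress_iface, next_hop); next_hop is None for a connected route.
    Returns None when nothing covers dst (no default route is modelled).
    """
    best = None  # (prefixlen, iface, next_hop)
    for iface, net in interfaces.items():
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, None)
    for net, nh in static_routes:
        if dst in net and (best is None or net.prefixlen > best[0]):
            # The egress interface is whichever connected network holds the next hop.
            egress = next((i for i, inet in interfaces.items() if nh in inet), None)
            best = (net.prefixlen, egress, nh)
    return None if best is None else (best[1], best[2])


def rpf_ok(src, in_iface, interfaces, static_routes):
    """Strict reverse-path check: the route back to src must leave via in_iface."""
    r = lookup(src, interfaces, static_routes)
    return r is not None and r[0] == in_iface


def audit_group(group, interfaces, static_routes, router, vpn_iface="vpn"):
    """For each group member, probe one host address and report routing defects.

    Returns a list of (subnet, finding) tuples; an empty list means every
    member is reachable via the router and passes RPF on the VPN interface.
    """
    findings = []
    for net in group:
        probe = net.network_address + 1
        r = lookup(probe, interfaces, static_routes)
        if r is None:
            findings.append((str(net), "no route: ingress packets from here fail RPF"))
        elif r[0] != vpn_iface or r[1] != router:
            findings.append((str(net), f"routed via {r[0]} next hop {r[1]}, not {router}"))
    return findings


if __name__ == "__main__":
    ifs, rtr, grp, ok, typo, wrong = example_tables()
    for label, table in (("ok", ok), ("typo", typo), ("wrong_iface", wrong)):
        print(label, audit_group(grp, ifs, table, rtr) or "clean")
        print("  RPF for 10.20.40.10 on vpn:", rpf_ok(ip_address("10.20.40.10"), "vpn", ifs, table))
```

Feed the script your real route table and group instead of the constructed ones and compare `audit_group` with what the firewall's own route lookup and reverse-path settings report for a source address in 10.20.40.0/24 on the 192.168.3.2 interface.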