The L2TP tunnel is established, the address has been obtained successfully, and the gateway can be pinged, but the terminal cannot access intranet resources at the opposite end. Checking the routing table on the router shows that the routes for the two terminals have been added.
192.168.1.100/32 Direct 0 0 192.168.1.100 VA0
192.168.1.101/32 Direct 0 0 192.168.1.101 VA1
There is no problem with the routing table, so check the configuration:
description con to user
ip address 192.168.1.1 255.255.255.0
port link-mode route
description con to CN2
ip address 10.230.x.242 255.255.255.252
nat outbound 3000
ppp authentication-mode pap chap domain xxx.js
remote address pool 1
ip address unnumbered interface Vlan-interface1
At first glance there is nothing wrong with the configuration, but careful inspection shows that the VT template borrows its address from vlan-int 1, that is, the VT address and the intranet are in the same subnet. In this case, for ARP packets to be answered correctly, proxy ARP must be enabled on the intranet port: proxy-arp enable. After modifying the configuration, the problem was solved.
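The check described above can be automated. The following is an added example, not part of the original note or of any vendor tool: it reads a configuration and the client host routes, and reports L2TP clients whose addresses fall inside the subnet of the interface the VT template borrows from when that interface lacks proxy-arp enable. The interface header names in the sample are assumptions, because the configuration excerpt above omits them.

```python
import ipaddress
import re

# Constructed sample: the "interface ..." header names are assumptions,
# because the page's excerpt omits them.
CONFIG = """\
interface Vlan-interface1
 ip address 192.168.1.1 255.255.255.0
#
interface Virtual-Template1
 remote address pool 1
 ip address unnumbered interface Vlan-interface1
#
"""
# Client host routes as shown in the page's routing table.
ROUTES = """\
192.168.1.100/32 Direct 0 0 192.168.1.100 VA0
192.168.1.101/32 Direct 0 0 192.168.1.101 VA1
"""

def parse_interfaces(config):
    """Map each interface name to the list of lines in its stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.strip() == "#":
            current = None
        elif current is not None:
            current.append(line.strip())
    return stanzas

def clients_needing_proxy_arp(config, routes):
    """Return (client IP, LAN interface) pairs that LAN hosts cannot reach."""
    stanzas, findings = parse_interfaces(config), []
    borrowed = {m.group(1) for lines in stanzas.values() for ln in lines
                if (m := re.fullmatch(r"ip address unnumbered interface (\S+)", ln))}
    for lan in sorted(borrowed):
        lines = stanzas.get(lan, [])
        if "proxy-arp enable" in lines:
            continue  # the router already answers ARP on behalf of the clients
        nets = [ipaddress.ip_interface("/".join(ln.split()[2:4])).network
                for ln in lines if re.fullmatch(r"ip address [\d.]+ [\d.]+", ln)]
        for fields in map(str.split, routes.splitlines()):
            if len(fields) == 6 and fields[5].startswith("VA"):
                host = ipaddress.ip_network(fields[0])
                if any(host.subnet_of(n) for n in nets):
                    findings.append((str(host.network_address), lan))
    return findings
```

Calling clients_needing_proxy_arp(CONFIG, ROUTES) returns both clients from the routing table; once proxy-arp enable is present under the LAN interface it returns an empty list.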