topic Re: VPN routing between CP to CP and CP to 3rd Part in General Topics

VPN routing between CP to CP and CP to 3rd Part

chkrh — Tue, 07 Apr 2020 09:14:05 GMT

Hi all,

I've just managed to set up a site-to-site IPSec tunnel from a 3rd party DAIP GW to one of my centrally managed CP GW clusters. This is working great and traffic flows to and from just fine.

This CP GW cluster also participates in my global mesh community between all my other centrally managed CP GW clusters - this is all working perfectly.

My issue is, I cannot access this new site-to-site tunnel from a GW cluster outside of the one it's directly terminating on.

I'll try and outline below:

[SITE1] <centr. managed vpn - cp to cp> [SITE2] <manually configured vpn - cp to daip> [SITE3]

SITE1 to/from SITE2 = OK

SITE2 to/from SITE3 = OK

SITE 1 to/from SITE3 = FAIL

I've tried including the subnet of SITE3 in the encryption domain of SITE2, to ensure SITE1 knew how to get there as part of the global mesh community, but as this encryption domain is also used with SITE3, it causes the tunnel to drop.

Any idea on what I'm missing here? Any tips you could provide would be greatly appreciated!

Thanks!

Re: VPN routing between CP to CP and CP to 3rd Part

PhoneBoy — Wed, 08 Apr 2020 00:46:23 GMT

The encryption domain equivalent defined on Site 3 for the other sites needs to include Site 1 or it won't work.
Or IP Pool NAT may need to be used.

Re: VPN routing between CP to CP and CP to 3rd Part

chkrh — Wed, 08 Apr 2020 03:34:11 GMT

Thanks! The NAT between sites looks like it'll overcome the issue of overlapping encryption domains which I'm stuck on. I'll give it a try.

Re: VPN routing between CP to CP and CP to 3rd Part

PhoneBoy — Wed, 08 Apr 2020 03:38:42 GMT

If you have overlapping encryption domains, you definitely need NAT, possibly on both ends, to make everything work.