IPSEC encryption domains via Hub

Philip_W — Thu, 22 Nov 2018 07:59:11 GMT

Hi Checkmates,

Our customer has several meshed VPN Communities, connecting his HQ with remote sites as well as with suppliers. Situation is as follows for 3 sites:

A (Supplier - Juniper)             B (HQ CP5000)            C (RemoteSite CP14x0)
10.10.0.0/24                            10.200.10.0/24 10.200.201.0/24
10.20.0.0/16                             10.200.11.0/24 10.200.202.0/24
10.40.0.0/16                              10.200.12.0/24

10.0.0.0/8

Policy-based s2s between A and B.

Route-based s2s between B and C.

Users in Site C 10.200.201.0/24 (customer remote site) need to connect to a supplier's server in 10.40.0.0/16. This traffic is allowed and working - my predecessor configured user.def.FW1 for the tunnel between A and B.

Now, due to changes and the supplier being reluctant to configure lots of encryption domains , we were looking into changing themfor the tunnel between A and B. Plan was to set it as follows for our side:

10.200.0.0/16

But then traffic between C and A stopped working.

Finally my question:

How can we change B's encryption domain to include C's subnets? Note that also customer does not allow hide NAT because he fears this might interfere with H323 video traffic.

Kind Regards

Re: IPSEC encryption domains via Hub

Jerry — Thu, 22 Nov 2018 09:18:47 GMT

simply add 10.200.0.0/16 into the HUB EncDom

Re: IPSEC encryption domains via Hub

Philip_W — Thu, 22 Nov 2018 12:24:35 GMT

Indeed, we did. But then traffic between C and A didn't pass anymore ("packet shouldn't have been decrypted").

Going to have to dig into the user.def.FW1 file I think.

Re: IPSEC encryption domains via Hub

Jerry — Thu, 22 Nov 2018 12:59:48 GMT

what about appropiate (respective) routing is in place Philip ?

topic Re: IPSEC encryption domains via Hub in General Topics

IPSEC encryption domains via Hub

Re: IPSEC encryption domains via Hub

Re: IPSEC encryption domains via Hub

Re: IPSEC encryption domains via Hub