Ivory

VPN routing between CP to CP and CP to 3rd Party

Hi all,

I've just managed to set up a site-to-site IPSec tunnel from a 3rd party DAIP GW to one of my centrally managed CP GW clusters. This is working great and traffic flows to and from just fine.

This CP GW cluster also participates in my global mesh community between all my other centrally managed CP GW clusters - this is all working perfectly.

My issue is, I cannot access this new site-to-site tunnel from a GW cluster outside of the one it's directly terminating on.

I'll try and outline below:

[SITE1] <centr. managed vpn - cp to cp> [SITE2] <manually configured vpn - cp to daip> [SITE3]

SITE1 to/from SITE2 = OK

SITE2 to/from SITE3 = OK

SITE1 to/from SITE3 = FAIL

I've tried including the subnet of SITE3 in the encryption domain of SITE2, to ensure SITE1 knew how to get there as part of the global mesh community, but as this encryption domain is also used with SITE3, it causes the tunnel to drop.

Any idea on what I'm missing here? Any tips you could provide would be greatly appreciated!

Thanks!

 

Admin

The encryption domain equivalent defined on Site 3 for the other sites needs to include Site 1 or it won't work.
Or IP Pool NAT may need to be used.
Ivory

Thanks! The NAT between sites looks like it'll overcome the issue of overlapping encryption domains which I'm stuck on. I'll give it a try.

Admin

If you have overlapping encryption domains, you definitely need NAT, possibly on both ends, to make everything work.
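To make the two replies above concrete, here is an added example (not code from the thread, from Check Point, or from the poster) that models encryption-domain matching along the SITE1 > SITE2 > SITE3 path. It is a toy model: every subnet, gateway name, the 10.33.0.0/24 alias range and the 10.2.0.254 hide address are constructed assumptions, each hop is reduced to "does (src, dst) fall inside the local/remote domain pair, and do the two domains overlap", and NAT is applied by the forwarding gateway just before the match. Real gateways order NAT and VPN matching in their own way, so treat the four scenarios as an illustration of why the posted setup fails and how the two suggested fixes (SITE3's remote domain including SITE1, or NAT on SITE2 so SITE1 hides behind a SITE2 address and SITE3 is presented to the mesh under a non-overlapping alias) clear the checks.

```python
"""Toy model of encryption-domain matching along a two-hop site-to-site VPN.

Added example, not code from the thread or from Check Point. Subnets, gateway
names and NAT addresses are constructed assumptions. The model only checks
whether a packet's (src, dst) falls inside a domain pair on every hop, and
whether a hop's local and remote domains overlap.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable, List, Optional, Tuple

S1 = ip_network("10.1.0.0/24")         # SITE1 LAN (assumed)
S2 = ip_network("10.2.0.0/24")         # SITE2 LAN (assumed)
S3 = ip_network("10.3.0.0/24")         # SITE3 LAN behind the DAIP GW (assumed)
S3_ALIAS = ip_network("10.33.0.0/24")  # assumed alias SITE2 shows the mesh for SITE3
HIDE_ADDR = ip_address("10.2.0.254")   # assumed SITE2 address SITE1 sources hide behind

Domain = List[IPv4Network]
Nat = Callable[[IPv4Address, IPv4Address], Tuple[IPv4Address, IPv4Address]]


def in_domain(addr: IPv4Address, domain: Domain) -> bool:
    return any(addr in net for net in domain)


def overlap(a: Domain, b: Domain) -> bool:
    """True when any subnet on one side overlaps any subnet on the other."""
    return any(x.overlaps(y) for x in a for y in b)


@dataclass
class Tunnel:
    name: str
    local: Domain   # domain of the gateway forwarding into the tunnel
    remote: Domain  # domain that gateway has configured for its peer

    def carries(self, src: IPv4Address, dst: IPv4Address) -> bool:
        # An SA only carries traffic whose (src, dst) matches a domain pair.
        return in_domain(src, self.local) and in_domain(dst, self.remote)


@dataclass
class Hop:
    tunnel: Tunnel
    nat: Optional[Nat] = None  # NAT the forwarding gateway applies before matching


def check_path(hops: List[Hop], src: IPv4Address, dst: IPv4Address) -> Tuple[bool, str]:
    """Walk the hops in order and report the first thing that drops the packet."""
    for hop in hops:
        t = hop.tunnel
        if overlap(t.local, t.remote):
            return False, f"{t.name}: local and remote domains overlap; tunnel drops"
        if hop.nat is not None:
            src, dst = hop.nat(src, dst)
        if not t.carries(src, dst):
            return False, f"{t.name}: {src}->{dst} matches no domain pair; dropped"
    return True, "delivered"


# Constructed test packet: a SITE1 host talking to a SITE3 host.
PKT = (ip_address("10.1.0.10"), ip_address("10.3.0.10"))


def as_posted() -> Tuple[bool, str]:
    """Original setup: SITE2's mesh domain knows nothing about SITE3."""
    mesh = Tunnel("SITE1->SITE2 mesh", [S1], [S2])
    daip = Tunnel("SITE2->SITE3 DAIP", [S2], [S3])
    return check_path([Hop(mesh), Hop(daip)], *PKT)


def shared_domain_attempt() -> Tuple[bool, str]:
    """Poster's attempt: one SITE2 domain object [S2, S3] reused on both tunnels."""
    site2_domain = [S2, S3]
    mesh = Tunnel("SITE1->SITE2 mesh", [S1], site2_domain)
    daip = Tunnel("SITE2->SITE3 DAIP", site2_domain, [S3])
    return check_path([Hop(mesh), Hop(daip)], *PKT)


def fix_remote_domain_includes_site1() -> Tuple[bool, str]:
    """First reply: the domain the SITE2/SITE3 tunnel uses for 'the other sites'
    includes SITE1 (assumes SITE2 can present a different domain per peer)."""
    mesh = Tunnel("SITE1->SITE2 mesh", [S1], [S2, S3])
    daip = Tunnel("SITE2->SITE3 DAIP", [S2, S1], [S3])
    return check_path([Hop(mesh), Hop(daip)], *PKT)


def site2_nat(src: IPv4Address, dst: IPv4Address) -> Tuple[IPv4Address, IPv4Address]:
    """Assumed NAT on SITE2: hide SITE1 sources, map the alias range back to S3."""
    if src in S1:
        src = HIDE_ADDR
    if dst in S3_ALIAS:
        dst = S3[int(dst) - int(S3_ALIAS.network_address)]  # same host part
    return src, dst


def fix_with_nat() -> Tuple[bool, str]:
    """Second reply: NAT on SITE2 so SITE3's domain need only contain S2 and the
    mesh sees SITE3 under a non-overlapping alias."""
    mesh = Tunnel("SITE1->SITE2 mesh", [S1], [S2, S3_ALIAS])
    daip = Tunnel("SITE2->SITE3 DAIP", [S2], [S3])
    pkt = (PKT[0], ip_address("10.33.0.10"))  # SITE1 targets the alias address
    return check_path([Hop(mesh), Hop(daip, site2_nat)], *pkt)


if __name__ == "__main__":
    for scenario in (as_posted, shared_domain_attempt,
                     fix_remote_domain_includes_site1, fix_with_nat):
        print(f"{scenario.__name__}: {check_path.__name__} -> {scenario()}")
```

Only the SITE1 to SITE3 direction is walked; the return path is checked the same way with the hop order and the local/remote roles swapped, and with the NAT reversed on SITE2. The useful habit the model encodes is to test every SA's domain pair for overlap before testing whether a flow matches it, because an overlapping pair drops the whole tunnel rather than just the one flow.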