I've just managed to set up a site-to-site IPSec tunnel from a 3rd party DAIP GW to one of my centrally managed CP GW clusters. This is working great and traffic flows to and from just fine.
This CP GW cluster also participates in my global mesh community between all my other centrally managed CP GW clusters - this is all working perfectly.
My issue is, I cannot access this new site-to-site tunnel from a GW cluster outside of the one it's directly terminating on.
I'll try and outline below:
[SITE1] <centr. managed vpn - cp to cp> [SITE2] <manually configured vpn - cp to daip> [SITE3]
SITE1 to/from SITE2 = OK
SITE2 to/from SITE3 = OK
SITE1 to/from SITE3 = FAIL
I've tried including the subnet of SITE3 in the encryption domain of SITE2, to ensure SITE1 knew how to get there as part of the global mesh community, but as this encryption domain is also used with SITE3, it causes the tunnel to drop.
Any idea on what I'm missing here? Any tips you could provide would be greatly appreciated!