VPN routing between CP to CP and CP to 3rd Part

chkrh · ‎2020-04-07

Hi all,

I've just managed to set up a site-to-site IPSec tunnel from a 3rd party DAIP GW to one of my centrally managed CP GW clusters. This is working great and traffic flows to and from just fine.

This CP GW cluster also participates in my global mesh community between all my other centrally managed CP GW clusters - this is all working perfectly.

My issue is, I cannot access this new site-to-site tunnel from a GW cluster outside of the one it's directly terminating on.

I'll try and outline below:

[SITE1] <centr. managed vpn - cp to cp> [SITE2] <manually configured vpn - cp to daip> [SITE3]

SITE1 to/from SITE2 = OK

SITE2 to/from SITE3 = OK

SITE 1 to/from SITE3 = FAIL

I've tried including the subnet of SITE3 in the encryption domain of SITE2, to ensure SITE1 knew how to get there as part of the global mesh community, but as this encryption domain is also used with SITE3, it causes the tunnel to drop.

Any idea on what I'm missing here? Any tips you could provide would be greatly appreciated!

Thanks!

PhoneBoy · ‎2020-04-07

The encryption domain equivalent defined on Site 3 for the other sites needs to include Site 1 or it won't work.
Or IP Pool NAT may need to be used.

chkrh · ‎2020-04-07

Thanks! The NAT between sites looks like it'll overcome the issue of overlapping encryption domains which I'm stuck on. I'll give it a try.

PhoneBoy · ‎2020-04-07

If you have overlapping encryption domains, you definitely need NAT, possibly on both ends, to make everything work.

Are you a member of CheckMates?

VPN routing between CP to CP and CP to 3rd Part