Hello, I have one group with two 6700 gateways that has learned the 172.18.1.0/24 network through BGP and has full access to this network.
I have a few CP 1530 gateways at remote places, and all of them are connected to the Maestro GW through IPsec tunnels in the same star community. I want them to be able to reach the 172.18.1.0/24 network, so I have defined this network in the VPN encryption domain and created an "accept" policy rule. When I try to connect to the network, it fails and not even a log shows up.
In theory, this should be really simple. What could be the issue?
Are all these 1530s managed with the same management?
Have you pushed policy to all relevant gateways?
What version/JHF is Maestro running and what firmware version/build # is used on the SMB appliances?
1. It is in a different management.
2. Yes, I'm testing on exactly 2 gateways.
3. Maestro is R81.10/Take79 and SMB is running R80.30. I haven't checked the specific firmware version; I will when I can.
What does the routing at the branches look like? Are these gateways also performing NAT?
Branch gateways have just a simple default rule to the ISP IP address that it is connecting to. Also, branches have a 172.10.X.X/25 local network on the internal interface, and that's where I want to connect to 172.18.1.0/24 from.
I tried changing the VPN routing option in the community to all 3 of the options.
VPN domain looks like this:
VPN domain of a branch GW = branch-local domain (172.10.X.X/25)
VPN domain of the Maestro = Maestro-local domain (172.18.1.0/24)
172.10.X.X/25 -> tunnel -> Maestro -> 172.18.1.0/24