Hi

Office: SMB 1600 R81.10

Main DC: R81.10 JHF take 55

Both gateways have an empty group as the encryption domain as the VPN is route based.

Its correct that the office SMB doesn't encrypt as this traffic is not routed down the VPN.

You said in your original post that all traffic from the office site is routed over VPN to the DC site.
That would imply all traffic to the Internet would be routed to the DC site, including DNS lookups.

Because of the empty encryption domain, it seems reasonable for the DC gateway to assume everything that comes from the specific remote gateway SHOULD be encrypted.
Thus, the error message.

A simple network diagram might be helpful to understand where traffic is supposed to be going.

Hi, apologies.

I have attached a simple diagram.

Only traffic between office 192.168.3.0/24 and DC 10.1.1.0/24 is routed over the VTI.

Traffic from office 10.0.0.9 to Internet is dropped by DC 10.0.0.12. 

Hey @Mark_Edwards ,

I think maybe fw monitor capture would help us here, so we can see if traffic even takes the right path. So lets assume src is 1.1.1.1 and dst is 2.2.2.2 and dst port is 3389, as we dont care about src port, you could do something like below (-o to output to a file)

fw monitor -F "srcip,srcport,dstip,dstport,protocol" -F "srcip,srcport,dstip,dstport,protocol"

fw monitor -F "1.1.1.1,0,2.2.2.2,3389,0" -F "2.2.2.2,0,1.1.1.1,3389,0" -o /var/log/vpncapture.pcap

Once you dump the file in wireshark, you can filter for fw direction -> fw1.direction eq "i"

or whatever inspection point you want to see

Andy