I have a client who has 2 VPNs between 3rd parties like so:
1) VTI route based VPN between 3rd party (SiteA) and (HUB CP Gateway) (own star vpn community)
(SiteA- 10.0.0.0/13) ----routed VTI-------- (HubCPgateway - 172.16.9.0/24)
2) Domain based VPN between 3rd party (SiteC) and (HUB CP Gateway) (own star vpn community) (using one tunnel per Gateway setting)
(HubCPgateway - 172.16.9.0/24) ----Domain Based VPN---(SiteC- 10.200.0.0/19)
Now for whatever reason the client wants to route traffic between the two third party sides (they own the equipment at the 3rd party sites and need to replicate).
So they want SiteA and SiteC to talk via HubCPGateway like so:
(SiteA- 10.0.0.0/13)-------routed--VTI------(HubCPgateway- 172.16.9.0/24)-------Domain Based VPN------(SiteC- 10.200.0.0/19)
I tried to ADD the networks in SiteC into HUB CPGateway's encryption domain and just route the traffic from SiteA via the routed VTI. The traffic does come down the VPN but then gives the error "according to policy packet should not have been decrypted".
I also tried to ADD networks in SiteC and SiteA into HUB CPGateway's encryption domain; this made no difference. I was thinking that R80.40, which allows for different encryption domains per VPN community, may assist me with this.
(Or do I need to change a user.def file?)
I did see a whole section in the manual where they use the vpn_route.conf file to route traffic between VPNs, but in that scenario all the gateways were CP gateways and managed by the same Management station.
Is it possible to do it with R80.30? If yes, how?
If not, do you think it will be possible with R80.40?
Thanks in advance.