Our customer has several meshed VPN Communities, connecting his HQ with remote sites as well as with suppliers. The situation is as follows for 3 sites:
A (Supplier - Juniper): 10.10.0.0/24, 10.20.0.0/16
B (HQ CP5000): 10.200.10.0/24, 10.200.11.0/24
C (RemoteSite CP14x0): 10.200.201.0/24, 10.200.202.0/24
Policy-based s2s between A and B.
Route-based s2s between B and C.
Users in Site C 10.200.201.0/24 (customer remote site) need to connect to a supplier's server in 10.40.0.0/16. This traffic is allowed and working - my predecessor configured user.def.FW1 for the tunnel between A and B.
Now, due to changes and the supplier being reluctant to configure lots of encryption domains, we were looking into changing them for the tunnel between A and B. The plan was to set it as follows for our side:
But then traffic between C and A stopped working.
Finally my question:
How can we change B's encryption domain to include C's subnets? Note also that the customer does not allow Hide NAT, because he fears it might interfere with H.323 video traffic.