
IPSEC encryption domains via Hub

Question asked by Philip W on Nov 21, 2018
Latest reply on Nov 22, 2018 by 89f54c70-508c-400f-9477-dd8648799b1e

Hi Checkmates,


Our customer has several meshed VPN Communities, connecting his HQ with remote sites as well as with suppliers. Situation is as follows for 3 sites:

A (Supplier - Juniper)    B (HQ CP5000)      C (RemoteSite CP14x0)
10.10.0.0/24              10.200.10.0/24     10.200.201.0/24
10.20.0.0/16              10.200.11.0/24     10.200.202.0/24
10.40.0.0/16              10.200.12.0/24

10.0.0.0/8

Policy-based s2s between A and B.

Route-based s2s between B and C.


Users in Site C 10.200.201.0/24 (customer remote site) need to connect to a supplier's server in 10.40.0.0/16. This traffic is allowed and working - my predecessor configured user.def.FW1 for the tunnel between A and B.


Now, due to changes and the supplier being reluctant to configure lots of encryption domains, we were looking into changing them for the tunnel between A and B. The plan was to set it as follows for our side:

B

10.200.0.0/16

But then traffic between C and A stopped working.


Finally my question:

How can we change B's encryption domain to include C's subnets? Note also that the customer does not allow Hide NAT, because he fears this might interfere with H.323 video traffic.


Kind Regards

P
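As an added example that is not part of the post above and not Check Point code, the script below models the generic policy-based IPsec selector check (a packet is only sent through a tunnel when its source is in the local encryption domain and its destination in the peer's domain) against the subnets listed in the question. It lets you verify, before touching the gateway, whether a C-to-A flow would be selected for the A-B tunnel under the old and the new definition of B's domain, and it reports where domains overlap. The lone 10.0.0.0/8 entry is not assigned to a site in the post, so it is left out; all site lists are transcribed from the question.

```python
import ipaddress

# Encryption domains transcribed from the question (constructed sample data).
SITE_A = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "10.20.0.0/16", "10.40.0.0/16")]
SITE_B_OLD = [ipaddress.ip_network(n) for n in ("10.200.10.0/24", "10.200.11.0/24", "10.200.12.0/24")]
SITE_B_NEW = [ipaddress.ip_network("10.200.0.0/16")]   # the planned single /16
SITE_C = [ipaddress.ip_network(n) for n in ("10.200.201.0/24", "10.200.202.0/24")]


def covered(addr, domain):
    """True if addr falls inside any network of the encryption domain."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in domain)


def selected_for_tunnel(src, dst, local_domain, peer_domain):
    """Generic policy-based IPsec selector check: the packet goes into the
    tunnel only when src is in the local domain and dst in the peer's."""
    return covered(src, local_domain) and covered(dst, peer_domain)


def overlaps(domain_x, domain_y):
    """Pairs of networks that overlap between two domains; overlapping
    domains across communities are a common cause of unexpected tunnel
    selection, so they are worth listing explicitly."""
    return [(str(x), str(y)) for x in domain_x for y in domain_y if x.overlaps(y)]


def c_to_a_flow_selected(b_domain):
    """Would a user in C (10.200.201.0/24) reaching the supplier server range
    (10.40.0.0/16) be matched by the A-B tunnel with the given B domain?"""
    return selected_for_tunnel("10.200.201.5", "10.40.1.1", b_domain, SITE_A)


if __name__ == "__main__":
    print("C->A selected with old B domain:", c_to_a_flow_selected(SITE_B_OLD))
    print("C->A selected with new B domain:", c_to_a_flow_selected(SITE_B_NEW))
    print("Overlap new B domain vs C domain:", overlaps(SITE_B_NEW, SITE_C))
```

With the three original /24s, the C subnet is not in B's domain, which is why a manual user.def entry was needed for the A-B tunnel; with 10.200.0.0/16 the selector check passes and the same /16 also fully contains both C subnets, which is the overlap the script reports. The script only checks selectors; it cannot tell you what the user.def customisation or the route-based B-C tunnel does with the traffic, which is where the actual troubleshooting has to continue.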
