Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Philip_W
Contributor

IPSEC encryption domains via Hub

Hi Checkmates,

Our customer has several meshed VPN Communities, connecting his HQ with remote sites as well as with suppliers. Situation is as follows for 3 sites:

A (Supplier - Juniper)             B (HQ CP5000)            C (RemoteSite CP14x0)
10.10.0.0/24                            10.200.10.0/24            10.200.201.0/24
10.20.0.0/16                             10.200.11.0/24            10.200.202.0/24
10.40.0.0/16                              10.200.12.0/24

10.0.0.0/8

Policy-based s2s between A and B.

Route-based s2s between B and C.

Users in Site C 10.200.201.0/24 (customer remote site) need to connect to a supplier's server in 10.40.0.0/16. This traffic is allowed and working - my predecessor configured user.def.FW1 for the tunnel between A and B.

Now, due to changes and the supplier being reluctant to configure lots of encryption domains , we were looking into changing themfor the tunnel between A and B. Plan was to set it as follows for our side:

B

10.200.0.0/16

But then traffic between C and A stopped working.

Finally my question:

How can we change B's encryption domain to include C's subnets? Note that also customer does not allow hide NAT because he fears this might interfere with H323 video traffic.

Kind Regards

P

0 Kudos
3 Replies
Jerry
Mentor
Mentor

simply add 10.200.0.0/16 into the HUB EncDom Smiley Happy 

Jerry
0 Kudos
Philip_W
Contributor

Indeed, we did. But then traffic between C and A didn't pass anymore ("packet shouldn't have been decrypted").

Going to have to dig into the user.def.FW1 file I think.

0 Kudos
Jerry
Mentor
Mentor

what about appropiate (respective) routing is in place Philip ?

Jerry

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events