Route Access failing beyond IPSec

Hello all,

I am running into an issue with route access beyond an IPSec tunnel that I am hoping you can point me in the right direction on. The tunnel is established and working between my office Palo Alto firewall and terminates on a CCR1009 that is located inside a datacenter. I can access the Mgmt LAN that connects to the CCR1009 from the office, but I cannot access other subnets beyond the CCR1009. Those subnets can be reached from the CCR1009.

–Config Layout–

Office Palo Alto firewall - Datacenter CCR1009
CCR1009 connects to a CCR1072 (DC Edge) via a public /29
CCR1072 connects to a JuniperQFX5100 (Core)
QFX5100 connects to remote CCR1036 via P2P fiber

  • PA LAN 192.168.99.0/24 can access the CCR1009 LAN 10.10.100.0/24
  • CCR1009 can access the remote CCR1036 172.20.103.0/30
  • PA cannot access the 172.20.103.0/30

I have updated the filter rules and src-nat with the 172.20.103.0/24 subnet with no luck.

I attached a quick diagram that illustrates the design a little better.

Thanks in advance,
-AT
IPSec Access.pdf (78.6 KB)

Hi all,

It looks like I found the fix and everything is working as expected. I changed the policies' level from “required” to “unique”.

[ xyz ] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 0 A src-address=10.10.100.0/24 src-port=any dst-address=192.168.99.0/24 dst-port=any protocol=all action=encrypt level=unique
     ipsec-protocols=esp tunnel=yes sa-src-address=64.85.172.26 sa-dst-address=69.54.X.Y proposal=th-pa220-proposal
     ph2-count=1

 1 A src-address=172.20.0.0/16 src-port=any dst-address=192.168.99.0/24 dst-port=any protocol=all action=encrypt level=unique
     ipsec-protocols=esp tunnel=yes sa-src-address=64.85.172.26 sa-dst-address=69.54.X.Y proposal=th-pa220-proposal
     ph2-count=1
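As an added configuration example (not the original poster's export, and not MikroTik's own documentation), this is what the two-subnet setup above looks like on the CCR1009 with the fix applied, together with the src-nat bypass and forward rule that the first post says were edited, and the commands to confirm that each policy negotiated its own phase 2 SA. The subnets, peer addresses and proposal name are taken from the two posts; the comments, the rule placement and the assumption that a masquerade rule already exists in the srcnat chain are mine. The likely reason the change works: per the RouterOS policy documentation, level=require drops the packet and acquires an SA, while level=unique acquires an SA that is used only by that policy. A Palo Alto negotiates one child SA per proxy ID pair, so with two policies toward the same peer, unique is what guarantees the 172.20.0.0/16 policy gets its own SA that matches the PA's second proxy ID instead of riding on the SA the 10.10.100.0/24 policy already brought up.

```routeros
# Added example, not the poster's configuration. Subnets, peer addresses and
# the proposal name come from the thread; everything else is assumed.

# One policy per proxy ID the Palo Alto expects. level=unique forces a
# separate child SA for each policy even though both share the same peer.
/ip ipsec policy
add src-address=10.10.100.0/24 dst-address=192.168.99.0/24 protocol=all \
    action=encrypt level=unique ipsec-protocols=esp tunnel=yes \
    sa-src-address=64.85.172.26 sa-dst-address=69.54.X.Y \
    proposal=th-pa220-proposal comment="office <-> mgmt LAN"
add src-address=172.20.0.0/16 dst-address=192.168.99.0/24 protocol=all \
    action=encrypt level=unique ipsec-protocols=esp tunnel=yes \
    sa-src-address=64.85.172.26 sa-dst-address=69.54.X.Y \
    proposal=th-pa220-proposal comment="office <-> sites behind CCR1036"

# Tunnel traffic must not be source-NATed: if masquerade rewrites the source
# to the public address first, the packet no longer matches any policy and
# leaves in the clear. These accept rules assume a masquerade rule already
# exists, so place-before=0 puts them above it.
/ip firewall nat
add chain=srcnat action=accept src-address=10.10.100.0/24 \
    dst-address=192.168.99.0/24 place-before=0 comment="no NAT into IPsec"
add chain=srcnat action=accept src-address=172.20.0.0/16 \
    dst-address=192.168.99.0/24 place-before=0 comment="no NAT into IPsec"

# Office traffic arrives decrypted on the CCR1009 and is then forwarded toward
# the CCR1072/CCR1036 path. Matching on the decrypting policy (ipsec-policy=in)
# keeps this narrower than a blanket accept on the WAN interface.
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address=192.168.99.0/24 dst-address=172.20.0.0/16 \
    place-before=0 comment="office -> sites behind CCR1036 via tunnel"

# Verification: each policy should show ph2-count=1 and installed-sa should
# list an inbound and outbound SA per policy, not just for the first one.
/ip ipsec policy print
/ip ipsec installed-sa print
/ip ipsec active-peers print
```

Two caveats a practitioner would check: the Palo Alto's proxy IDs must mirror each RouterOS policy exactly (local 192.168.99.0/24, remote 10.10.100.0/24 and 172.20.0.0/16), otherwise phase 2 for the mismatched pair never comes up; and the /16 policy encrypts far more than the 172.20.103.0/30 that was the stated goal, so narrowing it to the subnets actually needed keeps the tunnel from silently claiming traffic for unrelated 172.20.x.x ranges.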