Traffic routing for all 10.1.0.0/24 and 10.2.0.0/22 works fine.
However, I need to route subnet 10.3.0.0/24 from [Site 1] over the IPSec tunnel into the LAN side of [Site 2] and set up a forward rule that will get the traffic to another router, say 10.2.0.11, which will handle delivery to the 10.3.0.0/24 network.
I’ve tried doing this with a second policy in the IPsec configs at each end:
Like so:
But the traffic never hits the LAN side of the RB.
I’m sure I’m missing something, but can’t see what or how to resolve it.
[This would all be a LOT easier if RoS would give us an interface to deal with for IPSec traffic!]
Though not explicitly described, it was assumed no NAT is occurring.
Let me fill the example out, just to make it clear.
Site 1: 10.1.0.0/24
Site 2: 10.2.0.0/22
In this example: Host 10.1.0.15 is sending traffic to 10.3.0.20
So, to make it explicit:
Traffic from, say, 10.1.0.15 to 10.3.0.20
That will come into the 10.2.0.0/22 network via the site-to-site IPSec VPN from the 10.2.0.0/24 network.
It will then get forwarded to 10.2.0.11 [a router] that knows how to get to the 10.3.0.0/2 network.
10.3.0.0/24 is non-local to either [site 1] or [site 2].
So, during this travel, the packet will have a [src addr: 10.1.0.15] and [dest addr: 10.3.0.20]
Replies will follow a reverse path. Assume the return packets will be simply reversed:
[src addr: 10.3.0.20] and [dest addr: 10.1.0.15]
And the return traffic should get handed back to the RB [it's in the default route for the network] and it has a matching policy like so:
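The policy listings the post refers to are not included on this page. The following RouterOS configuration sketch for the 10.1.0.15 to 10.3.0.20 flow is an added example, not the poster's own configuration; it assumes RouterOS 6.44 or later (policies reference a peer by name), peers already defined as `site2` on Site 1 and `site1` on Site 2, a Site 2 RB LAN address of 10.2.0.1, and that the router at 10.2.0.11 is also RouterOS.

```routeros
# --- Site 1 RB: extra policy so 10.1.0.0/24 -> 10.3.0.0/24 is encrypted toward Site 2 ---
# (assumed peer name "site2"; the existing 10.1.0.0/24 <-> 10.2.0.0/22 policy stays as it is)
/ip ipsec policy
add peer=site2 tunnel=yes src-address=10.1.0.0/24 dst-address=10.3.0.0/24 \
    protocol=all action=encrypt level=require proposal=default

# --- Site 2 RB: mirror policy, plus a plain route so decrypted packets reach 10.2.0.11 ---
# Decrypted IPsec packets re-enter normal routing, so no mangle/forward trickery is needed:
# a static route for 10.3.0.0/24 via 10.2.0.11 is enough.
/ip ipsec policy
add peer=site1 tunnel=yes src-address=10.3.0.0/24 dst-address=10.1.0.0/24 \
    protocol=all action=encrypt level=require proposal=default
/ip route
add dst-address=10.3.0.0/24 gateway=10.2.0.11 comment="10.3.0.0/24 lives behind 10.2.0.11"

# If Site 2 masquerades outbound traffic, exempt IPsec-bound packets so the src-nat rule
# does not rewrite 10.1.0.x/10.3.0.x before the policy matches. The thread assumed no NAT,
# so this rule is only needed if that assumption turns out to be wrong.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0

# --- Router 10.2.0.11 (assumed RouterOS): make sure replies for 10.1.0.0/24 go back to the RB ---
# Only needed if its default route is not the Site 2 RB (assumed RB LAN address 10.2.0.1);
# otherwise replies from 10.3.0.20 never reach the RB and its 10.3.0.0/24 -> 10.1.0.0/24 policy.
/ip route
add dst-address=10.1.0.0/24 gateway=10.2.0.1

# --- Checks on the Site 2 RB while 10.1.0.15 pings 10.3.0.20 ---
/ip ipsec policy print                              # new policy should show ph2-state "established"
/ip route print where dst-address=10.3.0.0/24       # route via 10.2.0.11 must be active
/tool sniffer quick interface=<LAN-interface> ip-address=10.3.0.20   # decrypted packets leaving toward 10.2.0.11
```

If the sniffer shows packets leaving the LAN interface but no replies coming back, the missing piece is on 10.2.0.11 (its route for 10.1.0.0/24), not in the IPsec policies.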