Routing between several VPN Networks

Hi everyone,

I got a topic I can’t solve. I got several Site-2-Site VPNs running onto one MT. This MT should work as a central switching point between all the different subnets. My problem now is that I can’t reach other subnets from a subnet, but I can reach all subnets from the central MT. I’m not totally into it; do I need to NAT or do I need routes?
Just in case, the VPNs are 6 x L2TP/IPSec and 3 x IKEv2:

quick sketch with symbolic 4 vpn site-2-site subnets:

                           192.168.150.0/24
                                   |
192.168.100.0/24    ---    192.168.0.0/24   ---   192.168.200.0/24
                                   |
                           192.168.250.0/24

What I want to reach:
Ex.: 192.168.100.0/24 > 192.168.200.0/24

Hope this is quite clearly explained. Thanks in advance!

You need to add routes.
Either static routes or automatic routing like BGP.

For bare IKEv2, you need to add corresponding policies rather than routes (with the LAN subnets of the other VPN sites as src-address at the central router and as dst-address at the spokes). Or use IKEv2 only to encrypt GRE or IPIP tunnels and use normal routing via these tunnels.

Thanks for the replies.

Sadly I have to deal with those mixed VPNs (Unifi and MT). AFAIK Unifi can do site-2-site with IKEv2 only.
BGP looks like a bit overkill to me for this kind of setup, but I will look into it. Static routes sound reliable at first. I guess I have to deal with several VPNs to log in.

I don’t know whether the responses were clean enough… it is enough if all the “peripheral” devices send traffic for the subnets on all the other peripheral devices to the central device, the only point is that where bare IPsec (IKEv2) is used, IPsec policies must be used rather than traditional routes between that peripheral device and the central one. So let’s assume we have peripheral devices A and B with subnets 192.168.A.0/24 and 192.168.B.0/24, and the central device with 192.168.C.0/24. A uses L2TP/IPsec VPN, B uses IKEv2.

So on A, you need a route dst-address=192.168.B.0/24 gateway=l2tp-out1 to reach B via C; on C, you need to associate an IPsec policy src-address=192.168.A.0/24 dst-address=192.168.B.0/24 to the peer representing device B. In the reverse direction, you need to associate an IPsec policy src-address=192.168.B.0/24 dst-address=192.168.A.0/24 with the peer representing device C, and on C, you need a route dst-address=192.168.A.0/24 gateway= which may be added dynamically if you configure the /ppp profile for user A accordingly. Or you may create a static interface association for user A and create a static route to 192.168.A.0/24.

However, some traditional route must exist at C for packets towards 192.168.B.0/24 (a default one is sufficient) so that the IPsec policy could match them.

With this setup, you’ll have a routed path from A’s LAN subnet to B’s LAN subnet and vice versa; if you cannot get through, firewall rules and NAT rules need inspection as they may interfere.
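The same A/B/C setup written out as RouterOS commands, using the subnets from the sketch (added example, not from any of the posts). It assumes A = 192.168.100.0/24 over L2TP/IPsec, B = 192.168.200.0/24 over bare IKEv2, C = 192.168.0.0/24 as the hub, that all three are MikroTik devices, that the IKEv2 peers already exist and are named siteB on C and central on B, and that the /ppp secret for A already exists; interface and user names are placeholders.

```routeros
# --- On A (L2TP/IPsec client, LAN 192.168.100.0/24) ---
# Send traffic for B's LAN into the tunnel towards the central router.
# "l2tp-out1" is the assumed name of A's L2TP client interface.
/ip route add dst-address=192.168.200.0/24 gateway=l2tp-out1 comment="site B via C"

# --- On C (central router, LAN 192.168.0.0/24) ---
# Static interface binding for user "siteA" (assumed /ppp secret name), so the
# interface name is stable and a normal static route can point at it.
/interface l2tp-server add name=l2tp-siteA user=siteA
/ip route add dst-address=192.168.100.0/24 gateway=l2tp-siteA comment="site A LAN"

# Bare IKEv2 towards B: A<->B traffic is selected by an IPsec policy, not by
# a route. The policy is bound to the peer that represents B. A traditional
# route for 192.168.200.0/24 must still exist on C (the default route is
# enough), otherwise the packet never reaches the policy lookup.
/ip ipsec policy add peer=siteB tunnel=yes \
    src-address=192.168.100.0/24 dst-address=192.168.200.0/24 \
    action=encrypt level=require proposal=default comment="A LAN -> B LAN"

# --- On B (IKEv2 spoke, LAN 192.168.200.0/24) ---
# Mirror policy for the reverse direction, bound to the peer for C.
/ip ipsec policy add peer=central tunnel=yes \
    src-address=192.168.200.0/24 dst-address=192.168.100.0/24 \
    action=encrypt level=require proposal=default comment="B LAN -> A LAN"

# --- Checks (run on C) ---
# The A<->B policy should show an established phase-2 and the SA counters
# should rise while pinging from A's LAN to a host in B's LAN.
/ip ipsec policy print
/ip ipsec installed-sa print
/ip ipsec active-peers print
# If the policy never becomes active, check the forward chain for a drop and
# the NAT table for a src-nat/masquerade rule that rewrites the source
# address before the IPsec policy can match it.
```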