I know I’m getting closer to overall understanding - but I’m stuck on this part.
Remote location:
bLoopback bridge, no ports, static address 10.255.255.2
bInternet bridge, all physical ports, LAN 192.168.1.12/24
dynamically receives 10.21.3.3 to bInternet bridge via IPSEC
known routes:
0 ADS dst-address=0.0.0.0/0 gateway=192.168.1.1 gateway-status=192.168.1.1 reachable via bInternet distance=1 scope=30 target-scope=10 vrf-interface=bInternet
1 ADC dst-address=10.21.3.0/24 pref-src=10.21.3.3 gateway=bInternet gateway-status=bInternet reachable distance=0 scope=10
2 ADC dst-address=10.255.255.2/32 pref-src=10.255.255.2 gateway=bLoopback gateway-status=bLoopback reachable distance=0 scope=10
3 ADC dst-address=169.254.1.0/24 pref-src=169.254.1.3 gateway=bInternet gateway-status=bInternet reachable distance=0 scope=10
4 A S dst-address=192.168.0.0/24 gateway=10.21.3.1 gateway-status=10.21.3.1 reachable via bInternet distance=1 scope=30 target-scope=10
5 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.30 gateway=bInternet gateway-status=bInternet reachable distance=0 scope=10
route to HQ 192.168.0.0/24 statically configured. For now.
HQ has
bLoopback bridge, no ports, static address 10.255.255.1
bLAN bridge, all physical ports 2-5, LAN 192.168.0.1/24
10.21.3.1/24 assigned to ether1 as IPSEC server
In the mode config for the remote site I have included the LAN 192.168.0.0/24, the IPSEC network 10.21.3.0/24, and the “loopback network” 10.255.255.0/24 in Split Include.
IPSEC connects and server & remote can communicate. From the remote, which is loopback address 10.255.255.2, I can ping both 10.255.255.1 (the HQ router) and 10.255.255.3 (a server inside the HQ LAN). However, I cannot reach 10.255.255.2 (the remote loopback IP) from either of the HQ locations. I can reach the remote IPSEC address of 10.21.3.3 as well as remote LAN hosts via NAT.
So my questions:
- Where does the remote have a route defined to be able to reach 10.255.255.1 & 10.255.255.3? I don’t see it in the routing table shown above, yet it works. I’m guessing it has something to do with my including it in the “Split Include”, as I do see a dynamic src-nat rule created that maps 10.255.255.0/24 to 10.21.3.3. Having just typed that, I guess I already answered myself for this one…
- More importantly, if it works in that direction, why doesn’t the reverse work? I’ve tried various src-nat rules on the HQ router with no effect.
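The following is an added worked example, not code from the post or from RouterOS. It models the two questions above in Python: a longest-prefix lookup over the remote router's route table exactly as printed in the post, followed by the dynamic src-nat and the IPsec policy selector check that happen after routing. The route lines are the post's own; the shape of the dynamically generated policies (client side: src 10.21.3.3/32 to each split-include network, server side: the mirror image) and the assumption that the dynamic src-nat rule matches on destination network are my assumptions about what mode-config with split-include produces, and are labelled as such in the code. The trace shows that the remote needs no specific route for 10.255.255.0/24 (the default route carries the packet, NAT rewrites the source, and the policy selector pulls it into the tunnel), while on the HQ side no policy selector covers 10.255.255.2, so a packet addressed to the remote loopback is never selected for encryption no matter what src-nat is applied.

```python
"""Route lookup versus IPsec policy selection for the setup in the post.

Constructed model, not RouterOS code. Route lines are copied from the post;
the policy and NAT selectors are an ASSUMPTION about what mode-config builds.
"""
import ipaddress
import re

# "/ip route print" output of the remote router, copied from the post.
REMOTE_ROUTE_PRINT = """\
0 ADS dst-address=0.0.0.0/0 gateway=192.168.1.1 gateway-status=192.168.1.1 reachable via bInternet distance=1 scope=30 target-scope=10 vrf-interface=bInternet
1 ADC dst-address=10.21.3.0/24 pref-src=10.21.3.3 gateway=bInternet gateway-status=bInternet reachable distance=0 scope=10
2 ADC dst-address=10.255.255.2/32 pref-src=10.255.255.2 gateway=bLoopback gateway-status=bLoopback reachable distance=0 scope=10
3 ADC dst-address=169.254.1.0/24 pref-src=169.254.1.3 gateway=bInternet gateway-status=bInternet reachable distance=0 scope=10
4 A S dst-address=192.168.0.0/24 gateway=10.21.3.1 gateway-status=10.21.3.1 reachable via bInternet distance=1 scope=30 target-scope=10
5 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.30 gateway=bInternet gateway-status=bInternet reachable distance=0 scope=10
"""

# Addresses and split-include list as given in the post.
REMOTE_LOOPBACK = "10.255.255.2"
REMOTE_IPSEC_ADDR = "10.21.3.3"          # handed to the remote by mode-config
SPLIT_INCLUDE = ["192.168.0.0/24", "10.21.3.0/24", "10.255.255.0/24"]


def _net(n):
    return ipaddress.ip_network(n)


def parse_routes(text):
    """Return [(network, gateway, distance)] from RouterOS route print lines."""
    routes = []
    for line in text.splitlines():
        dst = re.search(r"dst-address=(\S+)", line)
        gw = re.search(r"\bgateway=(\S+)", line)      # does not hit gateway-status=
        dist = re.search(r"distance=(\d+)", line)
        if dst and gw:
            routes.append((_net(dst.group(1)), gw.group(1),
                           int(dist.group(1)) if dist else 0))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest distance on ties; None when nothing matches."""
    d = ipaddress.ip_address(dst)
    hits = [r for r in routes if d in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2])) if hits else None


REMOTE_ROUTES = parse_routes(REMOTE_ROUTE_PRINT)

# ASSUMPTION: the client gets one policy per split-include network with its
# mode-config address as the source selector; the server gets the mirror image.
CLIENT_POLICIES = [(_net(REMOTE_IPSEC_ADDR + "/32"), _net(n)) for n in SPLIT_INCLUDE]
SERVER_POLICIES = [(_net(n), _net(REMOTE_IPSEC_ADDR + "/32")) for n in SPLIT_INCLUDE]


def client_srcnat(src, dst):
    """The dynamic src-nat the post mentions: traffic towards a split-include
    network leaves with source 10.21.3.3 (ASSUMPTION: matched on dst-address)."""
    if any(ipaddress.ip_address(dst) in _net(n) for n in SPLIT_INCLUDE):
        return REMOTE_IPSEC_ADDR
    return src


def policy_matches(policies, src, dst):
    """True when some (src-selector, dst-selector) pair covers the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ps and d in pd for ps, pd in policies)


def trace_remote_to_hq(dst):
    """Remote loopback -> HQ: routing decision, then NAT, then policy check."""
    route = lookup(REMOTE_ROUTES, dst)
    nat_src = client_srcnat(REMOTE_LOOPBACK, dst)
    return {"route_gateway": route[1] if route else None,
            "src_after_nat": nat_src,
            "encrypted": policy_matches(CLIENT_POLICIES, nat_src, dst)}


def trace_hq_to_remote(src, dst):
    """HQ -> remote: the server-side policy selector alone decides."""
    return {"encrypted": policy_matches(SERVER_POLICIES, src, dst)}


if __name__ == "__main__":
    for dst in ("10.255.255.1", "10.255.255.3"):
        print("remote ->", dst, trace_remote_to_hq(dst))
    for src, dst in (("10.255.255.1", "10.255.255.2"), ("10.255.255.1", "10.21.3.3")):
        print("HQ", src, "->", dst, trace_hq_to_remote(src, dst))
```

Run it with `python3` and compare the two directions: the remote-to-HQ trace reports the default gateway as the route yet `encrypted: True`, because the source becomes 10.21.3.3 and the client policy covers 10.255.255.0/24; the HQ-to-10.255.255.2 trace reports `encrypted: False`, because every server-side selector has 10.21.3.3/32 as its destination and the remote loopback address is not part of any of them.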