Remote access clients can connect to different VPN gateways (FW-Cluster 1, FW-Cluster 2, FW-Cluster 3). All VPN gateways are connected to the same Remote Access community.

Remote access clients -> FW-Cluster 2 (same Remote Access community)
                         |-> one tunnel to cloud proxy provider (different VPN community "Cloud1")

Regarding the steps to solve the problem, I am not sure if I fully understood your inputs.

1) Currently I have set a domain for the Remote Access community in the SDB like "Remote Access" -> "Enc-Dom-Mobile" for the FW cluster object.
2) "Enc-Dom-Mobile" contains all relevant networks where encryption should happen (I assume the GW builds the routing topology from this information).
3) "Route all traffic through tunnel" is enabled.
4) There are already some exclusions configured for "Enc-Dom-Mobile".

My VTI routing is based on static routes added to both cluster members via GAiA. The peers I used for routing through the VTIs are already part of another encryption domain, "VPN_cloud". This "VPN_cloud" has the FW cluster as Center Gateway and two satellite gateways, which are actually two cloud datacenters. The GAiA VTI configuration includes each of these satellites as peers. The actual static route tells the FW cluster to route the cloud VIP through one of the VTIs (so two routes with different metrics exist).

Should I now exclude something from "Enc-Dom-Mobile"? It feels like the FW cluster publishes the encryption topology from "VPN_cloud" to the client rather than from the "Remote Access" VPN community.
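The post asks whether the cloud VIP reachable over the VTIs should be excluded from "Enc-Dom-Mobile" because it is also covered by the "VPN_cloud" community. Before changing the domain, a practitioner would want to see exactly which encryption domains cover that destination and which VTI route wins. The script below is an added example, not code from the post or from Check Point: it checks a destination against two domain definitions (included networks minus exclusions) and against a static route table using a simplified selection rule (longest prefix, then lowest metric). All addresses, the VTI names (vt-cloud-dc1, vt-cloud-dc2), the metrics and the domain contents are constructed assumptions, since the post names the objects but gives no addresses; the rule is an approximation of Gaia route selection, not Check Point's topology logic.

```python
"""Overlap check for a destination against VPN encryption domains and VTI routes.

Added example, not part of the original post. Addresses, VTI names, metrics
and domain contents below are constructed assumptions; the route-selection
rule (longest prefix, then lowest metric) is a simplification for illustration.
"""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class StaticRoute:
    dest: IPNet
    interface: str  # a Gaia VTI such as "vt-cloud-dc1" (assumed name) or a physical interface
    metric: int     # lower wins when the prefix length ties


def best_route(dst, routes):
    """Longest-prefix match, tie broken by lowest metric; None if nothing matches."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r.dest]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.dest.prefixlen, r.metric))


def in_domain(dst, included, excluded):
    """True if dst lies in an included network and in none of the excluded ones."""
    ip = ipaddress.IPv4Address(dst)
    return any(ip in n for n in included) and not any(ip in n for n in excluded)


def covering_domains(dst, domains):
    """domains maps name -> (included nets, excluded nets); returns names that cover dst."""
    return [name for name, (inc, exc) in domains.items() if in_domain(dst, inc, exc)]


def overlapping_nets(ra_domain, other_domain):
    """Networks of other_domain that overlap ra_domain's included space and are not
    already excluded there; these are the candidates for an exclusion in the RA domain."""
    ra_inc, ra_exc = ra_domain
    other_inc, _ = other_domain
    return [n for n in other_inc
            if any(n.overlaps(m) for m in ra_inc)
            and not any(n.subnet_of(e) for e in ra_exc)]


def overlap_report(dst, domains, routes):
    """Summarise which domains cover dst and which route it takes."""
    route = best_route(dst, routes)
    return {
        "destination": dst,
        "domains": covering_domains(dst, domains),
        "route": None if route is None else (str(route.dest), route.interface, route.metric),
    }


# --- constructed sample data (assumed, not taken from the post) ---
ENC_DOM_MOBILE = ([IPNet("10.0.0.0/8"), IPNet("203.0.113.0/24")],  # included
                  [IPNet("10.99.0.0/16")])                          # existing exclusions
VPN_CLOUD = ([IPNet("203.0.113.0/24")], [])  # hypothetical cloud datacenter domain
DOMAINS = {"Enc-Dom-Mobile (Remote Access)": ENC_DOM_MOBILE, "VPN_cloud": VPN_CLOUD}
CLOUD_VIP = "203.0.113.10"  # assumed address for the cloud proxy VIP
ROUTES = [
    StaticRoute(IPNet("203.0.113.10/32"), "vt-cloud-dc1", 1),  # primary VTI
    StaticRoute(IPNet("203.0.113.10/32"), "vt-cloud-dc2", 2),  # backup VTI, higher metric
    StaticRoute(IPNet("0.0.0.0/0"), "eth0", 1),                # default route
]

if __name__ == "__main__":
    print(overlap_report(CLOUD_VIP, DOMAINS, ROUTES))
    print("candidate exclusions:", [str(n) for n in overlapping_nets(ENC_DOM_MOBILE, VPN_CLOUD)])
```

Run as-is it reports that the sample VIP is covered by both domains and is routed via vt-cloud-dc1 (the lower metric of the two /32 routes), and lists 203.0.113.0/24 as the network that would need an exclusion in Enc-Dom-Mobile if the intent is to leave the cloud VIP to the VPN_cloud community only. Replace the constructed data with the real domain objects and the output of the Gaia route table to check your own setup.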