We have a network (let's call it 10.10.0.0/16) with various subnets at different sites. The sites connect via IPsec VPN to a central location, and all sites should be able to communicate with all other sites. Because of this layout, the tunnel configuration has the local prefix as a subnet of the remote prefix (here the local prefix is 10.10.62.0/24 and the remote prefix 10.10.0.0/16 contains it). This does not work: devices in the local network are able to obtain IP addresses, but cannot pass traffic, and as long as the tunnel is enabled the router cannot resolve ARP for any other device in that subnet. If I remove the tunnel or configure it to use a non-overlapping remote prefix, traffic flows normally, both locally and via the VPN.
Since spoke-to-spoke traffic (via the hub) is required here, I'm not sure how I could feasibly configure this without the overlap and still have sites talk to each other. There are simply too many sites to manually configure SAs for each site prefix. Our current network is based on DMVPN, but EdgeOS doesn't support that, nor does it support GRE or VTI with a dynamic IP, so the policy-based (proxy-ID) setup is our only option.
Sanitized config:
firewall { all-ping enable broadcast-ping disable ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name WAN_IN { default-action drop description "WAN to internal" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } rule 30 { action accept destination { address 10.10.62.0/24 } ipsec { match-ipsec } } } name WAN_LOCAL { default-action drop description "WAN to router" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } rule 30 { action accept description IKE/L2TP destination { port 500,4500,1701 } protocol udp } rule 40 { action accept description ESP protocol esp } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address dhcp description Internet duplex auto firewall { in { name WAN_IN } local { name WAN_LOCAL } } speed auto } ethernet eth1 { address 192.168.1.1/24 description Local duplex auto speed auto } ethernet eth2 { address 10.10.62.254/24 description Voice duplex auto mtu 1500 speed auto } loopback lo { } } service { dhcp-server { disabled false global-parameters "option option-150 code 150 = ip-address;" hostfile-update enable shared-network-name VOICE { authoritative enable subnet 10.10.62.0/24 { default-router 10.10.62.254 dns-server 10.10.10.53 domain-name voice.example.com lease 86400 start 10.10.62.100 { stop 10.10.62.199 } subnet-parameters "option option-150 10.10.10.10;" } } use-dnsmasq disable } dns { forwarding { cache-size 150 dhcp eth0 listen-on eth1 options expand-hosts options listen-address=192.168.1.1 } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 5000 { exclude outbound-interface eth0 source { address 10.10.62.0/24 } type 
source } rule 5010 { description "masquerade for WAN" outbound-interface eth0 type masquerade } } ssh { port 22 protocol-version v2 } } system { domain-name example.com host-name spoke ip { override-hostname-ip 192.168.1.1 } } name-server 8.8.8.8 name-server 8.8.4.4 syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone UTC traffic-analysis { dpi enable export enable signature-update { update-hour 04 } } } vpn { ipsec { auto-firewall-nat-exclude disable esp-group vpn { compression disable lifetime 3600 mode tunnel pfs dh-group14 proposal 1 { encryption aes256 hash sha256 } } ike-group vpn { ikev2-reauth no key-exchange ikev1 lifetime 28800 mode main proposal 1 { dh-group 14 encryption aes256 hash sha256 } } ipsec-interfaces { interface eth0 } logging { log-level 2 log-modes ike log-modes mgr log-modes net log-modes cfg log-modes chd log-modes dmn log-modes job } site-to-site { peer 1.2.3.4 { authentication { id CN=spoke.example.com mode x509 remote-id CN=hub.example.com x509 { ca-cert-file /config/auth/ipsec/test/ca.cer cert-file /config/auth/ipsec/test/spoke.cer key { file /config/auth/ipsec/teste/spoke.key } } } connection-type initiate description VOIP ike-group vpn local-address any tunnel 1 { allow-nat-networks disable allow-public-networks disable esp-group palo local { prefix 10.10.62.0/24 } remote { prefix 10.10.0.0/16 } } tunnel 2 { allow-nat-networks disable allow-public-networks disable esp-group palo local { prefix 10.10.62.0/24 } remote { prefix 172.16.0.0/22 } } } } } l2tp { remote-access { authentication { local-users { } mode local } client-ip-pool { start 192.168.1.11 stop 192.168.1.19 } dhcp-interface eth0 dns-servers { server-1 192.168.1.1 } ipsec-settings { authentication { mode pre-shared-secret } ike-lifetime 3600 } mtu 1400 } } }
Any thoughts?