The goal is to have a hub and spoke deployment where all traffic from the ERL goes through a hub site.
I've configured a site-to-site IPsec based VPN. From my ERL I can ping to the remote site. The LAN behind the ERL doesn't seem to have any connectivity. I can't ping the default gateway of the ERL or get out to the Internet while the VPN is up.
It seems like NAT is getting in the way when the VPN is enabled. On the ERL when I try to ping something on the local LAN while the VPN is up I get unreachable responses from the ERL's default gateway.
Here is what I think is the relevant configuration. Let me know if you need more.
set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 exclude
set service nat rule 5000 outbound-interface eth1
set service nat rule 5000 source address 172.16.1.0/24
set service nat rule 5000 type masquerade
set service nat rule 5001 description 'MASQ corporate_network to WAN'
set service nat rule 5001 destination address 0.0.0.0/0
set service nat rule 5001 exclude
set service nat rule 5001 log enable
set service nat rule 5001 outbound-interface eth0
set service nat rule 5001 protocol all
set service nat rule 5001 source address 172.16.1.0/24
set service nat rule 5001 type masquerade
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer 1.1.1.1 authentication id CN=my.domain.org
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode x509
set vpn ipsec site-to-site peer 1.1.1.1 authentication remote-id CN=route0.hopto.org
set vpn ipsec site-to-site peer 1.1.1.1 authentication x509 ca-cert-file /config/auth/cakey.pem
set vpn ipsec site-to-site peer 1.1.1.1 authentication x509 cert-file /config/auth/VPN/cert.pem
set vpn ipsec site-to-site peer 1.1.1.1 authentication x509 key file /config/auth/VPN/privatekey.pem
set vpn ipsec site-to-site peer 1.1.1.1 authentication x509 key password ***
set vpn ipsec site-to-site peer 1.1.1.1 connection-type initiate
set vpn ipsec site-to-site peer 1.1.1.1 default-esp-group ubnt-pa-esp
set vpn ipsec site-to-site peer 1.1.1.1 ike-group Amazon1
set vpn ipsec site-to-site peer 1.1.1.1 ikev2-reauth inherit
set vpn ipsec site-to-site peer 1.1.1.1 local-address 192.168.1.2
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-public-networks enable
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix 172.16.1.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 protocol all
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix 0.0.0.0/0
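The tunnel above is policy-based with local prefix 172.16.1.0/24 and remote prefix 0.0.0.0/0. In a policy-based IPsec setup, any packet whose source and destination fall inside the negotiated traffic selectors is handed to the tunnel before ordinary routing or NAT gets a look at it, and a 0.0.0.0/0 remote prefix also covers the LAN itself and the ERL's upstream subnet. The following is an added example, not code from the original post and not EdgeOS code: it models an ordered security policy database (first match wins) with the selectors from the post and checks which flows would be captured. The ERL LAN address 172.16.1.1, the upstream gateway 192.168.1.1, the sample flows, and the second table with narrower bypass entries are all constructed assumptions for illustration, not EdgeOS syntax.

```python
"""Model of how a policy-based IPsec SPD classifies flows.

Added example, not part of the original post or of EdgeOS. The selectors
(172.16.1.0/24 -> 0.0.0.0/0) come from the post's configuration; the host
addresses and the bypass table below are assumptions used for illustration.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# One SPD entry: (local_prefix, remote_prefix, action). Entries are evaluated
# in order and the first match wins, as in an RFC 4301 ordered SPD.
Policy = Tuple[str, str, str]

# Selectors exactly as configured in the post.
SPD_AS_POSTED: List[Policy] = [
    ("172.16.1.0/24", "0.0.0.0/0", "protect"),
]

# Assumed alternative (not in the post): bypass entries for the LAN itself and
# for the ERL's upstream subnet placed ahead of the catch-all protect entry.
SPD_WITH_BYPASS: List[Policy] = [
    ("172.16.1.0/24", "172.16.1.0/24", "bypass"),
    ("172.16.1.0/24", "192.168.1.0/24", "bypass"),
    ("172.16.1.0/24", "0.0.0.0/0", "protect"),
]


def lookup(spd: List[Policy], src: str, dst: str) -> str:
    """Return the SPD action for a src->dst flow.

    'protect' means the packet is sent into the tunnel, 'bypass' means it is
    explicitly left in the clear, and 'clear' means no entry matched at all,
    so normal routing and NAT apply.
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote, action in spd:
        if s in ip_network(local) and d in ip_network(remote):
            return action
    return "clear"


# Constructed sample flows (assumed addresses, see module docstring).
FLOWS: List[Tuple[str, str]] = [
    ("172.16.1.1", "172.16.1.50"),   # ERL pinging a host on its own LAN
    ("172.16.1.50", "192.168.1.1"),  # LAN host to the ERL's upstream gateway
    ("172.16.1.50", "8.8.8.8"),      # LAN host to the Internet (should use hub)
    ("192.168.1.2", "1.1.1.1"),      # ERL WAN address to the peer: not LAN-sourced
]


def classify_all(spd: List[Policy]) -> Dict[str, str]:
    """Classify every sample flow against one SPD table."""
    return {f"{s}->{d}": lookup(spd, s, d) for s, d in FLOWS}


if __name__ == "__main__":
    for name, spd in (("as posted", SPD_AS_POSTED), ("with bypass", SPD_WITH_BYPASS)):
        print(name)
        for flow, action in classify_all(spd).items():
            print(f"  {flow}: {action}")
```

Running it shows that with the selectors as posted, the ERL-to-LAN ping and the LAN-to-gateway flow are both classified as protect, i.e. they are pulled into the tunnel along with the Internet-bound traffic, which is consistent with the symptoms described; only traffic not sourced from 172.16.1.0/24 (such as the IKE/ESP exchange from 192.168.1.2 itself) is left alone. With narrower entries ahead of the catch-all, the local flows stay in the clear while Internet-bound traffic still goes to the hub.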