Hi,
We have several departments and connect them via IPsec "Tunnel Interfaces". For each interface we set up a gateway and configured an SD-WAN policy.
This works for most services, but not for VoIP and RADIUS. The traffic is logged as allowed on the source side, but never appears on the destination side. We created a static route for the VoIP network to get it working, but this static route cannot be the solution, as it defeats the purpose of SD-WAN routing.
Our configuration:
| | Department 1 | Department 2 |
|---|---|---|
| Network | 172.16.0.0/16 | 172.17.0.0/16 |
| VoIP-Subnet | 172.16.7.0/24 | 172.17.7.0/24 |
| xfrm1 | 172.16.254.1/30 | 172.16.254.2/30 |
| xfrm1-GW | 172.16.254.2/30 | 172.16.254.1/30 |
| xfrm2 | 172.16.254.5/30 | 172.16.254.6/30 |
| xfrm2-GW | 172.16.254.6/30 | 172.16.254.5/30 |

SD-WAN routing
(All XGs) Current precedence for routing: Static route, VPN route, SD-WAN policy route.
(All XGs) Policy route also applies to system-generated and reply traffic.

| | Department 1 | Department 2 |
|---|---|---|
| Incoming Interface | Any | Any |
| Src Network | Any | Any |
| Dst Network | 172.17.0.0/16 | 172.16.0.0/16 |
| Services | Any | Any |
| Primary GW | xfrm1-GW | xfrm1-GW |
| Backup GW | xfrm2-GW | xfrm2-GW |

Static route

| | Department 1 | Department 2 |
|---|---|---|
| Destination IP/Mask | 172.17.7.0/24 | 172.16.7.0/24 |
| GW | 172.16.254.2 | 172.16.254.1 |
| Interface | xfrm1 | xfrm1 |
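The following is an added example, not code from the post or from Sophos: it models the routing precedence the post states (static route, then VPN route, then SD-WAN policy route) as a small lookup, so that for a given flow one can see which stage claims it and which gateway it is sent to. The Department 1 addresses, gateway names and rule criteria are taken from the post; the rule name `to-dept2`, the incoming interface `Port1`, the service names and the sample flow addresses are constructed for the illustration, and the empty VPN route list assumes route-based (tunnel interface) VPNs with no policy-based VPN routes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    service: str    # e.g. "sip", "radius", "https"
    in_iface: str   # incoming interface name


@dataclass(frozen=True)
class PrefixRoute:
    prefix: str     # destination network in CIDR notation
    gateway: str    # next-hop IP
    iface: str      # egress interface


@dataclass(frozen=True)
class SdwanRule:
    name: str
    in_iface: str          # "Any" or an interface name
    src_net: str           # "Any" or CIDR
    dst_net: str           # "Any" or CIDR
    services: frozenset    # frozenset({"Any"}) or a set of service names
    primary_gw: str
    backup_gw: str


def _in_net(ip: str, cidr: str) -> bool:
    """True if `cidr` is the wildcard 'Any' or contains `ip`."""
    return cidr == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def longest_prefix(dst: str, routes):
    """Longest-prefix match over a list of PrefixRoute; None when nothing matches."""
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if ipaddress.ip_address(dst) in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def first_sdwan_match(flow: Flow, rules, gateway_up: dict):
    """First SD-WAN rule whose criteria all match; gateway chosen by health (primary, then backup)."""
    for rule in rules:
        if rule.in_iface not in ("Any", flow.in_iface):
            continue
        if not _in_net(flow.src, rule.src_net) or not _in_net(flow.dst, rule.dst_net):
            continue
        if "Any" not in rule.services and flow.service not in rule.services:
            continue
        for gw in (rule.primary_gw, rule.backup_gw):
            if gateway_up.get(gw, False):
                return rule, gw
        return rule, None          # rule matched, but neither gateway is live
    return None, None


def resolve(flow, static_routes, vpn_routes, sdwan_rules, gateway_up):
    """Apply the precedence stated in the post: static route, then VPN route, then SD-WAN policy."""
    r = longest_prefix(flow.dst, static_routes)
    if r:
        return ("static", r.gateway, r.iface)
    r = longest_prefix(flow.dst, vpn_routes)
    if r:
        return ("vpn", r.gateway, r.iface)
    rule, gw = first_sdwan_match(flow, sdwan_rules, gateway_up)
    if rule:
        return ("sdwan", gw, rule.name)
    return ("none", None, None)


# Department 1 configuration as given in the post; the rule name "to-dept2" is ours.
DEPT1_SDWAN = [SdwanRule("to-dept2", "Any", "Any", "172.17.0.0/16",
                         frozenset({"Any"}), "xfrm1-GW", "xfrm2-GW")]
DEPT1_STATIC = [PrefixRoute("172.17.7.0/24", "172.16.254.2", "xfrm1")]
DEPT1_VPN = []   # assumption: route-based tunnels, so no policy-based VPN routes


def trace_voip(gateway_up=None):
    """Resolve a constructed SIP flow from the Dept 1 VoIP subnet to the Dept 2 VoIP subnet,
    once with the static route present and once with the SD-WAN policy alone."""
    if gateway_up is None:
        gateway_up = {"xfrm1-GW": True, "xfrm2-GW": True}
    flow = Flow("172.16.7.10", "172.17.7.20", "sip", "Port1")   # constructed sample flow
    return {
        "with_static": resolve(flow, DEPT1_STATIC, DEPT1_VPN, DEPT1_SDWAN, gateway_up),
        "sdwan_only": resolve(flow, [], DEPT1_VPN, DEPT1_SDWAN, gateway_up),
    }


if __name__ == "__main__":
    for label, decision in trace_voip().items():
        print(f"{label:>12}: {decision}")
    print("primary down:", trace_voip({"xfrm1-GW": False, "xfrm2-GW": True})["sdwan_only"])
```

With the static route in place the VoIP flow never reaches the SD-WAN stage, which is why the post's workaround overrides the policy for that subnet; removing it, the same flow matches the SD-WAN rule and follows xfrm1-GW, or xfrm2-GW when the primary is marked down. Running a flow for each service through such a table is a quick way to confirm that the rule a flow is expected to hit is the one that actually claims it before looking at the tunnel itself.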