Routing to remote subnet via IPSEC that is peered to PFS by routing protocol



  • Ok, I have a site-to-site VPN setup. I can successfully reach from 10 to 192 and from 192 to 10. I can't, however, reach 172. 172 is a network on a separate router, connected via OSPF. The subnet of the 172 is in the lower PFS routing table... however, none of the Phase 2 networks are in the routing table. So the 10 network is not being advertised to the 172 router.

    I imagine I can create a static route on the 172 router, or I can advertise a default route from lower PFS... or make a static route on lower PFS and advertise connected... but I am uncertain of where the Phase 2 networks are being forwarded to...

    FW rules aren't a factor here, wide open.
    I am sure this has been dealt with; anyone have a best practice?




  • I did go to the 172 router and add a default route to the lower PFS... and it works, but there are a few PFS connected to each other off the lower PFS, all via OSPF. I didn't want to use static, as if lower goes away, the static may blackhole and not use other ABRs.