We have two networks connected with IPsec (172.29.46.0/24 with GW 172.29.46.1 (FG 60C) and 10.0.0.0/24 with GW 10.0.0.95 (FG 80C)). Traffic is routed properly between these networks over the IPsec tunnel.
We have a separate GW in the 172.29.46.0/24 network with IP 172.29.46.20, which is connected via SSH VPN to the 172.29.83.0/24 network. This remote network's GW is 172.29.83.33. Traffic is routed properly from the 172.29.83.32/27 network to the 172.29.46.0/24 network.
We have set one route on the GW 172.29.46.1 that routes all traffic towards the 172.29.83.0/24 network through the GW 172.29.46.20. Thus traffic initiated from the 172.29.46.0/24 network is routed properly to 172.29.83.0/24 over the SSH VPN tunnel through the GW 172.29.46.20.
We also have a route on the GW 172.29.46.20 that routes all traffic towards the 10.0.0.0/24 network through the GW 172.29.46.1. Traffic initiated from the 172.29.83.32/27 network is not routed properly to 10.0.0.0/24 over the SSH VPN tunnel through the GW 172.29.46.1, though. I can trace traffic leaving e.g. 172.29.83.40 -> reaching 172.29.46.20 -> reaching 172.29.46.1, and after that it times out. It seems that the traffic from the 172.29.83.32/27 network is routed properly up to the GW 172.29.46.1 but cannot be pushed over the IPsec tunnel. I can trace this traffic on the GW 172.29.46.1 but not on the GW 10.0.0.95.
On the contrary, when I set a SNAT on GW 172.29.46.20 so that source 172.29.83.32/27 is NATed to the 172.29.46.20 IP, traffic is routed properly to the 10.0.0.0/24 network (one way).
This makes me understand that the GW 172.29.46.1 doesn't understand how to deal with traffic initiated from the 172.29.83.32/27 network that comes without being NATed to its internal interface.
Supposing that all the policies are in place, what should we do in order to make 172.29.46.1 understand and deal with traffic coming from an "unknown" network, in my case the 172.29.83.0/24 network?
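Added note, not part of the question above and not the poster's configuration: the symptom described (packets from 172.29.83.x reach 172.29.46.1 and die there, but the same packets SNATed to 172.29.46.20 cross the tunnel) is what an IPsec tunnel produces when its phase 2 selectors (proxy IDs) only cover 172.29.46.0/24 <-> 10.0.0.0/24. A source outside the selector has no SA to be encapsulated in, so the FortiGate drops it before it ever reaches 10.0.0.95; the NATed copy lands inside the selector and goes through. Whether that is the cause here is an assumption, since the post does not show the tunnel definition. The constructed FortiOS CLI fragment below shows what to check and what would have to exist on both FortiGates; the tunnel interface name "to-fg80c" / "to-fg60c", the phase 1 name, the address object names and the interface name "internal" are all assumed placeholders.

```fortios
# --- On 172.29.46.1 (FG 60C) -------------------------------------------------
# 1. Look at what the tunnel is actually willing to encrypt: the phase 2
#    selectors (src/dst proxy IDs) and their SA counters. If 172.29.83.0/24
#    is not listed as a source, un-NATed traffic from it cannot use the SA.
diagnose vpn tunnel list

# 2. Add a phase 2 selector for the transit network (assumed phase 1 name
#    "to-fg80c"). The same selector, with src and dst swapped, must exist on
#    the FG 80C, otherwise phase 2 negotiation for this pair fails.
config vpn ipsec phase2-interface
    edit "to-fg80c-p2-net83"
        set phase1name "to-fg80c"
        set src-subnet 172.29.83.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
end

# 3. Address objects and a policy that allows the un-NATed source from the
#    LAN interface into the tunnel interface (route-based VPN, no NAT).
config firewall address
    edit "net-83"
        set subnet 172.29.83.0 255.255.255.0
    next
    edit "net-10"
        set subnet 10.0.0.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "net83-to-net10"
        set srcintf "internal"
        set dstintf "to-fg80c"
        set srcaddr "net-83"
        set dstaddr "net-10"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- On 10.0.0.95 (FG 80C) ----------------------------------------------------
# The far end also needs a route back for the transit network, or replies to
# 172.29.83.x follow its default route instead of the tunnel. (With SNAT the
# replies went to 172.29.46.20, which is already reachable, which is why the
# NATed variant worked.) Assumed tunnel interface name "to-fg60c".
config router static
    edit 0
        set dst 172.29.83.0 255.255.255.0
        set device "to-fg60c"
    next
end
# plus the mirrored phase2-interface entry (src 10.0.0.0/24, dst 172.29.83.0/24)
# and a policy from "to-fg60c" to the LAN interface for srcaddr net-83.

# --- Verification, on either box --------------------------------------------
# Trace a single flow for the original, un-NATed source and read the verdict
# the FortiGate gives it (denied by policy, no route, no matching phase 2, ...).
diagnose debug flow filter saddr 172.29.83.40
diagnose debug flow trace start 10
diagnose debug enable
```

Two caveats on the assumption: if the tunnel was built with 0.0.0.0/0 selectors on both sides, step 2 is already satisfied and the debug flow output should point at the policy or the return route instead; and if it is a policy-based (non-interface) VPN, the selector is carried by the IPsec firewall policy itself, so the extra source network has to be added to that policy's srcaddr rather than to a phase2-interface entry.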