This question comes up often enough. I've asked a few times but never got down to fundamentals (my fault). So, I don't "know" the answer - even though it may have been "given" in the past. Here is a reference:
(The assumption is that there can't be an internet VPN set up directly between subnet #1 and subnet #3. Packets must pass through subnet #2 because, e.g.:
- one of the VPNs is on an MPLS link and the other on an internet link.
- one of the VPN devices at subnet #2 is controlled by a 3rd party and a 3rd VPN going direct from #1 to #3 is not possible.)
What I would like to see is a description of the packets something like this:
Packet is launched on subnet #1 destined for subnet #3.
Routes for subnet #3 send packet to VPN A device on subnet #1.
[If VPN A tunnel points to subnet #2 then how does it accept packets destined for subnet #3?]
Assuming I know the answer to this, then:
Packet arrives at the output of VPN A at subnet #2.
Routes for subnet #3 send packet to VPN B device on subnet #2.
[presumably there is a route on the VPN A device at subnet #1 that acts on the unencrypted packets in order to accomplish this?]
VPN B at subnet #2 forwards packet to VPN B at subnet #3 where it goes directly to the destination address.
I was told once upon a time that the VPN A tunnel would only accept traffic for subnet #2, period. Is this indeed a limiting factoid?
If I could understand the packet macro structure as above and the device's macro configuration then it would be more understandable and memorable.
I don't want to know some [brand] CLI commands. I want to know how this works in principle.
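The following is an added, vendor-neutral model of the packet walk described above; it is not part of the original post and the topology, addresses and site names are constructed for illustration. It models a policy-based IPsec tunnel the way most implementations do in principle: each tunnel end holds a list of traffic selectors (local network, remote network), a packet is encrypted towards the peer only if its source and destination fall inside one pair, and the receiving end checks the mirror image before accepting it. Routing at each site is a separate longest-prefix-match table whose next hop is a tunnel. Chaining subnet #1 to subnet #3 through subnet #2 then needs two things: a route at site #2 for subnet #3 pointing at tunnel B, and selectors on both tunnels that include the subnet #1 / subnet #3 pair (otherwise tunnel A really does drop the packet, as the "subnet #2 only" statement suggests).

```python
from ipaddress import ip_address, ip_network

# Constructed topology (all addresses and names are invented for this example):
#   site1 10.1.0.0/16 --tunnel A-- site2 10.2.0.0/16 --tunnel B-- site3 10.3.0.0/16
SITE1, SITE2, SITE3 = "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"


class Endpoint:
    """One end of a policy-based IPsec tunnel.

    `selectors` holds (local_net, remote_net) pairs (often called proxy IDs or
    the crypto ACL).  Outbound, a packet is encrypted only if src is in local_net
    and dst in remote_net; inbound, the mirror image must match or it is dropped.
    """

    def __init__(self, tunnel, peer_site, selectors):
        self.tunnel = tunnel
        self.peer_site = peer_site
        self.selectors = [(ip_network(l), ip_network(r)) for l, r in selectors]

    def allows_out(self, src, dst):
        return any(src in l and dst in r for l, r in self.selectors)

    def allows_in(self, src, dst):
        return any(src in r and dst in l for l, r in self.selectors)


class Site:
    """A site with one local subnet, a routing table and its tunnel endpoints."""

    def __init__(self, name, local_net, routes, endpoints):
        self.name = name
        self.local_net = ip_network(local_net)
        self.endpoints = endpoints  # tunnel label -> Endpoint
        # Longest-prefix-match table of (prefix, tunnel label), most specific first.
        self.routes = sorted(((ip_network(p), t) for p, t in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, dst):
        for prefix, tunnel in self.routes:
            if dst in prefix:
                return self.endpoints[tunnel]
        return None


def trace(sites, start, src, dst):
    """Walk a packet (src -> dst) site by site; return (outcome, path of sites)."""
    src, dst = ip_address(src), ip_address(dst)
    site, path = sites[start], [start]
    while dst not in site.local_net:
        ep = site.next_hop(dst)
        if ep is None:
            return "no-route", path
        if not ep.allows_out(src, dst):
            return f"dropped: {ep.tunnel} outbound selectors at {site.name}", path
        peer = sites[ep.peer_site]
        peer_ep = peer.endpoints[ep.tunnel]
        if not peer_ep.allows_in(src, dst):
            return f"dropped: {ep.tunnel} inbound selectors at {peer.name}", path
        path.append(peer.name)
        site = peer
    return "delivered", path


def build(chained):
    """Build the three sites.

    chained=False: each tunnel carries only its own two sites' traffic.
    chained=True: tunnel A and B selectors also cover site1<->site3, and
    site2 routes site3 via tunnel B (the hub-and-spoke transit case).
    """
    extra = lambda pair: [pair] if chained else []  # noqa: E731
    a1 = [(SITE1, SITE2)] + extra((SITE1, SITE3))
    a2 = [(SITE2, SITE1)] + extra((SITE3, SITE1))
    b2 = [(SITE2, SITE3)] + extra((SITE1, SITE3))
    b3 = [(SITE3, SITE2)] + extra((SITE3, SITE1))
    site1 = Site("site1", SITE1, [(SITE2, "A"), (SITE3, "A")],
                 {"A": Endpoint("A", "site2", a1)})
    site2 = Site("site2", SITE2, [(SITE1, "A"), (SITE3, "B")],
                 {"A": Endpoint("A", "site1", a2), "B": Endpoint("B", "site3", b2)})
    site3 = Site("site3", SITE3, [(SITE2, "B"), (SITE1, "B")],
                 {"B": Endpoint("B", "site2", b3)})
    return {s.name: s for s in (site1, site2, site3)}


if __name__ == "__main__":
    for chained in (False, True):
        print(f"chained={chained}:",
              trace(build(chained), "site1", "10.1.0.5", "10.3.0.9"))
```

With `chained=False` the packet for subnet #3 is routed to tunnel A at site #1 but rejected by A's selectors, which is exactly the "only accepts traffic for subnet #2" behaviour; with `chained=True` it is accepted at both ends of A, looked up again in site #2's routing table, and handed to tunnel B. The same applies in reverse for the return traffic, so the selectors have to be widened on all four endpoints, not just at site #1. A route-based VPN (a virtual tunnel interface with any-to-any selectors) collapses the selector check into the routing table, which is the other common way the "how does A accept packets for #3" question gets answered.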