At one site the HQ, behind an SRG20-20, and its branches, behind two USG2139s, are connected by IPsec VPN. The branches can reach the HQ, but the branches cannot reach each other through the VPN tunnel.
1. Since the branches can reach the HQ internal network, the basic IPsec configuration itself is correct.
2. Checking the ACLs that define the IPsec data flow (the traffic selected for the tunnel) showed that they were wrong:
One of the ACLs is:
acl number 3000
rule 0 permit ip source 184.108.40.206 0.0.255.255 destination 172.17.0.0 0.0.255.255
The other ACL is:
acl number 3002
rule 0 permit ip source 172.17.112.0 0.0.3.255 destination 172.17.0.0 0.0.255.255
Comparing the two shows that the destination range of the second ACL does not include the source address range of the device on which the first ACL is configured, so that traffic is not selected and access fails. To allow mutual access, modify the first ACL to:
rule 0 permit ip source 220.127.116.11 0.0.255.255 destination 18.104.22.168 0.255.255.255
Modify the second ACL to:
rule 0 permit ip source 172.17.112.0 0.0.3.255 destination 22.214.171.124 0.255.255.255
After the change, testing confirmed that the branches can reach each other through the VPN.
The addresses specified in the branch's IPsec data-flow ACL did not cover the traffic going to the other branch, so that traffic was not treated as IPsec traffic.
When configuring IPsec VPN so that the HQ and the branches can all communicate with one another, define the source as the specific network segment of the branch node and the destination as all of the network segments of the HQ and the branches.
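As an added illustration (not part of the original case), the following checks a branch-to-branch flow against Huawei-style wildcard-mask ACLs in both directions, which is the comparison the troubleshooting above performs by hand. Branch B's segment is the page's ACL 3002 source; branch A's 172.16.0.0/16, the HQ 172.17.0.0/16 and the host addresses are assumed placeholders, and the corrected destination takes the page's 0.255.255.255 wildcard with an assumed network address of 172.0.0.0.

```python
import ipaddress

def _ip(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, net, wildcard):
    """Huawei-style wildcard: a 1 bit in the wildcard means 'don't care'."""
    keep = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & keep) == (_ip(net) & keep)

def rule_permits(rule, src, dst):
    """rule = (src_net, src_wildcard, dst_net, dst_wildcard)."""
    sn, sw, dn, dw = rule
    return wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw)

def acl_permits(acl, src, dst):
    """True if any rule in the ACL selects the src->dst flow for IPsec."""
    return any(rule_permits(r, src, dst) for r in acl)

def tunnel_covers(acl_a, acl_b, host_a, host_b):
    """A flow between two peers is protected only if A's ACL selects A->B
    and B's ACL selects the mirror direction B->A; otherwise one side
    never hands the traffic to the tunnel."""
    return acl_permits(acl_a, host_a, host_b) and acl_permits(acl_b, host_b, host_a)

# Constructed topology (assumed, not from the case): HQ 172.17.0.0/16,
# branch A 172.16.0.0/16; branch B 172.17.112.0/22 is the page's ACL 3002 source.
HQ_HOST, HOST_A, HOST_B = "172.17.1.1", "172.16.5.10", "172.17.113.20"

# Before the fix: destination limited to the HQ segment.
ACL_A_BEFORE = [("172.16.0.0", "0.0.255.255", "172.17.0.0", "0.0.255.255")]
ACL_B_BEFORE = [("172.17.112.0", "0.0.3.255", "172.17.0.0", "0.0.255.255")]

# After the fix: destination widened with the page's 0.255.255.255 wildcard
# (network address 172.0.0.0 assumed) so it covers the HQ and every branch.
ACL_A_AFTER = [("172.16.0.0", "0.0.255.255", "172.0.0.0", "0.255.255.255")]
ACL_B_AFTER = [("172.17.112.0", "0.0.3.255", "172.0.0.0", "0.255.255.255")]

def diagnose():
    """Report which flows each ACL set selects, as the case's troubleshooting did."""
    return {
        "branch_b_to_hq_before": acl_permits(ACL_B_BEFORE, HOST_B, HQ_HOST),
        "branch_b_to_branch_a_before": acl_permits(ACL_B_BEFORE, HOST_B, HOST_A),
        "branches_tunnel_before": tunnel_covers(ACL_A_BEFORE, ACL_B_BEFORE, HOST_A, HOST_B),
        "branches_tunnel_after": tunnel_covers(ACL_A_AFTER, ACL_B_AFTER, HOST_A, HOST_B),
    }

if __name__ == "__main__":
    for flow, ok in diagnose().items():
        print(f"{flow}: {'selected' if ok else 'NOT selected'}")
```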