Our company has servers in two locations -- our main office, and a colocation. We're getting ready to move one of our servers, a PBX, from our main office to our colocation for better service, but we've come across a handful of issues.
Each site has a Juniper SSG5 router, and their local subnets are connected via a site-to-site VPN and appropriate tunnel policies. The network diagram looks kind of like this:
Site A (10.1.0.0/24) - Router A (LAN 10.1.0.1, WAN 69.x.x.x) - Internet - Router B (WAN 71.x.x.x, LAN 10.0.0.1) - Site B (10.0.0.0/24)
Since Site A and Site B are on different subnets, the IP address of PBX B is going to have to change.
All of the phones at Site B, where the PBX is right now, are registered to PBX B. There are other sites that are connected to both locations via their own Site-to-Site VPNs. These phones are not the issue, because we can connect to them all either directly or remotely and configure them for the new IP address.
We also have phones in locations that are not connected to our offices via a Site-to-Site VPN. All of these phones are connecting to Router B. Router B has a VIP entry on its WAN interface routing SIP traffic (say, port 5060) to PBX B. We don't have direct access to some of these phones at the moment, and may not for a while (the people who use them are very, very inept with technology).
Even if we set up a VIP on Router A to point to the new IP address, the phones themselves are still pointing to Router B. Instead of losing service for these phones, we would like to be able to forward this SIP traffic on port 5060 across the VPN connection. In effect, instead of Router B forwarding port 5060 traffic to 10.0.0.x, we want to instead have Router B forward port 5060 traffic to 10.1.0.y. This is where our big issue comes in.
We already have another PBX at Site A (PBX A), and we're using it for testing. I set up a second VIP on Router B to forward port 5062 traffic to PBX A, but this is where we came across an issue. Router B cannot ping Router A's LAN interface (10.1.0.1). Any device behind Router B can ping 10.1.0.1, and any device behind Router B can ping any device behind Router A, but Router B cannot ping 10.1.0.1 and cannot ping any device behind it, including PBX A, which is where it's trying to forward this traffic.
Running a traceroute on Router B to 10.1.0.1 shows that it is ignoring its own VPN connection and instead is trying to connect to 10.1.0.1 over its WAN interface 71.x.x.x, which goes exactly as well as you would imagine.
What we're trying to do is have the Juniper tunnel ITS OWN traffic bound for a subnet connected via VPN over the VPN rather than over its WAN interface, just like it does for all traffic behind it. We have policies set in place that tunnel traffic from 10.0.0.0/24 to 10.1.0.0/24 over "Site A VPN", and I recently created one for VIP(eth0/0) to 10.1.0.0/24 over "Site A VPN", but for some reason, neither of these seem to include traffic routed from the Juniper itself.
Included below is the traceroute result:
Send ICMP echos to 10.1.0.1, timeout is 2 seconds, maximum hops are 32,
1 5ms 5ms 5ms 71.x.x.x
2 7ms 7ms 10ms 100.x.x.x
3 10ms 10ms 12ms 130.x.x.x
4 * * *
5 19ms 19ms 19ms 140.x.x.x
6 * * *
7 * * *
(etc)
17 * * *
18 * * Trace aborted
Any advice on how to resolve this issue would be very much appreciated. Thank you!
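A small added check that is not part of the question above: it parses ScreenOS-style traceroute output like the one posted and reports whether probes to a destination that should be reached over the VPN actually left via the WAN (first responding hop outside the tunnelled subnets) or went through the tunnel. The sample trace is constructed from the posted one with made-up values in place of the masked octets; the subnet list and helper names are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample modelled on the posted traceroute; the x octets are
# replaced with made-up values purely so the lines parse.
SAMPLE_TRACE = """\
Send ICMP echos to 10.1.0.1, timeout is 2 seconds, maximum hops are 32,
1 5ms 5ms 5ms 71.0.2.1
2 7ms 7ms 10ms 100.64.0.1
3 10ms 10ms 12ms 130.0.2.1
4 * * *
5 19ms 19ms 19ms 140.0.2.1
6 * * *
18 * * Trace aborted
"""

# Constructed trace of what a correctly tunnelled probe would look like:
# the far-side LAN interface answers directly.
TUNNELLED_TRACE = """\
Send ICMP echos to 10.1.0.1, timeout is 2 seconds, maximum hops are 32,
1 12ms 11ms 12ms 10.1.0.1
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_trace(text):
    """Return (destination, [(hop_number, ip_or_None), ...]).

    Hops with only '*' probes (or 'Trace aborted') yield None for the IP.
    """
    dest = None
    hops = []
    for line in text.splitlines():
        if line.startswith("Send ICMP echos to"):
            m = IP_RE.search(line)
            dest = ipaddress.ip_address(m.group(1)) if m else None
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        hop_no = int(m.group(1))
        ip_m = IP_RE.search(m.group(2))
        hops.append((hop_no, ipaddress.ip_address(ip_m.group(1)) if ip_m else None))
    return dest, hops


def classify_path(dest, hops, vpn_subnets):
    """Classify how probes to a VPN-reachable destination were routed.

    vpn_subnets: prefixes that must be reached through the site-to-site tunnel.
    Returns a dict with 'verdict' ('tunnel', 'leaked_to_wan', 'unknown' or
    'not_vpn_destination') and 'reached' (True if the last hop is the target).
    """
    nets = [ipaddress.ip_network(n) for n in vpn_subnets]
    reached = bool(hops) and hops[-1][1] == dest
    if dest is None or not any(dest in n for n in nets):
        return {"verdict": "not_vpn_destination", "reached": reached}
    first = next((ip for _, ip in hops if ip is not None), None)
    if first is None:
        return {"verdict": "unknown", "reached": reached}
    if first == dest or any(first in n for n in nets):
        return {"verdict": "tunnel", "reached": reached}
    # First responding hop is a public address: the probe went out the WAN
    # interface instead of being matched into the tunnel.
    if not first.is_private:
        return {"verdict": "leaked_to_wan", "reached": reached}
    return {"verdict": "unknown", "reached": reached}


def check(text, vpn_subnets=("10.0.0.0/24", "10.1.0.0/24")):
    """Convenience wrapper: parse and classify in one call."""
    dest, hops = parse_trace(text)
    return classify_path(dest, hops, vpn_subnets)


if __name__ == "__main__":
    print("posted trace:", check(SAMPLE_TRACE))
    print("tunnelled trace:", check(TUNNELLED_TRACE))
```

Running it on the posted trace reports leaked_to_wan with reached False, which is the symptom described: the first hop is a public address rather than anything inside 10.1.0.0/24. The same check run after a configuration change gives a quick pass/fail without eyeballing hop lists.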