Site to Site tunnels not able to communicate with each other

12-19-2018 09:17 AM

We currently have two remote offices connected via site to site IPsec tunnels to our HQ. Our HQ SSG firewall has a site to site configured for Azure. However the two remote offices are also connected, but cannot access Azure. I realize this could possibly be we may need to add a static route to each of the remote office firewalls, but I'm not sure.


I have tried several combinations including adding the remote Azure subnet as the Route and the Tunnel interface as the next hop, but I still cannot access anything from the remote gateways.


Any assistance would be greatly appreciated.


Re: Site to Site tunnels not able to communicate with each other

12-19-2018 05:26 PM

The traffic in this case has to travel through two vpn tunnels and have routes in both directions.

Azure > HQ > remote site


So the Azure > HQ tunnel needs to know about the remote site prefixes. This will add some proxy-id pairs on the SSG and on the Azure side of the tunnel.

The Azure side must have a route to the remote sites through the tunnel.

Security policies need to expand to permit the traffic across the Azure tunnel.


For the HQ > remote site tunnel if the standard route based tunnel is in place the only addition needed is the route on the remote side to the tunnel interface for the Azure prefix.

Security policies on this tunnel also need to expand to allow the Azure prefix.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
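The hub-and-spoke changes the reply describes, written out as an added ScreenOS CLI example (not configuration from the thread or from Juniper). All subnets, zone names, tunnel numbers and VPN names are placeholders; it assumes a ScreenOS 6.x release that accepts multiple proxy-id pairs per VPN, and that the three tunnel interfaces on the HQ SSG sit in one custom zone "VPN" with intra-zone blocking enabled, so spoke-to-Azure traffic needs an explicit policy. Lines starting with `#` are annotations, not CLI commands.

```screenos
# --- HQ SSG (hub). Assumed addressing (placeholders):
#   HQ LAN        192.168.1.0/24   zone Trust
#   Remote-A LAN  192.168.10.0/24  via tunnel.1, zone VPN
#   Remote-B LAN  192.168.20.0/24  via tunnel.2, zone VPN
#   Azure VNet    10.1.0.0/16      via tunnel.3, zone VPN ("Azure-VPN")
# Address-book objects keep the policies narrow (no "Any" to "Any").
set address "VPN" "Remote-A-Net" 192.168.10.0 255.255.255.0
set address "VPN" "Remote-B-Net" 192.168.20.0 255.255.255.0
set address "VPN" "Azure-Net" 10.1.0.0 255.255.0.0
# Routes to the spokes and to Azure already exist on the hub (route-based
# tunnels). Spoke traffic enters on tunnel.1/2 and leaves on tunnel.3, so
# with intra-zone blocking on the policies below are required, both ways.
set zone "VPN" block
set policy id 30 from "VPN" to "VPN" "Remote-A-Net" "Azure-Net" "ANY" permit
set policy id 31 from "VPN" to "VPN" "Azure-Net" "Remote-A-Net" "ANY" permit
set policy id 32 from "VPN" to "VPN" "Remote-B-Net" "Azure-Net" "ANY" permit
set policy id 33 from "VPN" to "VPN" "Azure-Net" "Remote-B-Net" "ANY" permit
# One proxy-id pair per spoke prefix on the Azure VPN, so the SA the SSG
# negotiates matches Azure's traffic selectors for spoke-sourced traffic.
# The existing HQ-LAN pair (192.168.1.0/24 <-> 10.1.0.0/16) stays as is.
set vpn "Azure-VPN" proxy-id local-ip 192.168.10.0/24 remote-ip 10.1.0.0/16 "ANY"
set vpn "Azure-VPN" proxy-id local-ip 192.168.20.0/24 remote-ip 10.1.0.0/16 "ANY"

# --- Remote-A SSG (spoke). Its HQ tunnel is tunnel.1 in zone VPN.
# The only routing change: send the Azure prefix into the HQ tunnel.
set route 10.1.0.0/16 interface tunnel.1
set address "VPN" "Azure-Net" 10.1.0.0 255.255.0.0
# Policies on the HQ tunnel widened to the Azure prefix only, both ways.
set policy id 40 from "Trust" to "VPN" "Any" "Azure-Net" "ANY" permit
set policy id 41 from "VPN" to "Trust" "Azure-Net" "Any" "ANY" permit
# Remote-B is identical with its own LAN prefix and tunnel interface.
```

On the Azure side the matching step is to add each spoke prefix (here 192.168.10.0/24 and 192.168.20.0/24) to the address space of the Local Network Gateway that represents the HQ SSG; without that Azure has no route back through the tunnel and the return traffic is dropped. Check with `get sa` and `get route` on each SSG that the new proxy-id pairs come up and the Azure prefix resolves to the tunnel interface.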