Hi, uncovered unexpected (to me) behavior with a mix of PepVPN, IPsec, static routes and OSPF, wondering if I’m missing something.
First a diagram:
Most of our sites are interconnected using PepVPN. OSPF routes propagate exactly as expected.
We have one remote site (called “remote datacenter” in this diagram) which only supports IPsec connectivity.
Site “A” has a pfSense which traditionally created the tunnel to the remote datacenter (and I see a mistake in my hastily put together diagram; that link is via OpenVPN instead of IPsec if it matters). Site “A” also has a static route on the Peplink at that site routing traffic through the pfSense and this route is advertised via OSPF.
Site “B” was recently added. It has a direct IPsec link to the remote datacenter. From within the Site B LAN (and for OpenVPN clients connecting to this site) packets sent to the datacenter network route directly over this IPsec link.
The rest of the network doesn’t. For example, a packet destined for the datacenter network originating from site “C” or “D” travels through site “A”.
It appears that while the Balance at site B knows of the route to the datacenter it is not advertising this route via OSPF.
A cursory look at the OSPF options on the site “B” router didn’t find a way to advertise the IPsec route via OSPF.