Hello,
We would like to implement full traffic routing from one of our remote sites (behind an MX68) to a Public WiFi provider through an existing IPsec VPN tunnel established in our central datacenter.
Current Architecture
Remote site connected via SD-WAN (AutoVPN) to our central site
Remote MX: MX68 (Spoke)
Central MX: MX250 (Hub)
Remote site LAN subnet: 192.168.50.0/25
IPsec tunnel (Datacenter ↔ Public WiFi Provider)
Current Status
Traffic from the remote site (192.168.50.0/25) successfully reaches the central site through SD-WAN (AutoVPN).
From the central site, traffic properly traverses the IPsec tunnel.
We can successfully reach the provider subnet (172.21.0.0/30) from the remote site.
End-to-end connectivity between 192.168.50.0/25 and 172.21.0.0/30 is working correctly.
Requirement
The Public WiFi provider will soon enforce traffic filtering.
Therefore, we must redirect all traffic originating from the remote site subnet (192.168.50.0/25) to the provider’s cloud equipment (172.21.0.2) through the existing IPsec tunnel.
In other words, we need to implement a source-based default route so that all outbound traffic from 192.168.50.0/25 uses 172.21.0.2 as next hop via the IPsec tunnel.
Issue Encountered
When attempting to configure a source-based default route on the MX, we receive the following error:
"There were errors in saving this configuration:
The source-based route 'UCOPIA' has an invalid next hop IP. The IP address 172.21.0.2 is not on a configured subnet."
It appears that the MX does not accept 172.21.0.2 as a valid next hop because it is not part of a locally configured subnet, even though it is reachable via the IPsec VPN.
Main Problem
We are unable to redirect all traffic from 192.168.50.0/25 to 172.21.0.2.
The route to 172.21.0.0/30 is known and works with a ping !!!!
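An added example (not part of the original post, and not Meraki's own validation code) that models the check behind the error above: the dashboard only accepts a next hop that lies inside a locally configured subnet, so a prefix learned over AutoVPN or the hub's IPsec tunnel is pingable yet still rejected. The subnet lists below are constructed from the values in the post.

```python
import ipaddress

# Constructed from the post: the MX68's locally configured LAN subnet, and the
# prefix that is only reachable through AutoVPN and the hub's IPsec tunnel.
LOCAL_SUBNETS = ["192.168.50.0/25"]
VPN_ROUTES = ["172.21.0.0/30"]


def next_hop_status(next_hop, local_subnets=LOCAL_SUBNETS, vpn_routes=VPN_ROUTES):
    """Classify a candidate next hop the way the dashboard validation does.

    Returns one of:
      "on-link"   : inside a configured local subnet (accepted as a next hop)
      "reachable" : covered only by a VPN/static route (pingable, but rejected)
      "unknown"   : no route at all
    """
    ip = ipaddress.ip_address(next_hop)
    if any(ip in ipaddress.ip_network(s, strict=False) for s in local_subnets):
        return "on-link"
    if any(ip in ipaddress.ip_network(r, strict=False) for r in vpn_routes):
        return "reachable"
    return "unknown"


def validate_source_route(name, source_subnet, next_hop, **kw):
    """Reproduce the 'invalid next hop' decision; returns (accepted, message).

    Reachability over a tunnel is deliberately ignored: only an on-link next hop
    passes, which is exactly why a pingable 172.21.0.2 is still refused.
    """
    status = next_hop_status(next_hop, **kw)
    if status == "on-link":
        return True, f"source-based route '{name}' for {source_subnet} via {next_hop} accepted"
    return False, (f"The source-based route '{name}' has an invalid next hop IP. "
                   f"The IP address {next_hop} is not on a configured subnet "
                   f"(next hop is {status}).")


if __name__ == "__main__":
    # The route from the post: accepted only if the next hop were on the LAN.
    for hop in ("172.21.0.2", "192.168.50.1"):
        ok, msg = validate_source_route("UCOPIA", "192.168.50.0/25", hop)
        print(("OK   " if ok else "FAIL ") + msg)
```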