I have an organization with routed hub and full-tunnel configuration.
This one works well until one of network have to use split network. So, I unchecked Default route option in Site-to-Site VPN configuration. But it still works as full-tunnel VPN.
I can understand why this is happening. Every site that participates in VPN network always gets default route from Center MX, and it overwrites site's default WAN route despite of Default route is unchecked because AutoVPN route's priority is higher.
But problem starts here.
Based on my prior knowledge, I excluded 0.0.0.0/0 from Center MX to not to advertise it via AutoVPN, so it won't take over default route when site's Default route setting is disabled.
- Site1 : Default Route -> Hub
- Site2 : Default Route -> WAN Uplink
- Center MX : Default(0.0.0.0/0), Internal Summary -> Center L3 (In VPN No)
As soon as I saved this configuration, Site1(Default route is checked) cannot use Internet. Only able to use advertised summary network. Site2(Default route is unchecked) is okay.
So, I've captured packet from Center MX, and traffic from Site1 is coming from Site-to-Site VPN interface, but reply traffic is going towards LAN interface.
Therefore, it seems that "VPN Participants" option in Site-to-Site VPN decides not only "selects which network/route will be advertised via VPN" also "decides which traffic is VPN traffic". Why this is happening?