Hub-and-Spoke IPsec VPN Issue
We're trying to replace a Cisco ASA at our main office with a Firebox, but I'm having trouble figuring out how to route IPsec VPN traffic from one remote subnet to another remote subnet through it (i.e. a hub-and-spoke topology, or what WatchGuard seems to refer to as "tunnel switching"). At this page:
it looks pretty self-explanatory: you just add the remote subnet or subnets to the Tunnel Route Settings for the tunnel. So, for example, our main office is 192.168.0.0/24, our two branch offices are A) 10.1.0.0/16 and B) 10.2.0.0/16, and therefore the tunnel route settings for A would include 192.168.0.0/24 <===> 10.1.0.0/16 and 10.2.0.0/16 <===> 10.1.0.0/16, while the tunnel route settings for B would include 192.168.0.0/24 <===> 10.2.0.0/16 and 10.1.0.0/16 <===> 10.2.0.0/16. However, this isn't working for us: the tunnel between the main office and each branch office comes up just fine, but the two branch offices are unable to communicate with each other.
Each branch office endpoint is a Cisco ISR router, configured to forward traffic destined for both the main office and other branch offices over the tunnel to the main office. This worked for years with our Cisco ASA; I just can't get it to work with the Firebox. Anyone have any ideas? Thank you very much for your help!
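One way to narrow a problem like this down before touching either side is to model the Phase 2 traffic selectors of every tunnel and check them mechanically. The script below is an added example, not part of the original post and not WatchGuard or Cisco code. It uses the three subnets from the post, models the hub's tunnel routes exactly as the post lists them, and constructs a pair of spoke configurations (an assumption for illustration; branch B is deliberately missing its branch-A entry). It then checks two things that commonly break tunnel switching: whether every hub selector has an exact mirror on the spoke (an unmirrored selector negotiates no child SA, so that traffic never enters the tunnel), and whether a sample branch-to-branch packet has both an ingress selector and an egress selector on the hub.

```python
"""Check hub-and-spoke (tunnel switching) IPsec selectors for a hub with two spokes.

Added example, not from the original post. Each tunnel's Phase 2 traffic
selectors ("tunnel routes" on a Firebox, crypto ACL entries on a Cisco ISR)
are modelled as local/remote network pairs.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

Net = ipaddress.IPv4Network


class Selector(NamedTuple):
    local: Net   # network on this device's side of the tunnel
    remote: Net  # network on the peer's side of the tunnel


def sel(local: str, remote: str) -> Selector:
    return Selector(ipaddress.ip_network(local), ipaddress.ip_network(remote))


# Subnets from the post.
HUB_LAN = "192.168.0.0/24"
BRANCH_A = "10.1.0.0/16"
BRANCH_B = "10.2.0.0/16"

# Hub (Firebox) tunnel routes, as the post describes them.
HUB: Dict[str, List[Selector]] = {
    "branch_A": [sel(HUB_LAN, BRANCH_A), sel(BRANCH_B, BRANCH_A)],
    "branch_B": [sel(HUB_LAN, BRANCH_B), sel(BRANCH_A, BRANCH_B)],
}

# Spoke (ISR) crypto ACLs, constructed for this example. Branch B is
# deliberately missing its entry for branch A traffic, so the checker
# has something to report.
SPOKES: Dict[str, List[Selector]] = {
    "branch_A": [sel(BRANCH_A, HUB_LAN), sel(BRANCH_A, BRANCH_B)],
    "branch_B": [sel(BRANCH_B, HUB_LAN)],
}


def unmirrored(hub: List[Selector], spoke: List[Selector]) -> List[Selector]:
    """Hub selectors with no exact mirror (local/remote swapped) on the spoke.

    IKE Phase 2 negotiates each selector pair; a hub entry the spoke does not
    mirror produces no child SA, so that traffic is silently dropped.
    """
    mirrors = {Selector(s.remote, s.local) for s in spoke}
    return [s for s in hub if s not in mirrors]


def switched_path(src: str, dst: str,
                  hub: Dict[str, List[Selector]] = HUB) -> Optional[Tuple[str, str]]:
    """Return (ingress_tunnel, egress_tunnel) the hub would use to switch src->dst.

    Ingress: a tunnel whose selector has src in its remote net and dst in its
    local net (the hub decrypts it). Egress: a tunnel whose selector has src in
    local and dst in remote (the hub re-encrypts it). Tunnel switching needs
    both; None means no complete spoke-to-spoke path (a flow that terminates
    on the hub LAN also returns None, since it needs no egress tunnel).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = next((t for t, sels in hub.items()
                    if any(s in x.remote and d in x.local for x in sels)), None)
    egress = next((t for t, sels in hub.items()
                   if any(s in x.local and d in x.remote for x in sels)), None)
    if ingress is None or egress is None:
        return None
    return ingress, egress


def report() -> Dict[str, List[Selector]]:
    """Per-spoke list of hub selectors the spoke fails to mirror."""
    return {name: unmirrored(HUB[name], SPOKES[name]) for name in HUB}


if __name__ == "__main__":
    for name, missing in report().items():
        for m in missing:
            print(f"{name}: spoke needs {m.remote} <-> {m.local} to mirror the hub")
    print("hub path 10.1.5.5 -> 10.2.7.7:", switched_path("10.1.5.5", "10.2.7.7"))
```

With the constructed inputs the hub side already has a complete switched path for a packet from 10.1.5.5 to 10.2.7.7 (in via branch A, out via branch B), so the script points at the spoke: branch B's crypto ACL needs a 10.2.0.0/16 <-> 10.1.0.0/16 entry to mirror the hub's 10.1.0.0/16 <===> 10.2.0.0/16 tunnel route. Replacing the constructed spoke entries with the real ISR crypto ACLs is the intended use.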