This is a diagram of my infrastructure:
VDOMs Public have internet access; VDOMs Secure do not.
For now, the IPsec VPN works correctly, but only between the Public VDOMs. Generally the current configuration works as in the diagram, but I have a problem connecting the Secure VDOMs over IPsec. So my question is:
Both devices are FortiGate 100E.
I'm assuming there are no subnet overlaps between all secure vdoms (otherwise this wouldn't work without complicated NAT/VIP combinations). Since those secure vdoms need to go through the public vdom for internet, the routing should be as simple as below:
sec-vdom->pub-vdom: 0/0
pub-vdom->sec-vdom: internal subnets like 172.2.255.0/24 or 172.4.255.0/24
No, the routes (subnets) I wrote are the destinations of static routes. The GW should be the opposite-side IP of the vdom-link. You must have assigned a /30 for each vdom-link. If the sec-vdom has 10.0.0.2/30, the GW is 10.0.0.1 on the pub-vdom.
Ok, I have improved the VDOM-Link configuration. I had no address (it was 0.0.0.0/0.0.0.0).
However, I don't quite understand the routing you wrote. Which interface should these entries be configured on?
For now, on site B, VDOM Secure, I add:
Dst 0.0.0.0/0; GW 10.0.0.1; Int vlink1
On VDOM Public:
Dst 172.4.255.0/24; GW 10.0.0.2; Int vlink0
vlink is the VDOM-Link connecting VDOM Public and Secure. vlink0 is 10.0.0.1 (Public), vlink1 is 10.0.0.2 (Secure).
Looks correct. Then at least you should be able to ping a device in 172.4.255.0/24 from the pub-vdom.
You asked about routing only across the vdom-link. My suggestion was only for that part. So pinging from the local pub-vdom to the local sec-vdom is covered by those routes.
If you haven't done any routing between the two pub-vdoms over the tunnel, that's the next thing you need to figure out. That part is the basics of any IPsec config/routing/policy, as if those 172.16.2/4.0/24 were located at those pub-vdoms, which you can find many examples of everywhere. The only difference is that the local interface is not "internal" or other physical ports, but the vdom-links.
Then you can pass traffic between 172.16.2.0/24 and 172.16.4.0/24 as well as toward the internet.
The picture from the first post shows the working configuration, so:
1. I have an IPsec connection between the Public VDOMs, which have access to the internet
2. I have working inter-VDOM routing (Public - Secure)
To be done:
1. Inter-VDOM routing through the IPsec tunnel, connecting each VDOM to each other, especially the Secure VDOMs. I want to use the existing IPsec tunnel to do this.
I wrote this in my first post.
I already tried to create static routes and policies to do this, but no luck, even after correcting the inter-VDOM configuration.
I seem to keep writing the same response again and again in the forum, as you can find in search. Any IPsec-related problem, if something is not directly connected at the termination point of the IPsec, comes down to one of three components:
1) Phase2 selector sets need to include all the traffic passing through. In your case, all 172.x.255.0/24 combinations. The easiest way is to change it back to the default 0/0<->0/0, which includes every combination.
2) Routing THROUGH the tunnel for all subnets in BOTH directions. Make sure you see all subnets for all /24s at both pub-vdoms, half into the tunnel interface and half to the local interface/vdom-link. [get router info routing-t all]
3) Policies at each section (vdom) allow the traffic in both directions.
Then, most importantly, you need to know how to debug it if it doesn't work as you intend. Mainly two or three skills you need to learn:
0) check the routing table (get router info routing-t all)
2) sniffing packets at interfaces to see if the traffic is coming/going through the interface (diag sniffer packet <interface_name> '<expressions_for_filtering>' <output_format>). You can find examples/syntax on the internet. Just remember you have to disable ASIC offloading in the policies in case it's involved for VPN encryption for those pub-vdoms.
3) "flow debug" to find out WHY those packets are dropped or not going into the tunnel although sniffing shows they're getting into the pub-vdom. You can search for examples/how-tos on the internet or this forum.