Hi,
I've used Aruba Central to configure a site-to-site VPN in a group of 2 SD-WAN gateways to connect a mixed admin/user network at a remote site with the local network at the GWs' site. I've also configured a public VRRP IP in the WAN VLAN so the remote site can "point" its configuration there and use that IP to establish the VPN. I come from a Linux background where all this made sense, but I think I'm not "translating" correctly to Aruba. I have two problems with this setup:
* I don't want the remote network to access all of our local network without limits. However, if I set up the VPN as "trusted", no limits are imposed on the incoming traffic; and if I don't set it up as trusted, no traffic is allowed at all. I figured the traffic would pass through the roles and ACLs that restrict the traffic in the destination VLANs, but that doesn't seem to be the case. What should I do to limit the traffic coming from the remote site to our network?
* When the VPN is established from the remote site to the public VRRP IP, about 40% of the traffic is lost. If I establish the VPN using one of the GWs' own public IP addresses, no traffic is lost. This is not desirable, as we'd like to use the VRRP IP for HA reasons. Are there any known issues when using a public VRRP IP address for site-to-site VPNs?
Thanks in advance.