Hi, I encountered a situation that may totally change my understanding of how IPsec works... I need your help to clear my doubts. Refer to the following topology:
HostA(70.36.241.106) -----SRX ----- Internet ----- ASA ---- Customer Internal network --- HostB(66.95.19.46)
Host A on my side needs to talk to Host B on the customer side securely over the Internet, so we set up an IPsec tunnel between my VPN GW (SRX) and the customer's VPN gateway (ASA). On my side I have proxy-id local 70.36.241.106/32 and remote 66.95.19.46/32 in the IPsec config; I know that on the ASA side the crypto ACL is "permit ip host 66.95.19.46 host 70.36.241.106". Everything is fine: IPsec P1/P2 came up, we can ping each other, everything. The IPsec security association on my side clearly shows that only traffic between the two /32 hosts is being encrypted.

But when I traceroute from my side (Host A) to the customer side (Host B), I see RFC1918 hops behind the customer VPN GW in the traceroute output. I am baffled. I can understand that the customer will use RFC1918 addresses in their internal network, but how could those TTL-expiration ICMP packets get passed beyond the ASA on their side? The traffic obviously does not match the crypto ACL, and more importantly, why would the SRX decrypt IP traffic not matching the IPsec SA? I expected to see *s until the last hop in my traceroute output.

Please help...