Hi again
Maybe the answer is obvious to most of you, but I needed to know, so I did further investigations.
So yes, you can initiate an IPsec S2S tunnel from an L2TP/IPsec tunnel.
The issue for me was that the packets belonging to the IPsec tunnel were dropped, so I finally understood.
If you remember, my incoming L2TP is on the same interface as the outgoing IPsec S2S, so the easy (lazy) way was to keep only one zone. It does not work!
I had to have two zones configured, one for the dial-up VPN (L2TP) and another for IPsec S2S.
Then configure the policy, and all packets go through:
  ZONE L2TP            ZONE IPSEC
  Dial-Up VPN   --->   S2S IPsec on SSG5
If your dial-up VPN gets an IP from a pool on the same subnet as the IPsec proxy-ID, then you are done.
That was not my case: I wanted to be on a different subnet for security reasons, as the connection can be initiated from anywhere.
On each remote (SSG5) site the configuration must be updated:
• The most important update: the routing table, with the L2TP IP pool going through tunnel.x
• Update every policy that is needed to allow the L2TP IP pool
Here are my few words, without pretension.
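As an added illustration (not part of the post above, and not the author's configuration), here is a ScreenOS CLI sketch of the two-zone layout and the two remote-site updates the post describes. It assumes both ends are ScreenOS devices (the post only names the SSG5 on the remote side), that the S2S tunnel interface is tunnel.1, and that the tunnel interface on the remote SSG5 sits in the Untrust zone; the zone names, address-book names, policy IDs and the 10.99.0.0/24 pool and 192.168.20.0/24 LAN are made up for the example. Lines starting with ## are annotations, not CLI commands.

```screenos
## Added example, not from the original post. All names, addresses and the
## tunnel.1 index are assumptions chosen for illustration.

## --- Hub side: the box terminating both the L2TP dial-up and the S2S IPsec ---
## Two separate zones instead of one shared zone.
set zone name "L2TP"
set zone name "IPSEC"
## Assumed: the S2S route-based tunnel interface is tunnel.1, in the IPSEC zone.
set interface tunnel.1 zone "IPSEC"
## Assumed dial-up pool on its own subnet, deliberately not the S2S proxy-ID subnet.
set ip pool "L2TP-POOL" 10.99.0.10 10.99.0.100
set address "L2TP" "L2TP-POOL-NET" 10.99.0.0 255.255.255.0
set address "IPSEC" "REMOTE-LAN" 192.168.20.0 255.255.255.0
## Send the remote LAN over the S2S tunnel.
set route 192.168.20.0/24 interface tunnel.1
## Inter-zone policies so dial-up clients and the remote LAN can talk.
set policy id 101 from "L2TP" to "IPSEC" "L2TP-POOL-NET" "REMOTE-LAN" "ANY" permit
set policy id 102 from "IPSEC" to "L2TP" "REMOTE-LAN" "L2TP-POOL-NET" "ANY" permit

## --- Remote SSG5 side: the two updates the post lists ---
## 1. Routing table: return traffic for the L2TP pool must go back through tunnel.1.
set address "Untrust" "L2TP-POOL-NET" 10.99.0.0 255.255.255.0
set route 10.99.0.0/24 interface tunnel.1
## 2. Every policy that must carry dial-up traffic has to allow the pool subnet.
set policy id 201 from "Untrust" to "Trust" "L2TP-POOL-NET" "Any" "ANY" permit
set policy id 202 from "Trust" to "Untrust" "Any" "L2TP-POOL-NET" "ANY" permit
```

One check worth doing when the pool is on a different subnet, as in the post: if the S2S tunnel is negotiated with specific proxy-IDs rather than 0.0.0.0/0, those proxy-IDs on both ends must also cover the pool subnet, otherwise traffic from dial-up clients will not match the IPsec SA even though the routes and policies are correct.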