Currently all routing must take place on our core network (due to backup IPsec tunnels and faster MPLS circuits). Here is what we want to do, but I am not sure how to accomplish this. We have four IPsec tunnels that we do not want to be routed to each other without touching the core network first.

Our current setup has all four IPsec tunnels terminating on different tunnel interfaces, but all on the same virtual router (vr-ipsec). Traffic destined for the core comes over vr-ipsec and out eth10 to the core. However, traffic for a remote site comes down the same virtual router and back up the correct tunnel interface, skipping the core altogether.

What we want to do is terminate all the tunnels onto an interface facing the core. Each tunnel interface will have its own IP address. The core will know how to get to each remote site via the assigned IP on each tunnel. I can draw pictures if needed. Thanks
Update: First I changed my VPN tunnels to a newly created zone (IPSEC_Trust) and did the same thing for the 1/10 interface. I updated my any/any rule to allow from and to IPSEC_Trust and also updated my IPsec tunnels to the same zone. This created mixed results. Some traffic was fitting the any/any rule and other traffic wasn't. I did have both zones (ipsec_trust and trust) in the source and destination... would that fail?

I then changed the 1/10 interface back to trust and updated my any/any rule to allow from and to IPSEC_Trust and trust. All untrust traffic from the remote site now works, and shows up as two sessions on the firewall:

IPSec_Trust >> Trust
Trust >> Untrust

Is this the only solution for this?
I will try to draw this out the best I can and then ask my question.

Remote Site (zone is trust, vrouter2, tunnel.1) <<>> Core network (zone is trust, Interface 1/10, vrouter2, layer3)

Rule for this is any, any in both directions. The above is how all remote traffic flows (all traffic hits the core).

Core Network <<>> interface 1/9 (zone is trust, Vrouter1) <<>> Out to the web (zone is untrust, Vrouter1)

What should happen: Remote user surfs the web. Traffic comes down the IPsec tunnel, is assigned a session ID by the PA and logged, and is passed on to the core. It is then passed back up to the firewall on interface 1/9, where it would match a rule, get logged, and be passed out to the web.

Here is what's happening: Remote user surfs the web. Traffic comes down the IPsec tunnel, is assigned a session ID by the PA and logged, and is passed on to the core. It is then passed back up to the firewall on interface 1/9 .... Nothing happens. We cannot see a log or a deny at all. Remote users cannot ping the 1/9 interface.

My original suspicion is that the traffic is already assigned a session ID, so the PA drops the traffic. To fix this I would think I need to change my tunnel and tunnel-to-core (1/10) connection to be their own zone. Any ideas? I can provide more details if needed.