When creating a route-based VPN, a policy is sometimes necessary to allow traffic in and out of the tunnel. The configuration examples below show when one is required and what it looks like.
How do you determine if a policy is required when creating a route-based VPN?
Refer to the example network diagram below:
Whether a policy is needed to permit or deny traffic in and out of a route-based tunnel is determined by the security zone the tunnel interface is assigned to, relative to the zone of the user hosts. In every case the firewall also needs a route for the remote network that points at the tunnel interface; the policy decides whether the traffic is permitted, the route decides that it enters the tunnel. There are three instances where a policy is necessary:
- When the tunnel interface bound to the route-based VPN is assigned to a different zone than the user hosts (for example, hosts in Trust and the tunnel interface in Untrust).
- When the tunnel interface bound to the route-based VPN is assigned to the same zone as the user hosts AND intra-zone blocking is enabled on that zone (set zone <name> block).
- When the user hosts, the Internet-facing interface, and the tunnel interface are all in different zones (for example, a dedicated VPN zone for the tunnel interface).
Example for instance 1: In this example, the user hosts are located in the Trust zone and the tunnel interface is assigned to the Untrust zone. Therefore, a policy is necessary to allow traffic in and out of the route-based tunnel, since traffic flows from the Trust zone to the Untrust zone and vice versa. Note that the remote network's address object is defined in the Untrust zone, because that is the zone the tunnel interface (and therefore the remote hosts) belongs to.
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.10.10/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 172.16.10.1/24
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
set address trust "Trust_LAN" 192.168.10.0/24
set address untrust "Remote_LAN" 192.168.20.0/24
set ike gateway "IKE_Name" address 172.16.20.1 main outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn "VPN_Name" gateway "IKE_Name" sec-level compatible
set vpn "VPN_Name" bind interface tunnel.1
set policy top from trust to untrust "Trust_LAN" "Remote_LAN" Any permit
set policy top from untrust to trust "Remote_LAN" "Trust_LAN" Any permit
save
Example for instance 2: In this example, the tunnel interface is assigned to the Trust zone AND intra-zone blocking is enabled on that zone (set zone trust block). Therefore, a policy is necessary to allow traffic in and out of the route-based tunnel even though traffic flows from the Trust zone to the Trust zone. Both address objects are now defined in the Trust zone and the policies are intra-zone (from trust to trust).
set zone trust block
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.10.10/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 172.16.10.1/24
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet1
set address trust "Trust_LAN" 192.168.10.0/24
set address trust "Remote_LAN" 192.168.20.0/24
set ike gateway "IKE_Name" address 172.16.20.1 main outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn "VPN_Name" gateway "IKE_Name" sec-level compatible
set vpn "VPN_Name" bind interface tunnel.1
set policy top from trust to trust "Trust_LAN" "Remote_LAN" Any permit
set policy top from trust to trust "Remote_LAN" "Trust_LAN" Any permit
save
NOTE: If intra-zone blocking is not enabled on the Trust zone, traffic within the zone is permitted by default and no policy is required in this case. Enabling the block later will silently cut off the tunnel traffic until the intra-zone policies above are added.
Example for instance 3: In this example, the user hosts are in the Trust zone, the Internet-facing interface is in the Untrust zone, and the tunnel interface is assigned to its own custom zone named VPN. The policy must be between the Trust zone and whichever zone the tunnel interface resides in. Thus the policy has to be from the Trust zone to the VPN zone (not Trust to Untrust), even though the IKE gateway's outgoing interface is in the Untrust zone. The VPN zone is created and the tunnel interface assigned to it first; the IKE gateway and VPN binding are the same as in the earlier examples.
set zone name "VPN"
set interface tunnel.1 zone "VPN"
set interface tunnel.1 ip unnumbered interface ethernet3
set address "Trust" "Local_LAN" 192.168.10.0/24
set address "VPN" "Remote_LAN" 192.168.20.0/24
set policy from "Trust" to "VPN" "Local_LAN" "Remote_LAN" Any permit
set policy from "VPN" to "Trust" "Remote_LAN" "Local_LAN" Any permit
save
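As an added check that is not part of this article and is not ScreenOS code, the following Python applies the three-case rule above to a ScreenOS-style configuration dump: for every VPN bound to a tunnel interface it reports whether a policy is required (tunnel zone differs from the host zone, or the zones match but intra-zone blocking is on) and whether both directions of the policy pair between the host zone and the tunnel zone actually exist. The sample configurations are constructed abridgements of the three examples above, the host zone is assumed to be trust, and the parser only recognises the handful of set lines that matter for this question.

```python
import re
from typing import Dict, Set, Tuple

# Hypothetical audit helper for ScreenOS-style config dumps (added example, not vendor code).
# Only the 'set' lines that decide the policy question are parsed; everything else is ignored.
IFACE_ZONE = re.compile(r'^set interface (\S+) zone "?([^"\s]+)"?$')
ZONE_BLOCK = re.compile(r'^set zone "?([^"\s]+)"? block$')
VPN_BIND = re.compile(r'^set vpn "([^"]+)" bind interface (\S+)$')
POLICY = re.compile(r'^set policy (?:top |id \d+ )?from "?([^"\s]+)"? to "?([^"\s]+)"? ')


def parse_screenos(config: str) -> dict:
    """Collect interface->zone, blocked zones, VPN->tunnel bindings and (from, to) policy pairs."""
    iface_zone: Dict[str, str] = {}
    blocked: Set[str] = set()
    vpn_tunnel: Dict[str, str] = {}
    policies: Set[Tuple[str, str]] = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_ZONE.match(line):
            iface_zone[m[1]] = m[2].lower()   # zone names compared case-insensitively
        elif m := ZONE_BLOCK.match(line):
            blocked.add(m[1].lower())
        elif m := VPN_BIND.match(line):
            vpn_tunnel[m[1]] = m[2]
        elif m := POLICY.match(line):
            policies.add((m[1].lower(), m[2].lower()))
    return {"iface_zone": iface_zone, "blocked": blocked,
            "vpn_tunnel": vpn_tunnel, "policies": policies}


def audit_vpn_policies(config: str, host_zone: str = "trust") -> Dict[str, dict]:
    """Per VPN: is a policy required (zone rule), and are both directions present?"""
    cfg = parse_screenos(config)
    host_zone = host_zone.lower()
    report: Dict[str, dict] = {}
    for vpn, tun in cfg["vpn_tunnel"].items():
        tzone = cfg["iface_zone"].get(tun)
        if tzone is None:
            report[vpn] = {"tunnel_zone": None, "required": None, "present": False,
                           "missing": [], "reason": f"{tun} is not assigned to any zone"}
            continue
        if tzone != host_zone:
            required = True
            reason = f"{tun} is in zone {tzone}, hosts in {host_zone}: inter-zone traffic"
        elif tzone in cfg["blocked"]:
            required = True
            reason = f"{tun} and hosts share zone {tzone}, but 'set zone {tzone} block' is on"
        else:
            required = False
            reason = f"{tun} and hosts share zone {tzone} and intra-zone blocking is off"
        needed = {(host_zone, tzone), (tzone, host_zone)}   # policy needed in both directions
        missing = sorted(needed - cfg["policies"])
        report[vpn] = {"tunnel_zone": tzone, "required": required,
                       "present": not missing, "missing": missing, "reason": reason}
    return report


def vpns_missing_policy(config: str, host_zone: str = "trust") -> list:
    """Names of VPNs that need a policy but lack at least one direction of it."""
    return sorted(v for v, r in audit_vpn_policies(config, host_zone).items()
                  if r["required"] and not r["present"])


# Constructed sample configs, abridged from the article's cases (not taken from real devices).
CASE_DIFFERENT_ZONES = """
set interface ethernet1 zone trust
set interface ethernet3 zone untrust
set interface tunnel.1 zone untrust
set vpn "VPN_Name" bind interface tunnel.1
set policy top from trust to untrust "Trust_LAN" "Remote_LAN" Any permit
set policy top from untrust to trust "Remote_LAN" "Trust_LAN" Any permit
"""
CASE_SAME_ZONE_BLOCKED = """
set zone trust block
set interface ethernet1 zone trust
set interface tunnel.1 zone trust
set vpn "VPN_Name" bind interface tunnel.1
"""
CASE_SAME_ZONE_OPEN = """
set interface ethernet1 zone trust
set interface tunnel.1 zone trust
set vpn "VPN_Name" bind interface tunnel.1
"""
CASE_VPN_ZONE = """
set zone name "VPN"
set interface ethernet1 zone trust
set interface tunnel.1 zone "VPN"
set vpn "VPN_Name" bind interface tunnel.1
set policy from "Trust" to "Untrust" "Local_LAN" "Remote_LAN" Any permit
set policy from "Untrust" to "Trust" "Remote_LAN" "Local_LAN" Any permit
"""

if __name__ == "__main__":
    for name, cfg in [("different zones", CASE_DIFFERENT_ZONES),
                      ("same zone, blocked", CASE_SAME_ZONE_BLOCKED),
                      ("same zone, open", CASE_SAME_ZONE_OPEN),
                      ("dedicated VPN zone", CASE_VPN_ZONE)]:
        print(name, audit_vpn_policies(cfg)["VPN_Name"])
```

The second and fourth sample configs are the two mistakes this check is meant to catch: intra-zone blocking enabled with no trust-to-trust policy, and a tunnel interface in a custom VPN zone with the policy written against Untrust instead of VPN. Both are reported as required but not present.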