Hello,
I am having an issue with VPN policies conflicting. To understand it better, let's look at the following:
10.1.1.1 [ ASA ] ======= tunnel ======== [ SRX ] ========== tunnel =========== [ Check Point ] 172.1.1.0
10.1.1.1 needs to be able to reach 172.1.1.0 subnet
Policy on SRX (VPN is policy based)
Policy 1: ASA to SRX (10.1.1.1 --> 172.1.1.0 Accept; Encrypt ASA-SRX)
Policy 2: SRX to CP (10.1.1.1 --> 172.1.1.0 Accept; Encrypt SRX-CP)
The tunnels on both ends come up; however, traffic is only passed via ASA-SRX. As for the tunnel between SRX and CP, the traffic fails (possibly since SRX is encrypting it using Policy-1 instead of Policy-2).
How can we overcome this issue? I was thinking of NATing 10.1.1.1 on the SRX and having
Policy 2: SRX to CP (NAT_192.1.1.1 --> 172.1.1.0 Accept; Encrypt SRX-CP)
Any other suggestions?
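As an added illustration (not part of the original post, and not SRX configuration), the following Python models first-match policy lookup and reports policies that are shadowed by an earlier one: with the two policies as posted, Policy 2 can never be selected, while the NAT variant gives it a distinct match. Policy names and addresses are taken from the post; the /24 for 172.1.1.0 and /32 for the hosts are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    src: str      # source prefix the policy matches
    dst: str      # destination prefix the policy matches
    tunnel: str   # IPsec VPN the matching traffic is encrypted into

def _covers(outer: str, inner: str) -> bool:
    """True when every address in `inner` is also in `outer`."""
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def first_match(policies, src_ip: str, dst_ip: str):
    """Return the first policy whose src/dst match, mirroring first-match lookup."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p
    return None

def shadowed(policies):
    """(later, earlier) pairs where `earlier` covers all of `later`'s traffic,
    so `later` is never reached under first-match evaluation."""
    out = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                out.append((later.name, earlier.name))
                break
    return out

# Constructed policy set as described in the post: both policies share one match tuple.
ORIGINAL = [
    Policy("Policy-1", "10.1.1.1/32", "172.1.1.0/24", "ASA-SRX"),
    Policy("Policy-2", "10.1.1.1/32", "172.1.1.0/24", "SRX-CP"),
]
# Constructed NAT variant: Policy-2 keys on the translated source 192.1.1.1 instead.
WITH_NAT = [
    Policy("Policy-1", "10.1.1.1/32", "172.1.1.0/24", "ASA-SRX"),
    Policy("Policy-2", "192.1.1.1/32", "172.1.1.0/24", "SRX-CP"),
]

if __name__ == "__main__":
    print(shadowed(ORIGINAL))                                       # [('Policy-2', 'Policy-1')]
    print(first_match(ORIGINAL, "10.1.1.1", "172.1.1.5").tunnel)    # ASA-SRX
    print(shadowed(WITH_NAT))                                       # []
    print(first_match(WITH_NAT, "192.1.1.1", "172.1.1.5").tunnel)   # SRX-CP
```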