11-11-2009 04:00 PM
When creating a policy-based VPN, I understand we need to create a tunnel interface for routing purposes.
Can we use the same tunnel for different site-to-site VPNs, or must I have one tunnel per site-to-site VPN under policy-based VPN?
The reason for asking is that the SSG5 device only supports 10 tunnels, so if I need one tunnel per site-to-site VPN, I am restricted to a maximum of 10 site-to-site VPNs as well.
Any comments?
11-11-2009 04:35 PM
Actually, you have it backwards. Policy-based VPNs don't leverage tunnel interfaces; route-based tunnels do. However, you can use NHTB (Next Hop Tunnel Binding) when configuring multiple route-based VPNs per tunnel interface. The older approach is to use one tunnel interface per VPN, but as you mentioned, that has limitations based on the model.
One scenario I come across a lot is people configuring policy-based VPNs because they want to control traffic using policy. You can do the same with route-based VPNs; you just need to make sure the tunnel interface is bound to a zone other than "trust". I like to create a custom "vpn" zone and bind all my tunnel interfaces to it. That way, when I create policy, I use trust to vpn and vpn to trust. I hope this helps.
11-11-2009 04:46 PM
So for route-based VPN, say:
VPN 1 from local 192.x.x.x to remote 172.17.x.x via Gateway 1
VPN 2 from local 192.x.x.x to remote 172.17.y.y via Gateway 2
Even though the above VPNs have different remote gateways, under 'Routing', 'Destination', I can have the same tunnel interface for both 172.17.x.x and 172.17.y.y, because the tunnel is bound to the same local interface?
11-11-2009 04:54 PM
I would recommend reviewing the documentation for route-based VPNs. I include the ScreenOS 6.1 link below, since this is a popular flavor of ScreenOS these days. For this to work, you can bind the VPNs to the same tunnel interface, but you will need to create NHTB entries along with the proper routes. I hope this helps.
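To make the two replies above concrete (several route-based VPNs bound to one tunnel interface via NHTB, with the tunnel interface in a custom "vpn" zone so traffic is controlled by trust-to-vpn and vpn-to-trust policies), here is an added ScreenOS CLI example. It is not from the original thread or from any Juniper document; the zone name, interface names, address book names, VPN and gateway names, the 192.168.1.0/24 local LAN, the 172.17.1.0/24 and 172.17.2.0/24 remote LANs, the 10.200.0.0/24 tunnel subnet, the public peer addresses and the placeholder pre-shared keys are all assumptions. Lines starting with `#` are annotations, not ScreenOS syntax.

```text
# Custom security zone for the tunnel interface, so policies are written
# trust <-> vpn rather than terminating the tunnel in the trust zone.
set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip 10.200.0.1/24

# Address book entries used by the policies (assumed networks).
set address trust lan-local 192.168.1.0/24
set address vpn siteA-lan 172.17.1.0/24
set address vpn siteB-lan 172.17.2.0/24

# Site A: IKE gateway (Phase 1) and VPN (Phase 2), bound to tunnel.1.
set ike gateway gw-siteA address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "REPLACE-ME-A" sec-level standard
set vpn vpn-siteA gateway gw-siteA sec-level standard
set vpn vpn-siteA bind interface tunnel.1
set vpn vpn-siteA proxy-id local-ip 192.168.1.0/24 remote-ip 172.17.1.0/24 any

# Site B: a second gateway and VPN bound to the SAME tunnel interface.
set ike gateway gw-siteB address 198.51.100.20 main outgoing-interface ethernet0/0 preshare "REPLACE-ME-B" sec-level standard
set vpn vpn-siteB gateway gw-siteB sec-level standard
set vpn vpn-siteB bind interface tunnel.1
set vpn vpn-siteB proxy-id local-ip 192.168.1.0/24 remote-ip 172.17.2.0/24 any

# NHTB: one next-hop address on the tunnel subnet per VPN. These addresses are
# purely local bookkeeping; the remote peers never see them.
set interface tunnel.1 nhtb 10.200.0.2 vpn vpn-siteA
set interface tunnel.1 nhtb 10.200.0.3 vpn vpn-siteB

# Routes to each remote LAN via tunnel.1. The gateway must match the NHTB
# address exactly; a route with no matching NHTB entry cannot be mapped to a VPN.
set route 172.17.1.0/24 interface tunnel.1 gateway 10.200.0.2
set route 172.17.2.0/24 interface tunnel.1 gateway 10.200.0.3

# Traffic control lives in policy between trust and the custom vpn zone,
# which is what people usually want when they reach for a policy-based VPN.
set policy from trust to vpn lan-local siteA-lan any permit
set policy from vpn to trust siteA-lan lan-local any permit
set policy from trust to vpn lan-local siteB-lan any permit
set policy from vpn to trust siteB-lan lan-local any permit

# Checks: the tunnel interface should list both NHTB entries, and both
# Phase 2 SAs should be active once the peers have negotiated.
get interface tunnel.1
get sa active
```

Since both VPNs terminate on one tunnel interface, the device picks the VPN from the route's next hop, not from the policy, so each remote network needs its own route with the corresponding NHTB gateway. Counting the tunnel interfaces used this way, rather than the VPNs, is what lets a model with a small tunnel-interface limit such as the SSG5 carry more site-to-site VPNs than it has tunnel interfaces.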