Hi all,
I have some SSG hops with LANs connected over the Internet.
There is no direct connectivity between nodes J1 and J3.
But traffic needs to be exchanged between LANs 1 and 3.
Route-based VPN
J1:
set vpn "1-2" bind interface tunnel.1
set vpn "1-2" gateway "GW1-2" tunnel idletime 0 sec-level standard
set route 10.0.2.0/24 interface tunnel.1
set route 10.0.3.0/24 interface tunnel.1
J2:
set vpn "2-1" bind interface tunnel.1
set vpn "2-1" gateway "GW2-1" tunnel idletime 0 sec-level standard
set route 10.0.1.0/24 interface tunnel.1
set vpn "2-3" bind interface tunnel.2
set vpn "2-3" gateway "GW2-3" tunnel idletime 0 sec-level standard
set route 10.0.3.0/24 interface tunnel.2
J3:
set vpn "3-2" bind interface tunnel.1
set vpn "3-2" gateway "GW3-2" tunnel idletime 0 sec-level standard
set route 10.0.1.0/24 interface tunnel.1
set route 10.0.2.0/24 interface tunnel.1
All OK. I can get from 10.0.1.0/24 to 10.0.3.0/24 through the transit hop on J2.
But now I need to move to policy-based VPN for some reasons.
Policy-based VPN
J1:
set policy from "Untrust" to "Trust" "10.0.2.0/24" "10.0.1.0/24" "ANY" tunnel vpn "1-2"
set policy from "Trust" to "Untrust" "10.0.1.0/24" "10.0.2.0/24" "ANY" tunnel vpn "1-2"
J2:
set policy from "Untrust" to "Trust" "10.0.1.0/24" "10.0.2.0/24" "ANY" tunnel vpn "2-1"
set policy from "Trust" to "Untrust" "10.0.2.0/24" "10.0.1.0/24" "ANY" tunnel vpn "2-1"
set policy from "Untrust" to "Trust" "10.0.3.0/24" "10.0.2.0/24" "ANY" tunnel vpn "2-3"
set policy from "Trust" to "Untrust" "10.0.2.0/24" "10.0.3.0/24" "ANY" tunnel vpn "2-3"
J3:
set policy from "Untrust" to "Trust" "10.0.2.0/24" "10.0.3.0/24" "ANY" tunnel vpn "3-2"
set policy from "Trust" to "Untrust" "10.0.3.0/24" "10.0.2.0/24" "ANY" tunnel vpn "3-2"
I can't do a policy from "Untrust" to "Untrust" with a tunnel on J2.
How can I reach 10.0.3.0/24 from 10.0.1.0/24?
Should I look towards PBR?