Screen OS

Hello,

Trying to route both my internal network and DMZ network to a remote subnet over VPN, is the below possible:

set interface tunnel.4 ip unnumbered interface ethernet0/0 (internal)
set interface tunnel.5 ip unnumbered interface ethernet0/1 (DMZ)

set vpn "VPN" proxy-id local-ip 192.168.100.0/24 remote-ip 192.168.99.0/24 "ANY"
set vpn "VPN_DMZ" proxy-id local-ip 10.10.10.0/24 remote-ip 192.168.99.0/24 "ANY"

set vpn "VPN" gateway "T1_GW" no-replay tunnel idletime 0 sec-level standard
set vpn "VPN_DMZ" gateway "T1_GW" no-replay tunnel idletime 0 sec-level standard

set ike gateway "T1_GW" address x.x.x.x Main outgoing-interface "ethernet0/2" preshare "++++" sec-level standard
set ike gateway "T1_GW" nat-traversal
unset ike gateway "T1_GW" nat-traversal udp-checksum
set ike gateway "T1_GW" nat-traversal keepalive-frequency 240

set route 192.168.99.0/24 interface tunnel.4 preference 20
set route 192.168.99.0/24 interface null metric 100

set route 192.168.99.0/24 interface tunnel.5 preference 20
set route 192.168.99.0/24 interface null metric 100

Seems not to be working out...

Thanks for any assistance,

SRW

Actually you cant do it like that as the firewall will either load balance (if you have ecmp) or it will pick the first route in the table. There is no way for the FW to distingush between the traffic from dmz or internal based on destination routing.

In this case you have to go for source based routing so that traffic from DMZ will go to tun.5 and internal will go to tun.4. PBR would be another option which may have more flexibility depending on what you need in future.

Or you can use separate vrs, thats probably another solution