09-08-2009 09:05 PM
I am wondering if the following is possible.
Site 1
Firewall1 (FW1):
ETH0/0 - Connected to LAN (172.16.20.1/24) - Trust zone (NAT mode)
ETH0/1 - Connected to Internet (public IP from pppoe) - Untrust zone (route mode)
Site 2
Firewall2 (FW2):
ETH0/0 - Connected to LAN (172.16.30.1/24) - Trust zone (NAT mode)
ETH0/1 - Connected to internet (public IP from pppoe) - Untrust zone (route mode)
Now we know that a tunnel between FW1-ETH0/1 and FW2-ETH0/1 is possible. But we want to create a tunnel between FW1-ETH0/0 and FW2-ETH0/0.
Is it possible? If it is possible, then how are we going to achieve that and what changes will we need to make?
Thanks
09-09-2009 06:28 AM
If I understand your setup right, you need to terminate the VPN on the Untrust interface in each case. This will provide a tunnel so that 172.16.20.0/24 and 172.16.30.0/24 can pass traffic to each other.
As you are using private IPs on Eth0/0 in each case, it is not possible to terminate the VPNs here, as to route to the other site the traffic needs to go over the internet.
09-09-2009 10:41 AM
If the tunnel interface is bound to the Trust zone and VPN traffic involves a user on the Trust zone, a policy is not needed but an Intra-zone policy (Trust to Trust) can be used.
So just change the tunnel interface to the trust zone, for example:
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0
The rest of the config would remain the same.
Thanks
Atif
09-09-2009 04:52 PM
09-09-2009 04:57 PM
Hi,
If I understand the issue correctly, you would like to bind the VPN to the trust interface, so you need to change the following things:
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0
A policy is not needed, but an Intra-zone policy (Trust to Trust) can be used.
The rest of the config would remain the same.
Thanks
Atif
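To make the answer above concrete, here is a worked ScreenOS configuration for FW1 (Site 1) with the route-based VPN bound to a tunnel interface in the Trust zone. This is an added example, not config posted in the thread; the gateway and VPN names, the remote public address 203.0.113.2 (a documentation-range placeholder for FW2's PPPoE address) and the preshared key are assumptions to be replaced with real values. FW2 is the mirror image: swap the 172.16.20.0/24 and 172.16.30.0/24 networks and point the IKE gateway at FW1's public address. The example keeps ethernet0/0 in NAT mode as in the original question; ScreenOS interface-based NAT only translates traffic leaving toward the Untrust zone, so Trust-to-tunnel.1 traffic (both in Trust) is passed untranslated.

```screenos
## FW1 (Site 1) -- added example, not from the thread. Names, the remote
## address 203.0.113.2 and the preshared key are assumptions; replace them.

## Tunnel interface lives in the Trust zone and borrows ethernet0/0's address
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0

## Phase 1: the IKE gateway still terminates on the Untrust (PPPoE) interface,
## because that is the only interface with a routable address
set ike gateway "gw-site2" address 203.0.113.2 outgoing-interface ethernet0/1 preshare "ReplaceWithStrongPSK" proposal "pre-g2-aes128-sha"

## Phase 2: route-based VPN bound to tunnel.1, with VPN monitoring so the
## route is withdrawn if the peer stops answering
set vpn "vpn-site2" gateway "gw-site2" proposal "g2-esp-aes128-sha"
set vpn "vpn-site2" bind interface tunnel.1
set vpn "vpn-site2" monitor

## Send the remote LAN into the tunnel
set route 172.16.30.0/24 interface tunnel.1

## Address book entries, only needed if an explicit policy is written
set address trust "site1-lan" 172.16.20.0 255.255.255.0
set address trust "site2-lan" 172.16.30.0 255.255.255.0

## Intra-zone traffic is permitted without a policy unless the zone blocks it
## ("set zone trust block"). If it does, add explicit Trust-to-Trust policies:
set policy from trust to trust "site1-lan" "site2-lan" any permit log
set policy from trust to trust "site2-lan" "site1-lan" any permit log
```

Two caveats a practitioner should check: first, a PPPoE address can change, so if either side's public IP is not stable the static `address` form of `set ike gateway` will stop matching and the dynamic-peer form of that command is needed on the side with the fixed address; second, verify the result with `get sa` (Phase 2 SA active) and `get route` (172.16.30.0/24 via tunnel.1) rather than assuming the intra-zone permit is in effect, since `set zone trust block` silently turns it off.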
09-09-2009 05:00 PM
I understand what you are saying. Do we need to change ETH0/0 from NAT mode to Route mode?
Also, when you say Trust to Trust Policy that means tunnel.1 of FW1 to tunnel.1 of FW2.
Regards
RutledgeIT
09-09-2009 05:27 PM
"Sorry, I think you have misunderstood. I want to terminate the VPN on the Trust interfaces in each case "
Hi Atif,
The above comments were not for you. I know you have got my point and given me right suggestion.
Cheers !
09-09-2009 05:35 PM
No problem dude.
Atif
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
09-09-2009 07:20 PM