In policy-based VPNs, you can redirect traffic from one VPN tunnel to another VPN tunnel through a hub gateway.
Before you begin
You must have a policy-based VPN configured. If VPN client traffic is forwarded, you must configure virtual IP addressing for VPN clients.
Redirecting traffic between VPN tunnels is especially useful for VPN client users who need access to resources at different locations. When you redirect traffic between VPN tunnels, users do not
have to separately connect to different gateways.
For more details about the product and how to configure features, click Help or
press F1.
Steps
-
On the Site-to-Site VPN tab of the Policy-Based VPN editing view, place the forwarding hub gateway at the top level of the Central
Gateways list.
-
Place the gateways that are contacted through the hub under the hub gateway.
Note: Duplicate tunnels are not allowed. There must not be site-to-site connections between the hub and the other gateways in other active VPNs.
-
Add a Site element that contains the IP addresses behind the spoke gateways under the hub gateway.
-
Set the
Mode of the Site element to
Hub.
-
Disable the Site element in any other VPNs where it is used.
The protected IP addresses are behind the spoke gateways.
-
To forward VPN client traffic, add a Site element that contains the virtual IP address space used for the VPN clients under the hub gateway.
-
Add Access rules that forward the traffic between tunnels.
-
Refresh the policies of all firewalls involved in the VPN, starting from the firewall that acts as the hub gateway.
Optionally, all traffic (including Internet traffic) can be routed through the hub gateway.