VPN types by layer:
  L7 VPN: SSL
  L3 VPN: GRE, IPsec
  L2 VPN: L2TP
GRE encapsulation (outer to inner): Ethernet | IP (delivery header, protocol 47) | GRE header | passenger protocol (e.g. IPX or IP) payload
Static route to the peer-site subnet points at the tunnel interface: ip route-static <peer-site-subnet> <mask> <tunnel-interface>
Tunnel interface parameters: IP address, tunnel protocol (GRE), source IP (local public address), destination IP (peer public address)
Configuration order: interface IP / zone assignment -> tunnel interface -> static route -> security policy
Site firewall with public address 1.1.1.3, local LAN 10.1.1.0/24 (trust), peer public address 2.2.2.4, peer LAN 172.16.1.0/24 reached via Tunnel1 (placed in dmz); Huawei USG syntax:

interface Tunnel1
 ip address 192.168.3.3 24
 tunnel-protocol gre
 source 1.1.1.3
 destination 2.2.2.4
#
ip route-static 172.16.1.0 24 Tunnel1
#
firewall zone dmz
 add interface Tunnel1
#
security-policy
 rule name 1-2
  source-zone trust
  destination-zone dmz
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 172.16.1.0 mask 255.255.255.0
  service icmp
  action permit
 rule name 2-1.1
  source-zone untrust
  destination-zone local
  source-address 2.2.2.0 mask 255.255.255.0
  destination-address 1.1.1.0 mask 255.255.255.0
  service gre
  action permit
 rule name 2-1.2
  source-zone dmz
  destination-zone trust
  source-address 172.16.1.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  service icmp
  action permit

Rule 1-2 permits the inner (pre-encapsulation) traffic towards the peer LAN, rule 2-1.1 permits the peer's GRE packets to reach the firewall itself (local zone), and rule 2-1.2 permits the decapsulated traffic from the peer LAN into the local LAN. Only the three rules shown are on this page; check whether your device also needs a local -> untrust rule for the GRE packets it sends, depending on its default handling of device-originated traffic.
The security policy is applied in rounds: the inner packet is checked once before encapsulation (trust -> dmz above). Once encapsulated, the outer GRE packet carries the tunnel endpoints as addresses and no longer matches policies written for the inner subnets; at the receiving firewall it is matched as a GRE packet (untrust -> local), and after decapsulation the inner packet walks through the security policy another round (dmz -> trust).
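To make the two rounds of policy matching concrete, the following added example (not from the original notes, and not Huawei code) builds a minimal IPv4 packet, wraps it in a base RFC 2784 GRE header, and runs each stage through a toy policy lookup loaded with the three rules above. Zone assignment by address prefix, the constructed ICMP filler bytes, and the host addresses 10.1.1.10 and 172.16.1.10 are assumptions for illustration; a real USG derives zones from ingress and egress interfaces.

```python
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_GRE = 47          # GRE in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type field for an IPv4 passenger packet


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header without options; checksum left zero (not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    """Return src, dst, protocol and payload of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def gre_encap(inner, tunnel_src, tunnel_dst):
    """Outer IPv4 (proto 47) | GRE (flags 0, type 0x0800) | inner IPv4 packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decap(outer):
    """Strip the outer IPv4 and base GRE header; reject the optional C/R/K/S extensions."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", o["payload"][:4])
    if flags & 0xF000:
        raise ValueError("optional GRE fields not supported in this example")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol")
    return o["payload"][4:]


# Assumed zone membership mirroring the notes: LAN in trust, peer LAN behind Tunnel1 in dmz,
# peer WAN in untrust, the firewall's own address in local.
ZONES = {
    "trust": ["10.1.1.0/24"],
    "dmz": ["172.16.1.0/24"],
    "untrust": ["2.2.2.0/24"],
    "local": ["1.1.1.3/32"],
}

# The three rules from the notes: (name, src zone, dst zone, src net, dst net, IP protocol).
RULES = [
    ("1-2",   "trust",   "dmz",   "10.1.1.0/24",   "172.16.1.0/24", IPPROTO_ICMP),
    ("2-1.1", "untrust", "local", "2.2.2.0/24",    "1.1.1.0/24",    IPPROTO_GRE),
    ("2-1.2", "dmz",     "trust", "172.16.1.0/24", "10.1.1.0/24",   IPPROTO_ICMP),
]


def zone_of(addr):
    ip = ipaddress.IPv4Address(addr)
    for zone, nets in ZONES.items():
        if any(ip in ipaddress.IPv4Network(n) for n in nets):
            return zone
    return None


def policy_lookup(pkt):
    """Name of the first matching rule, or None for the implicit deny."""
    p = parse_ipv4(pkt)
    src, dst = ipaddress.IPv4Address(p["src"]), ipaddress.IPv4Address(p["dst"])
    for name, rs, rd, rsrc, rdst, proto in RULES:
        if (zone_of(p["src"]), zone_of(p["dst"]), p["proto"]) == (rs, rd, proto) \
                and src in ipaddress.IPv4Network(rsrc) and dst in ipaddress.IPv4Network(rdst):
            return name
    return None


def walk_packets():
    """Trace an ICMP echo to the peer LAN and its reply through the firewall at 1.1.1.3."""
    echo = ipv4_header("10.1.1.10", "172.16.1.10", IPPROTO_ICMP, 8) + bytes(8)    # constructed filler body
    reply = ipv4_header("172.16.1.10", "10.1.1.10", IPPROTO_ICMP, 8) + bytes(8)
    out_tunnel = gre_encap(echo, "1.1.1.3", "2.2.2.4")   # what leaves via Tunnel1 after the inner check
    in_tunnel = gre_encap(reply, "2.2.2.4", "1.1.1.3")   # what arrives from the peer
    return {
        "inner_before_encap": policy_lookup(echo),                   # trust -> dmz, icmp: rule 1-2
        "outer_leaving": policy_lookup(out_tunnel),                  # local -> untrust: none of the three rules
        "outer_arriving": policy_lookup(in_tunnel),                  # untrust -> local, gre: rule 2-1.1
        "inner_after_decap": policy_lookup(gre_decap(in_tunnel)),    # dmz -> trust, icmp: rule 2-1.2
    }


if __name__ == "__main__":
    for stage, rule in walk_packets().items():
        print(f"{stage:20s} -> {rule or 'no rule (deny)'}")
```

The outer packet in the outbound direction hits none of the three rules on the page because its addresses are the tunnel endpoints, which is exactly why the inner packet must be permitted before encapsulation and the GRE packet itself permitted on arrival.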
Analyze the session table to get the relevant zones, addresses and services before writing detailed security policies.
display firewall session table          # live sessions: zones, addresses, protocol, direction
display security-policy rule all        # all rules with hit counts, to confirm which rule a session matched
firewall packet-filter basic-protocol enable   # also subject basic-protocol traffic, which the device otherwise passes without a policy check, to the security policy