Channel: ScreenOS Firewalls (NOT SRX) topics

Routing change from tunnel to a direct link issue


Hi All,

 

Existing setting:

HQ and the remote office are using a site-to-site VPN to communicate. 96.0/20 traffic is routed via eth1/3.1 through the tunnel to the remote site office.

192.168.96.0/20  <NS eth1/3.1> <ISP>......Site-to-Site VPN.....<ISP><eth0/2 NS> 192.168.130.0/24

 

New Setting:

We have added a new link (Fiber) and want to reroute those VPN traffic to the new Fiber.

192.168.96.0/20   <NS eth1/3.1><ISP>.........................................<ISP><eth0/2 NS> 192.168.130.0/24

                                <NS eth1/5><ISP>....................Fiber................<ISP><eth0/1 NS> 192.168.130.0/24

 

Issue:

HQ has implemented PBR with a 192.168.0.0/16. I added a more specific route 192.168.130.0/24 before this. HQ traffic cannot ping the remote site after disabling the tunnel.

 

1. Confirmed the new link interface can be pinged on both NetScreens.

2. HQ PC (192.168.98.82) cannot ping the FW's new interface 192.168.230.1 or the remote site interface 192.168.230.2.

3. RS PC (192.168.130.121) can ping the new interface 192.168.230.2 and the remote site interface 192.168.230.1.

4. Tried to put the policy before pol-trust No 10 and found traffic was routed to the Internet (by traceroute).

5. Tried to put the policy after pol-trust No 10 and before 40; traffic only shows '*' (by traceroute).

6. Tried to add a static route 192.168.130.0/24 with next hop 192.168.230.2/29.

7. Confirmed VPN tunnel is down when we were doing the re-route.

 

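Added example (not part of the post or of ScreenOS itself): a small Python model of the ScreenOS lookup order, in which a PBR policy is evaluated before the destination route table, so a matching PBR entry is used even when the route table holds a more specific prefix. The addresses are the ones from the post; the tunnel interface name `tunnel.1` and the default-route next hop are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the ScreenOS forwarding lookup: PBR first, then
# longest-prefix match on the route table. "tunnel.1" is an assumed name for
# the existing VPN tunnel interface; 203.0.113.1 is a placeholder ISP gateway.
PBR_POLICIES = [  # (source net, destination net, egress interface)
    ("192.168.96.0/20", "192.168.0.0/16", "tunnel.1"),  # existing HQ PBR entry
]
ROUTE_TABLE = [  # (destination net, next hop, egress interface)
    ("192.168.130.0/24", "192.168.230.2", "eth1/5"),  # new fibre route (more specific)
    ("0.0.0.0/0", "203.0.113.1", "eth1/3.1"),         # default route to the Internet
]


def lookup_route(dst):
    """Longest-prefix match over ROUTE_TABLE; returns the egress interface or None."""
    best = None
    for net, _next_hop, ifc in ROUTE_TABLE:
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, ifc)
    return best[1] if best else None


def forward(src, dst, pbr_enabled=True):
    """Return the egress interface chosen for a src->dst packet.

    With PBR enabled, the first matching PBR policy decides the interface and the
    route table is never consulted, regardless of how specific its prefixes are.
    """
    if pbr_enabled:
        for s_net, d_net, ifc in PBR_POLICIES:
            if ip_address(src) in ip_network(s_net) and ip_address(dst) in ip_network(d_net):
                return ifc
    return lookup_route(dst)


if __name__ == "__main__":
    hq_pc, rs_pc = "192.168.98.82", "192.168.130.121"
    print("PBR on :", forward(hq_pc, rs_pc))                     # tunnel.1 (PBR wins)
    print("PBR off:", forward(hq_pc, rs_pc, pbr_enabled=False))  # eth1/5 (new fibre route)
```

The model shows why adding a more specific static route alone does not move HQ traffic onto the fibre link while the /16 PBR policy still matches it.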
