Settings for firewall FWB2

• Name: FWB2_FWA2_VTI in the example,
• IP address: 192.168.102.2 in the example,
• Mask: 255.255.255.252 in the example,

Even though the firewall performs routing in the filter policy (Policy Based Routing) in this configuration, a default route or an explicit static route to the remote network needsto be defined.

The first action that the firewall performs is indeed to check that it has a route to the remote site before looking up its filter policy. The absence of a route will result in packets being rejected.

Following the method described for firewall FWA1, create 2 routes that allow transporting return packets to the original firewall using the source MAC address.

Return route to firewall FWA2

• Gateway: create the network object corresponding to the virtual IPsec interface of firewall 2 on site A (FWB2_FWA2_VTI_GW with the IP address 192.168.102.1 in the example),
• Interface: select the local virtual interface defined for the IPsec tunnel between firewalls 2 on sites B and A (FWB2_FWA2_VTI in the example).

Enable the route by double-clicking in the Status column.

Return route to firewall FWB1

• Gateway: create the network object corresponding to firewall 1 on site B (FWB1 in the example),

NOTE
The MAC address of firewall FWB1 must be declared in this network object.

• Interface: select the interface on firewall FWB2 through which return packets will be transported to firewall FWB1 ("In" in the example).

Enable the route by double-clicking in the Status column.

• Action: Pass,

• Source hosts: LAN_Site_A in the example,

• Destination hosts: LAN_Site_B in the example,

• Destination Port: Any in the example,

• Peer: create an object corresponding to the public IP address of firewall FWA2,
• Local network: select the object corresponding to the local virtual IPsec interface (Firewall_FWB2_FWA2_VTI in the example),
• Remote network: select the object corresponding to the remote virtual IPsec interface (FWB2_FWA2_VTI_GW in the example).