Transiting two different firewall zones over vti


Experts, I have a situation I could use some help on. I posted a couple of days ago (now deleted) about tunneling public IP addresses to machines on the other side of an IPSEC VPN. I was initially playing games with firewall rules and NAT, but had come to realize since I was already using OSPF, it was probably easier to break down a subnet and route it.

So I have that set up, but now a problem. I use firewall zones and have public, dmz, private and router zones created. The vti for the IPSEC VPN has previously been added to the private zone, but as such, it cannot route traffic for the DMZ or vice versa. I had wanted to put a vif on the vti to VLAN the traffic, but that wasn’t an option either.

What other options do I have? I would like to avoid setting up another IPSEC tunnel for administration reasons, but if that’s the only way to do it, I guess I need to know that. Also, if the beta has features that might solve my issue more easily, I would love to know about them. I don’t know that I can move to it due to production status of these routers, but it would be good to know.

Thanks kindly for any insights!



Can a single IPSEC VPN have multiple VTI tunnels in it? If it can’t, you can fall back to 2 GRE tunnels, both encrypted alongside each other in a single IPSEC tunnel.