Untrust VPN to Untrust VPN using Policies

[SH3]

I am trying to create a hub and spoke VPN. I realize route based VPN's would be easier; however, the vendor for spoke A will not return my messages. Therefore, I need to move ahead with a Policy based hub and spoke. I only need 2 spokes (B and C) to go out spoke A. This thread will just talk about spoke A and B. Vendor for spoke A also setup the VPN on the 5XT hub.

I have not found any documents on setting up the policy based hub and spoke. I have created a single policy to go from untrust to untrust but it does not appear to work. No log entries are generated. Intra-zone block is off for the untrust zone. Using a 5XT on the Hub and spoke B. Spoke A is an unknown.

I almost think I need a separate VPN for traffic that will go from Spoke B to Spoke A. That way I can identify which traffic needs to travel from Spoke B to Spoke A.

Am I correct? Can anyone discuss this or help me?

Thank you,
Steven

 

[penauroth]

http://www.netscreenforum.com

Try posting a thread here. These guys may be able to help.

Paul

 

[SH3]

Hi Paul,
The vendor for spoke A called Tuesday to let me know they are no longer using VPN's in mid September. The entire program is moving to the Web. We will now wait until September and forget about the hub and spoke VPN. No doubt I will learn hub and spoke sooner than later.
Thank you,
Steve

 

[nossah]

Just FYI, Hub and Spoke can only be done using Route Based VPNs. They have some new documentation on setting up route based tunnels.

http://ns25-50-support.netscreen.com/netscreenknowbase/root/public/child/ns10113.htm?