mibekwe, Staff
Article Id 190527
Description
This article explains how to route specific local subnets to the Internet through a remote VPN gateway.

The following network topology will be used in this example.

Network topology

--- local subnet 10.31.0.0/255.255.252.0 --- wan2(80C device) --- VPN tunnel --- (VM machine) port1 --- Internet

Definitions
Local gateway for 80C: wan1 (not shown)
VPN tunnel name on 80C: 80C
Local interface for 80C: wan2
Remote gateway for VM: port1
Local interface for VM: port2 (not shown)
VPN tunnel name on VM: VM

The goal is to route local subnet 10.31.0.0/255.255.252.0 to the Internet via a remote VPN gateway (VM machine's port1).

Solution
(1) On the local VPN Peer (80C device)
  • Create a second default static route pointing to the VPN interface. Give both default routes the same distance, with a lower priority value on the local default gateway (ISP) and a higher priority value on the IPsec default route (for example, distance = 10 on both default routes, priority = 0 on the local default gateway and priority = 5 on the IPsec default route). FortiOS prefers the route with the lower priority value, so the unit's own traffic (including the tunnel itself) keeps using the ISP gateway, while the IPsec default route gives the policy route in the next step a valid route to the destination through the tunnel interface.

  • Create a policy route that forwards traffic from the local interface subnet 10.31.0.0/255.255.252.0 to the VPN interface. Set gateway: 0.0.0.0 and destination address: 0.0.0.0/0.0.0.0.

  • Create a normal firewall policy that allows connections from the VPN local subnet to the VPN interface, with destination address: all.

(2) On the remote VPN peer (VM machine)
  • Create a normal policy to allow connection from the VPN interface to the Internet-facing interface (VM machine, port1).  Source address: all, destination address: all, NAT enabled.
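The two steps above rely on an ordering rule that is easy to get wrong: the policy route is evaluated first, but FortiOS only honours it when the routing table already holds a route to the destination through the policy route's output device, which is what the IPsec default route in step (1) provides. The following Python model is an added example, not Fortinet code or output from this article; it is a deliberately simplified model of FortiOS forwarding (policy routes first, then longest prefix, lowest distance, lowest priority; firewall policies are not modelled) loaded with the 80C's routes and policy route as given in the article, and shows what happens to the local subnet's traffic with and without the IPsec default route.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified model of FortiOS forwarding for the topology in this article
# (constructed for illustration, not FortiOS code). Rules modelled:
#   1. Policy routes are consulted first, in order, for traffic entering on the
#      configured input device. A matching policy route is only used if the
#      routing table also holds a route to the destination via its output device.
#   2. Otherwise the routing table decides: longest prefix, then lowest distance,
#      then lowest priority value (lower is preferred).

@dataclass
class StaticRoute:
    dst: ipaddress.IPv4Network
    device: str
    gateway: Optional[str] = None
    distance: int = 10
    priority: int = 0

@dataclass
class PolicyRoute:
    input_device: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    output_device: str

def best_static_route(routes, dst_ip, device=None):
    """Return the preferred static route for dst_ip, optionally restricted to one device."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in r.dst and (device is None or r.device == device)]
    if not candidates:
        return None
    # longest prefix wins, then lowest distance, then lowest priority value
    return min(candidates, key=lambda r: (-r.dst.prefixlen, r.distance, r.priority))

def egress_device(static_routes, policy_routes, src_ip, dst_ip, input_device=None):
    """Return (egress device, reason) for a packet, or (None, 'no route')."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if input_device is not None:  # locally originated traffic skips policy routing
        for pr in policy_routes:
            if pr.input_device != input_device or src not in pr.src or dst not in pr.dst:
                continue
            # The policy route only takes effect if the routing table can reach the
            # destination through its output device; otherwise it is skipped.
            if best_static_route(static_routes, dst_ip, device=pr.output_device) is not None:
                return pr.output_device, "policy route"
    route = best_static_route(static_routes, dst_ip)
    if route is None:
        return None, "no route"
    return route.device, "routing table"

# The 80C's configuration as given in the article: ISP default route via wan1,
# IPsec default route via the tunnel interface "80C", and the policy route.
ANY = ipaddress.ip_network("0.0.0.0/0")
STATIC_80C = [
    StaticRoute(ANY, "wan1", gateway="10.108.19.254", distance=10, priority=0),
    StaticRoute(ANY, "80C", distance=10, priority=5),
]
POLICY_80C = [
    PolicyRoute("wan2", ipaddress.ip_network("10.31.0.0/22"), ANY, "80C"),
]

def route_user_traffic(static=STATIC_80C, policy=POLICY_80C):
    """A LAN host behind wan2 going to the Internet is steered into the tunnel."""
    return egress_device(static, policy, "10.31.1.44", "4.2.2.2", input_device="wan2")

def route_tunnel_endpoint(static=STATIC_80C, policy=POLICY_80C):
    """The 80C's own IKE/ESP packets to the remote peer: locally originated,
    so only the routing table applies and the ISP default route (priority 0) wins."""
    return egress_device(static, policy, "10.108.17.45", "10.108.16.148")

def route_without_ipsec_default(policy=POLICY_80C):
    """Step (1) omitted: the policy route cannot be honoured, so the packet falls
    back to the routing table and heads for wan1, where the article's wan2-to-80C
    firewall policy would not match it."""
    only_isp = [r for r in STATIC_80C if r.device == "wan1"]
    return egress_device(only_isp, policy, "10.31.1.44", "4.2.2.2", input_device="wan2")

if __name__ == "__main__":
    print(route_user_traffic())           # ('80C', 'policy route')
    print(route_tunnel_endpoint())        # ('wan1', 'routing table')
    print(route_without_ipsec_default())  # ('wan1', 'routing table')
```

The third function is the check worth keeping in mind when troubleshooting: if the debug flow never shows "Match policy routing" for the local subnet, confirm that a route to the destination exists via the tunnel interface before suspecting the policy route itself.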

(3) Details
The 80C device does not provide direct Internet access: users on its local subnet (10.31.0.0/255.255.252.0) must reach the Internet through the VPN tunnel, via the VM device.

On the 80C:

(a) Static route:
config router static
edit 1
set gateway 10.108.19.254
set device "wan1"
next
edit 3
set priority 5
set device "80C"
next
end

(b) Policy route:
config router policy
edit 1
set input-device "wan2"
set src "10.31.0.0/255.255.252.0"
set dst "0.0.0.0/0.0.0.0"
set output-device "80C"
next
end

(c) Firewall policy to allow connection from local subnet on the 80C to destination address 'all' to the Internet, via the VPN interface 80C:
config firewall policy
edit 4
set srcintf "wan2"
set dstintf "80C"
set srcaddr "80C_local"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: 80C (Created by VPN wizard)"
next
end

(4) VM machine has access to the Internet
On the VM machine:

(a) Firewall policy to allow connection on the VM device; from the VPN interface VM, to the Internet:
config firewall policy
edit 4
set uuid ef65eccc-08b9-51e7-5630-60793823c5e0
set srcintf "VM"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end


(5) Verification
Debug flow for 10.31.1.44 (taken on the 80C device) for traffic going out to the Internet via the IPsec tunnel:

2017-03-14 14:41:47 id=20085 trace_id=3 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 10.31.1.44:1->4.2.2.2:8) from wan2. code=8, type=0, id=1, seq=8."
2017-03-14 14:41:47 id=20085 trace_id=3 func=init_ip_session_common line=4569 msg="allocate a new session-00dce6be"
2017-03-14 14:41:47 id=20085 trace_id=3 func=vf_ip4_route_input line=1586 msg="Match policy routing: to 4.2.2.2 via ifindex-16"
2017-03-14 14:41:47 id=20085 trace_id=3 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-4.2.2.2 via 80C"
2017-03-14 14:41:47 id=20085 trace_id=3 func=fw_forward_handler line=671 msg="Allowed by Policy-4:"
2017-03-14 14:41:47 id=20085 trace_id=3 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-80C"
2017-03-14 14:41:47 id=20085 trace_id=3 func=esp_output4 line=897 msg="encrypting, and send to 10.108.16.148 with source 10.108.17.45"
2017-03-14 14:41:47 id=20085 trace_id=3 func=ipsec_output_finish line=232 msg="send to 10.108.16.148 via intf-wan1"
2017-03-14 14:41:47 id=20085 trace_id=4 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 4.2.2.2:1->10.31.1.44:0) from 80C. code=0, type=0, id=1, seq=8."
2017-03-14 14:41:47 id=20085 trace_id=4 func=resolve_ip_tuple_fast line=4479 msg="Find an existing session, id-00dce6be, reply direction"
2017-03-14 14:41:47 id=20085 trace_id=4 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.31.1.44 via wan2"
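Reading a debug flow by eye works for one ping, but the same checks are worth automating when verifying several subnets or re-checking after a change. The Python below is an added example, not Fortinet code or part of this article: it parses the debug flow lines shown above (embedded as the sample input) into per-trace events and checks that the forward trace matched a policy route, found a route via the tunnel interface, was allowed by the expected firewall policy, entered the IPsec interface and was encrypted to the remote peer, and that the reply trace was matched to the same session. The line format is the one visible above; other debug flow message formats are not handled.

```python
import re
from collections import defaultdict

# Sample input: the debug flow lines from this article, as captured on the 80C.
DEBUG_FLOW = """\
2017-03-14 14:41:47 id=20085 trace_id=3 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 10.31.1.44:1->4.2.2.2:8) from wan2. code=8, type=0, id=1, seq=8."
2017-03-14 14:41:47 id=20085 trace_id=3 func=init_ip_session_common line=4569 msg="allocate a new session-00dce6be"
2017-03-14 14:41:47 id=20085 trace_id=3 func=vf_ip4_route_input line=1586 msg="Match policy routing: to 4.2.2.2 via ifindex-16"
2017-03-14 14:41:47 id=20085 trace_id=3 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-4.2.2.2 via 80C"
2017-03-14 14:41:47 id=20085 trace_id=3 func=fw_forward_handler line=671 msg="Allowed by Policy-4:"
2017-03-14 14:41:47 id=20085 trace_id=3 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-80C"
2017-03-14 14:41:47 id=20085 trace_id=3 func=esp_output4 line=897 msg="encrypting, and send to 10.108.16.148 with source 10.108.17.45"
2017-03-14 14:41:47 id=20085 trace_id=3 func=ipsec_output_finish line=232 msg="send to 10.108.16.148 via intf-wan1"
2017-03-14 14:41:47 id=20085 trace_id=4 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 4.2.2.2:1->10.31.1.44:0) from 80C. code=0, type=0, id=1, seq=8."
2017-03-14 14:41:47 id=20085 trace_id=4 func=resolve_ip_tuple_fast line=4479 msg="Find an existing session, id-00dce6be, reply direction"
2017-03-14 14:41:47 id=20085 trace_id=4 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.31.1.44 via wan2"
"""

# One debug flow line: timestamp, id, trace_id, func, line, quoted msg.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) id=(?P<id>\d+) trace_id=(?P<trace>\d+) '
    r'func=(?P<func>\w+) line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)

def parse_debug_flow(text):
    """Group debug flow output into {trace_id: [(func, msg), ...]}."""
    traces = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts, blank lines, anything not in debug flow format
        traces[int(m["trace"])].append((m["func"], m["msg"]))
    return dict(traces)

def check_tunnel_egress(text, lan_if, tunnel_if, policy_id):
    """Verify that traffic entering on lan_if left through tunnel_if under policy_id.

    Returns the forward trace id, one boolean per expected step, the ESP peer
    address, and whether a reply trace was matched to the same session."""
    traces = parse_debug_flow(text)
    result = {"forward_trace": None, "policy_route": False, "route_via_tunnel": False,
              "allowed_by_policy": False, "entered_ipsec": False, "esp_peer": None,
              "reply_matched": False}
    session_id = None
    for trace_id, events in sorted(traces.items()):
        first_msg = events[0][1] if events else ""
        if f"from {lan_if}." in first_msg:  # forward direction: packet arrived on the LAN side
            result["forward_trace"] = trace_id
            for func, msg in events:
                if func == "init_ip_session_common":
                    session_id = msg.rsplit("-", 1)[-1]
                elif func == "vf_ip4_route_input" and msg.startswith("Match policy routing"):
                    result["policy_route"] = True
                elif func == "vf_ip4_route_input" and msg.endswith(f"via {tunnel_if}"):
                    result["route_via_tunnel"] = True
                elif func == "fw_forward_handler":
                    result["allowed_by_policy"] = msg.startswith(f"Allowed by Policy-{policy_id}:")
                elif func == "ipsecdev_hard_start_xmit":
                    result["entered_ipsec"] = msg == f"enter IPsec interface-{tunnel_if}"
                elif func == "esp_output4":
                    peer = re.search(r"send to (\S+) with source", msg)
                    result["esp_peer"] = peer.group(1) if peer else None
        elif f"from {tunnel_if}." in first_msg and session_id:  # reply arriving from the tunnel
            result["reply_matched"] = any(
                func == "resolve_ip_tuple_fast" and f"id-{session_id}" in msg and "reply direction" in msg
                for func, msg in events)
    return result

def path_ok(result):
    """True when every forward step passed and the reply hit the same session."""
    return all(result[k] for k in ("policy_route", "route_via_tunnel", "allowed_by_policy",
                                   "entered_ipsec", "reply_matched")) and result["esp_peer"] is not None

if __name__ == "__main__":
    r = check_tunnel_egress(DEBUG_FLOW, lan_if="wan2", tunnel_if="80C", policy_id=4)
    print(r, "PASS" if path_ok(r) else "FAIL")
```

A failing `policy_route` with a passing `route_via_tunnel` usually means the policy route's source or input device does not match the packet, while a passing `policy_route` and a route via the ISP interface instead of the tunnel points back to the missing IPsec default route from step (1).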
