VPN scenario with three firewalls

  • Hi all,

    One question about the following scenario:
    ssg1 ( -> internet -> ( ssg2 ( -> ( ssg3

    I want to configure a site-to-site VPN between ssg1 and ssg3 through ssg2.
    If I use the IP on ssg3 without ssg2, the VPN works.
    How do I have to configure ssg2 for throughput?
    I configured a MIP on ssg2 ( map to The policy allows IPsec. It seems that the tunnel (ssg1 - ssg3) bounces between up and down.
    What am I doing wrong?

    Kind regards & Thanks

  • This was my second thought. But with IKE and IPSec the tunnel is still bouncing. With any service in the policy the tunnel seems to be stable. Do I need any other protocol?

  • You need to allow IPsec and IKE in the policy, because the first part of creating a VPN is phase 1, which starts the IKE process; then phase 2 creates the IPsec tunnel.

    Also, what does the log show on the remote end?