Policy-based VPN… to MIP or not to MIP

We have some policy-based VPNs on our firewall that are confusing me as to how they are even working.

  • We have a server sitting off the trusted interface with a private address.
  • On the untrust interface, there is a MIP defined for this server.
  • However, many of our policy-based VPNs (which I didn’t create) were set up as “untrust” to “trust”, where the untrust IP is the customer’s IP address and the trust IP is the server’s internal IP.

Now here’s where it gets confusing… the IP address the customers have defined as our encryption domain (i.e. the address they are defining for our server in their firewalls) is the MIP on the untrust interface… and it’s WORKING! I also have several PB VPNs where the ‘trust’ object is the MIP, which I understand is really in the global zone, and those work too. Is the NetScreen just smart enough to extrapolate the MIP/private address relationship when it’s processing these packets?

This has me very confused. For a policy-based VPN, does the NetScreen decrypt the packet, inspect the dest. IP, do a MIP lookup, and THEN match it to the policy based on the true destination? How is IPsec SA creation being handled, given that the policy defines the encryption domain, and as the policy is written, it doesn’t match what the customer is using? I’ve read the PDFs on ‘order of operation’ for packet processing, but they don’t clearly address this scenario.

Anyone know how this works?