> OK. Now I get it. First, you will never need to put static routes in the
> PCs. Just good routes in the firewalls. Second, you can not add static
> routes to a VPN link. So that means that each firewall needs a VPN or
> direct route to each other firewall. If you add VPN links from FW2 and
> FW3 to FW1B over the cable modem, you should be set. You will not need
> to add static routes to FW1A or FW1B as they share a subnet, and will
> have the routes generated by the VPN internally.
> Does this help?
Nice and simple but unless I'm missing something I don't think it would
work. The remote firewalls FW2 and FW3 would have no idea of which VPN
tunnel to use (FW1A or FW1B) since they both share the same subnet
(10.100.1.0/24). Obviously I can split the site into subnets (10.100.1.0/25 and
10.100.1.128/25) or something like that, but at that point I'd rather deal
with static routes on the client PCs. Am I missing something here, or is
there some way to make the above work?