I have a router serving as a PPTP server, assigning remote users an IP in the local LAN range. From the LAN zone (zone_A), I can access another zone directly attached to the router (zone_B). The PPTP server runs on the external WAN interface (zone_C). I have a zone pair allowing all traffic from zone_A to zone_B, and it works fine for the local clients that are really on the LAN. However, for the clients in PPTP, I have to add another zone pair B to C allowing GRE traffic ... which doesn't make sense (the PPTP client should be considered part of zone A! The GRE encapsulation is from self to C and shouldn't matter).
I'm trying to ping a host in zone B (10.2.0.2 = R3) from the PPTP client (R2) which has its Virtual Access in zone A.
(I'm typing 'ping 10.2.0.2' on a shell on R2)
When I do a "show policy-firewall sessions", I can see that the session is created under the right zone-pair (A_to_B).
And the forward packet (echo request from A to B) passes without problem. But the return packet (icmp reply from B to A), is actually somehow put into the B to C zone-pair as a GRE packet, which doesn't make sense to me since:
1) 'C' is the zone of neither the source nor the destination of that packet
2) The 'GRE' packet encapsulating the response is generated in the router itself and not coming from B and so should be classed as a "self to C" zone-pair packet.
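For readers unfamiliar with the zone layout described above, here is an added Cisco IOS zone-based firewall configuration sketch that reproduces the setup in the question; it is an illustration written for this thread, not the poster's actual configuration. Zone names, interface names, the Virtual-Template number, the 10.2.0.0/24 prefix for zone B and the ACL/class-map names are all assumed. It shows the A_to_B pair with stateful inspection (which is what produces the session seen in "show policy-firewall sessions"), the Virtual-Template placed in zone A so that every cloned Virtual-Access interface is treated as a LAN host, and the B-to-C workaround the poster had to add, narrowed to GRE only rather than passing everything.

```cisco
! Added illustration, not the original poster's configuration.
! Zone, interface, ACL and class-map names are assumed.
zone security ZONE_A
 description LAN, also hosts the PPTP Virtual-Access interfaces
zone security ZONE_B
 description directly attached network (10.2.0.0/24 assumed)
zone security ZONE_C
 description WAN, where the PPTP server (TCP/1723 + GRE) terminates

! Traffic the LAN (and PPTP clients) may initiate towards zone B.
! 'inspect' creates the stateful session that lets the reply come back.
class-map type inspect match-any CM_A_TO_B
 match protocol icmp
 match protocol tcp
 match protocol udp
policy-map type inspect PM_A_TO_B
 class type inspect CM_A_TO_B
  inspect
 class class-default
  drop
zone-pair security A_to_B source ZONE_A destination ZONE_B
 service-policy type inspect PM_A_TO_B

! Interface membership. The Virtual-Template is placed in ZONE_A so every
! Virtual-Access interface cloned from it inherits that zone.
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 zone-member security ZONE_A
interface GigabitEthernet0/0
 zone-member security ZONE_A
interface GigabitEthernet0/1
 zone-member security ZONE_B
interface GigabitEthernet0/2
 zone-member security ZONE_C

! The workaround described in the post: a B-to-C pair that passes GRE only.
! Matching an explicit GRE ACL instead of passing all protocols keeps the
! additional exposure limited to the encapsulation traffic in question.
ip access-list extended ACL_GRE_ONLY
 permit gre any any
class-map type inspect match-all CM_GRE
 match access-group name ACL_GRE_ONLY
policy-map type inspect PM_B_TO_C
 class type inspect CM_GRE
  pass
 class class-default
  drop
zone-pair security B_to_C source ZONE_B destination ZONE_C
 service-policy type inspect PM_B_TO_C
```

With this in place, "show zone-pair security" lists the pairs and their attached policies, and "show policy-firewall sessions" (as in the post) shows which pair each flow was classified under, which is the quickest way to confirm whether a given packet is being evaluated as A_to_B, B_to_C or self-to-C traffic.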