How I can ssh to branch router (i.e. BR200) or CVG (Central VPN gateway) ? So far I can only use console. I've seen ssh client in utilities, pretty slow (works only on CVG for me) and I would rather use external ssh client
You should be able to SSH onto a branch router over the VPN (i.e. to its assigned management interface), but you won't be able to SSH to its WAN (public) interface because by default interfaces in "wan" mode have a hardening policy applied to them which denies management services (SSH, TELNET, HTTPS etc.), even when they are enabled in the network policy.
On a layer-3 VPN Gateway, you will not be able to SSH directly to the eth0/eth1 interfaces because they are also in WAN mode.
There is an option to enable management access to WAN interfaces on a VPN gateway device. Select the device under the Monitor -> Devices -> VPN Gateways or Routers and choose Diagnostics -> Device WAN Access. This change applies to both Ethernet interfaces.
I wouldn't recommend enabling this unless the device is protected by another firewall.
I enabled on CVG , looks good ! Is there a way to enable only on internal eth1 ? Regarding branch router , how do I troubleshoot it when tunnel is down ? I can't connect ...Wait in fact I can see the same option Device WAN Access on branch router, what does it mean 'All firewall policy rules will be disabled' ? I guess it means only DEVICE WAN access related rules , right ?