Re: I need branch network subnet to access the internet through HQ firewall
without going into greater detail here, this is a matter of routing and policies.
The hosts on BR port4 need to have their default route point to the tunnel. Easy to do if you employ DHCP. Even easier if you allow ALL internet traffic to go to HQ, that is, including from the subnet on port3. If needed, you can assign (random) IP addresses to both ends of the tunnel (in the phase1 setup) which you can use as the routing gateway then.
Then, in the VPN tunnel parameters, phase2, use wildcards for the networks (= '0.0.0.0/0'), instead of the known subnet addresses.
In BR, you will already have a policy from LAN/port4 to the tunnel, I guess.
In HQ, create an additional policy from tunnel to internet, enable NAT.
In HQ, you will already have a route to the BR network on port4, pointing to the tunnel, and a policy allowing LAN to tunnel, I guess.
Ede " Kernel panic: Aiee, killing interrupt handler!"