Netgate Discussion Forum
    Multiple tunnel error. The remote gateway "x.x.x.x" is already used by phase1

    Category: IPsec
    3 Posts 2 Posters 2.7k Views
    klajosh2:

      Hello,

      I would like to set up a redundant vpn connection between two sites.
      SiteA has 1 internet connection, SiteB has 2 internet connections.
      I want to set up 2 separate vpn tunnels between SiteA and SiteB.

      Small diagram of the network:

      |SiteA| ----- |Internet| ----- |SiteB|
                            \        /
                              \-----/

      The problem is when I am configuring ipsec on SiteB I got this error:

      The following input errors were detected:
          The remote gateway "x.x.x.x" is already used by phase1 "VPN S2S TRANSPORT2"."

      How can I solve this problem? I have to use this ip address as remote gateway since I do not have
      more than one public ip address.

      (additional info: I would like to use OSPF for load balancing, so moreover I would like to use GRE inside the ipsec tunnel,
      and that is why I need to set up the ipsec vpn in transport mode)
      Thanks for your help,

      klajosh
      ps.: if I was not clear please ask.

      jimp (Rebel Alliance Developer, Netgate):

        You can't do it that way unless you have a second IP address on the other side.

        It needs to add a static route to the other peer to make sure the right WAN gets used, and it can't add a static route for the same IP on both WANs. It just doesn't work that way.

        Some code was committed to 2.1 in the last week to do dynamic IPsec failover; it might be worth trying out.

        OpenVPN would have the same limit (re: static routes), at least in UDP mode, but that can be worked around in various ways with OpenVPN that would never work with IPsec.

          klajosh2:

          Hi,
          Thanks for your reply. I have the same opinion. But I might have a workaround with openvpn:
          using site-to-site openvpn connections but with different udp port numbers.
          Because the topology above is just part of the network the real network looks like this:

          |SiteB|   
                        A  B     
                        A  B     
                        A  B     
                        A  B     
          |SiteA|-----|INTERNET|
                        C  D     
                        C  D     
                        C  D     
                        C  D     
                      |SiteC|

          (A,B,C,D,- are internet links)

          SiteA has 1 internet link; SiteB and SiteC have 2 internet links. I want to use all the links to have redundancy between the two satellite sites (SiteA, SiteB)
          and the central site, SiteC. What I have done so far: I created a site-to-site openvpn tunnel between SiteB using the A link and SiteC's C link, and between SiteB's A
          link and SiteC's D link. So far this works fine. SiteC is the openvpn server; SiteB and SiteC will be the openvpn clients. For failover I am using quagga's ospf.
          So do you think this could work?

          Thanks,

          klajosh

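As an added sketch of the workaround described in the post above (two OpenVPN site-to-site tunnels terminating on the same SiteB address but on different UDP ports, with OSPF picking the active one), here is what the pieces could look like. This is example configuration written for this page, not anything from the thread or from pfSense's own generated files; every public IP, tunnel subnet, key path, interface name, router-id and OSPF cost below is an assumption chosen for illustration.

```conf
# Each "---" section is a separate OpenVPN instance (its own config file /
# its own server or client entry in pfSense). Addresses, ports, paths and
# interface names are assumed for illustration, not taken from the thread.

# --- SiteC (central site, OpenVPN server) instance 1, bound to link C ---
local 198.51.100.10                   # assumed public IP of SiteC link C
port 1194                             # tunnel 1 listens on 1194/udp
proto udp
dev tun
mode p2p                              # static-key point-to-point tunnel
secret /var/etc/openvpn/tunnel1.key   # assumed path to pre-shared static key 1
ifconfig 10.255.1.1 10.255.1.2        # assumed tunnel 1 endpoints (SiteC, SiteB)
keepalive 10 60                       # ping every 10 s, restart after 60 s silence
persist-key
persist-tun

# --- SiteC instance 2, bound to link D, on a different UDP port ---
local 203.0.113.10                    # assumed public IP of SiteC link D
port 1195                             # tunnel 2 listens on 1195/udp
proto udp
dev tun
mode p2p
secret /var/etc/openvpn/tunnel2.key   # a different static key per tunnel
ifconfig 10.255.2.1 10.255.2.2        # assumed tunnel 2 endpoints (SiteC, SiteB)
keepalive 10 60
persist-key
persist-tun

# --- SiteB (OpenVPN client) instance 1: link A -> SiteC link C ---
remote 198.51.100.10 1194             # same peer address family as tunnel 2, distinct port
proto udp
dev tun
mode p2p
secret /var/etc/openvpn/tunnel1.key
ifconfig 10.255.1.2 10.255.1.1        # mirror of the server side
keepalive 10 60
persist-key
persist-tun

# --- SiteB instance 2: link A -> SiteC link D ---
remote 203.0.113.10 1195
proto udp
dev tun
mode p2p
secret /var/etc/openvpn/tunnel2.key
ifconfig 10.255.2.2 10.255.2.1
keepalive 10 60
persist-key
persist-tun

# --- quagga ospfd.conf on SiteC (SiteB uses the same pattern with its own
#     router-id, LAN network and the mirrored tunnel interfaces) ---
interface ovpns1                      # assumed pfSense name of server instance 1
 ip ospf network point-to-point
 ip ospf cost 10                      # preferred path: tunnel over link C
interface ovpns2                      # assumed pfSense name of server instance 2
 ip ospf network point-to-point
 ip ospf cost 20                      # backup path: tunnel over link D
router ospf
 ospf router-id 10.255.0.3            # assumed
 network 10.255.1.0/30 area 0         # tunnel 1 endpoints
 network 10.255.2.0/30 area 0         # tunnel 2 endpoints
 network 192.168.30.0/24 area 0       # assumed SiteC LAN
```

The point of the two ports is that each tunnel is a distinct UDP socket pair, so the SiteB side can reach both SiteC addresses from its single link A without two conflicting routes to one peer, which is exactly what the IPsec phase1 check rejects. Binding each SiteC server with `local` keeps its replies on the right WAN. OSPF then advertises the SiteC LAN over both tunnels with different costs; when the preferred tunnel dies, `keepalive` restarts it and the OSPF adjacency over it drops, so traffic moves to the backup after the dead interval. The tun interfaces have to be assigned in pfSense for quagga to see them, and keeping a separate static key per tunnel limits the blast radius if one key is ever exposed.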