Multiple tunnel error. The remote gateway "x.x.x.x" is already used by phase1
I would like to setup a redundant vpn connection between two sites.
SiteA has 1 internet connection, SiteB has 2 internet connections.
I want to setup 2 separate vpn tunnel between SiteA and SiteB.
Small diagram of the network:
|SiteA| –--- |Internet| ----- |SiteB|
The problem is when I am configuring ipsec on SiteB I got this error:
The following input errors were detected:
The remote gateway "x.x.x.x" is already used by phase1 "VPN S2S TRANSPORT2"."
How can I solve this problem? I have to use this ip address as remote gateway since I do not have
more than one public ip address.
(additional info: I would like to use OSPF for load balance so moreover I would like to use GRE in ipsec tunnel
and that is why I need to setup ipsec vpn in transport mode)
Thanks for you help,
ps.: if I was not clear please ask.
You can't do it that way unless you have a second IP address on the other side.
It needs to add a static route to the other peer to make sure the right WAN gets used, and it can't add a static route for the same IP on both WANs. It just doesn't work that way.
Some code was committed to 2.1 in the last week to do dynamic IPsec failover, it might be worth trying out.
OpenVPN would have the same limit (re: static routes), at least in UDP mode, but that can be worked around in various ways with OpenVPN that would never work with IPsec.
Thanks for you reply. I have the same opinion. But I might have a workaround with openvpn.
using site-to-site openvpn connection but with different udp port numbers.
Because the topology above is just part of the network the real network looks like this:
(A,B,C,D,- are internet links)
SiteA has 1 internet link, SiteB,SiteC have 2 internet links. I want to use all the links to have redundancy between the two satellite sites (SiteA,SiteB)
and the central site: SiteC. What I have done so far: I created site-to-site openvpn tunnel between SiteB using A link and SiteC C link and between SiteB A
link and SiteC D link. So far this works fine. SiteC is the openvpn server SiteB,SiteC will be the openvpn clients. For failover I am using quagga's ospf.
So do you think this could work?