topic Re: Two VPN Tunnels in Firewall and Security Management

Two VPN Tunnels

madu1 — Sat, 10 May 2025 11:14:22 GMT

I'm looking for some pointers please. I've read through various posts on here about two VPN tunnels but I haven't found anything yet that addresses my scenario.

GW-A on Site 1.

GW-B on site 2.

Managed by the same SmartCenter. Gateways are 3600's. Everything is R81.20 T99

GW-A on site 1 is connected to an ADSL line with a static IP.

GW-B on site 2 is a cluster. Using business Starlink (with a single static IP). This plugs into a Cisco C1111 which picks up the Starlink public IP. The LAN side of the C1111 is RFC1918 via a switch in order to connect both cluster members. The C1111 port forwards everything to the cluster's RFC1918 IP. Default Gateway on the cluster is the LAN side of the C1111. Internet works a treat.

I created a VPN between the sites using VTI. In order to do this I had to set the IPsec "link selection" to use the statically natted IP - the Starlink public IP. That VPN works a treat.

Now we've just got a point-to-point circuit installed - layer 2. So GW-A and GW-B are now joined on different interfaces. GW-A is .1, GW-B is .254 on the same subnet. This works a treat.

I need to VPN between the gateways over the P2P circuit as the primary VPN, and have the Starlink route as a secondary/backup VPN. I'm struggling.

Each VPN on its own works fine, but I can't figure out how to get both up at the same time.

I see a couple of problems I'm struggling to overcome (there may be more?!). In no particular order:

1) I can't create a second VTI in Gaia because the "peer name" is already in use on the first VTI.

2) In order to get the P2P VPN up I need to remove the Starlink IP from Link Selection.

3) If I create interoperable devices for the P2P interfaces and use those names for the VTI, and put them in a community, the logs then fill up with "VTI 'vpnt12' failed to attach: Peer object name not found".

Diagram below to illustrate. The P2P circuit has Telco kit at each end but it's layer 2 so I didn't show the Telco kit on the diagram.

Does anyone know if there's a way to achieve this? Or do I have to forget the idea of a backup VPN via Starlink?

Re: Two VPN Tunnels

the_rock — Sat, 10 May 2025 11:32:14 GMT

Reading all you had said (great explanation btw), logically, at least in my opinion, the only way to have another VTI work in this case would be to have separate interoperable object, as it will never let you use the same one already referenced in another interface.

Andy

Re: Two VPN Tunnels

madu1 — Sat, 10 May 2025 16:27:37 GMT

Hi Andy,

Yeah I tried separate interoperable devices but that didn't play nicely... The logs have lot and lots of this (interestingly for both VTI's - 2 and 12, which puzzles me):

I reckon it'd be doable in a different way if both peer IPs were interfaces on GW-B instead of it being behind a NAT device 🙄

Re: Two VPN Tunnels

the_rock — Sat, 10 May 2025 16:33:47 GMT

Yea...what I attached and pointed to, it HAS TO match with exact name of interoperable object, even upper case matters.

Andy

Re: Two VPN Tunnels

CheckPointerXL — Sun, 11 May 2025 12:39:47 GMT

If you want both tunnels up I think R82 is the only solution... i think...

Re: Two VPN Tunnels

the_rock — Sun, 11 May 2025 13:50:32 GMT

Personally, I could not find workaround for this in my R82 lab, but maybe someone can prove me wrong.

Andy

Re: Two VPN Tunnels

PhoneBoy — Mon, 12 May 2025 19:44:22 GMT

You can't define two tunnels to the same destination.
Link Selection should allow for "failing over" between the connection methods, possibly using (Dynamic) routing.
R82 has both enhanced Link Selection and link monitoring and might be required to make this work.