terraform-provider-fortios
Problem: Creating Redundant VPN Tunnel with the same Remote Gateway IP
Trying to create an additional (redundant) tunnel via Terraform but the CLI errors saying it's a duplicate:
Error: Error creating VpnIpsecPhase1 resource: Internal Server Error - Internal error when processing the request (500)
│ Cli response:
│ The remote gateway is a duplicate of another IPsec gateway entry (AZ-ISP1-VPN)
│ object check operator error, -34, discard the setting
│ Command fail. Return code -34
│
│
│ with fortios_vpnipsec_phase1.AZ-ISP2-VPN,
│ on ctx-fortigate.tf line 143, in resource "fortios_vpnipsec_phase1" "AZ-ISP2-VPN":
│ 143: resource "fortios_vpnipsec_phase1" "AZ-ISP2-VPN" {
The config is:
resource "fortios_vpnipsec_phase1" "AZ-ISP2-VPN" {
  name              = "AZ-ISP2-VPN"
  interface         = "ISP2-INT"
  ike_version       = 2
  local_gw          = "****"
  keylife           = 28800
  peertype          = "any"
  proposal          = "aes256-sha256"
  dpd               = "on-idle"
  dhgrp             = 2
  nattraversal      = "disable"
  remote_gw         = "****" # matches an existing phase 1 for another tunnel via another ISP link
  psksecret         = "****"
  dpd_retryinterval = 10
}
Hi @dbhagen,
The IPsec phase1 interface arguments "interface", "local_gw" and "remote_gw" can't all be exactly the same; you need to change at least one. If you want to add an additional (redundant) tunnel as a backup tunnel, you had better change the interface, in case the other tunnel is down.
Thanks, Maxx
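As an added illustration of the rule above (constructed for this page, not code from the issue or from the provider's documentation): two fortios_vpnipsec_phase1 resources that share the same remote_gw but each sit on their own ISP interface with their own local_gw, so the (interface, local_gw, remote_gw) triple is unique per entry. The interface name ISP1-INT, the addresses, and the psk_isp1/psk_isp2 variables are assumptions.

```hcl
# Constructed example: a redundant phase1 pair toward one remote gateway.
# Each entry is bound to a different uplink interface and local gateway
# address, so the FortiGate does not reject the second entry as a duplicate
# of the first. Addresses are documentation-range placeholders.

resource "fortios_vpnipsec_phase1" "AZ-ISP1-VPN" {
  name              = "AZ-ISP1-VPN"
  interface         = "ISP1-INT"     # assumed name of the first ISP uplink
  local_gw          = "203.0.113.10" # placeholder address on ISP1-INT
  remote_gw         = "192.0.2.50"   # placeholder peer, shared by both tunnels
  ike_version       = 2
  peertype          = "any"
  proposal          = "aes256-sha256"
  dhgrp             = 2
  keylife           = 28800
  dpd               = "on-idle"
  dpd_retryinterval = 10
  nattraversal      = "disable"
  psksecret         = var.psk_isp1   # assumed sensitive variable, not an inline literal
}

resource "fortios_vpnipsec_phase1" "AZ-ISP2-VPN" {
  name              = "AZ-ISP2-VPN"
  interface         = "ISP2-INT"      # second ISP uplink: the argument that differs
  local_gw          = "198.51.100.10" # placeholder address on ISP2-INT, also differs
  remote_gw         = "192.0.2.50"    # same peer as AZ-ISP1-VPN, which is allowed here
  ike_version       = 2
  peertype          = "any"
  proposal          = "aes256-sha256"
  dhgrp             = 2
  keylife           = 28800
  dpd               = "on-idle"
  dpd_retryinterval = 10
  nattraversal      = "disable"
  psksecret         = var.psk_isp2   # assumed sensitive variable
}

variable "psk_isp1" {
  type      = string
  sensitive = true
}

variable "psk_isp2" {
  type      = string
  sensitive = true
}
```

Keeping the pre-shared keys in sensitive variables also keeps them out of plan output and version control, which the `****` redaction in the issue is doing by hand.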
Hi @dbhagen,
Does that solve your question? Let me know if you still have questions.
Thanks, Maxx