Hi,
I have mine working by just using a single gateway entry with no identity hostnames, but proxy-identity must be configured or only one tunnel will pass traffic. So if I were to amend your config to look like mine, the amended sections would look like this:
Deleted local/remote-identity
Only one ike gateway statement, no gw2bar
set security ike gateway gw2foo ike-policy phase1
set security ike gateway gw2foo address 10.255.2.0
set security ike gateway gw2foo dead-peer-detection
set security ike gateway gw2foo external-interface reth5.0
Set VPNs to use the same gateway
Set proxy-id local and remote
set security ipsec vpn vpn2foo bind-interface st0.1
set security ipsec vpn vpn2foo ike gateway gw2foo
set security ipsec vpn vpn2foo ike proxy-identity local (local st0.1 tun IP Addr)
set security ipsec vpn vpn2foo ike proxy-identity remote (remote st0.1 tun IP Addr)
set security ipsec vpn vpn2foo ike ipsec-policy phase2
set security ipsec vpn vpn2foo establish-tunnels immediately
set security ipsec vpn vpn2bar bind-interface st0.2
set security ipsec vpn vpn2bar ike gateway gw2foo
set security ipsec vpn vpn2bar ike proxy-identity local (local st0.2 tun IP Addr)
set security ipsec vpn vpn2bar ike proxy-identity remote (remote st0.2 tun IP Addr)
set security ipsec vpn vpn2bar ike ipsec-policy phase2
set security ipsec vpn vpn2bar establish-tunnels immediately
This is just how I have mine working. I haven't played around enough with other combinations to know what is possible, or your exact setup, so I can't guarantee anything, but it may help.
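As an added example (not part of this thread, and not Junos or the poster's own code), the script below parses `set`-style config lines like the ones posted here and reports VPNs that share one IKE peer (same gateway address and external interface) without a distinct proxy-identity local/remote pair, which is the condition the reply above says leaves only one tunnel passing traffic. It also notes when two VPNs to the same peer are split across separate IKE gateways, since the layout reported working above shares a single gateway. The sample config, the /32 tunnel addresses and the function names are constructed for the example.

```python
"""Check a Junos SRX 'set' config for VPNs that share one IKE peer but lack distinct proxy-identities.

Added example for this thread, not Junos or the poster's own code. It models the
condition described above: two st0 tunnels to the same peer address over the same
external interface need proxy-identity local/remote on each VPN, or only one tunnel
will pass traffic. The sample config and its addresses are constructed.
"""
import re
from collections import defaultdict

GW_RE = re.compile(r"^set security ike gateway (\S+) (address|external-interface) (\S+)$")
VPN_GW_RE = re.compile(r"^set security ipsec vpn (\S+) ike gateway (\S+)$")
VPN_PID_RE = re.compile(
    r"^set security ipsec vpn (\S+) ike proxy-identity(?: (local|remote|service) (\S+))?$"
)

# Constructed sample in the layout of the reply above (one gateway, two VPNs),
# with vpn2bar's proxy-identity left bare so the check has something to report.
# The /32 tunnel addresses are assumed values, not from the thread.
SAMPLE_CONFIG = """
set security ike gateway gw2foo ike-policy phase1
set security ike gateway gw2foo address 10.255.2.0
set security ike gateway gw2foo external-interface reth5.0
set security ipsec vpn vpn2foo bind-interface st0.1
set security ipsec vpn vpn2foo ike gateway gw2foo
set security ipsec vpn vpn2foo ike proxy-identity local 10.0.1.1/32
set security ipsec vpn vpn2foo ike proxy-identity remote 10.0.1.2/32
set security ipsec vpn vpn2foo ike ipsec-policy phase2
set security ipsec vpn vpn2bar bind-interface st0.2
set security ipsec vpn vpn2bar ike gateway gw2foo
set security ipsec vpn vpn2bar ike proxy-identity
set security ipsec vpn vpn2bar ike ipsec-policy phase2
"""


def parse_set_config(text):
    """Pull gateways and VPNs out of 'set' lines.

    Returns ({gw: {"address", "external-interface"}}, {vpn: {"gateway", "local", "remote"}}).
    Statements the check does not need (policies, zones, routing) are ignored.
    """
    gateways = defaultdict(dict)
    vpns = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if m := GW_RE.match(line):
            gateways[m.group(1)][m.group(2)] = m.group(3)
        elif m := VPN_GW_RE.match(line):
            vpns[m.group(1)]["gateway"] = m.group(2)
        elif m := VPN_PID_RE.match(line):
            # A bare 'ike proxy-identity' with no local/remote records nothing;
            # 'service' is accepted but not part of the uniqueness check.
            if m.group(2) in ("local", "remote"):
                vpns[m.group(1)][m.group(2)] = m.group(3)
    return dict(gateways), dict(vpns)


def check_proxy_identities(text):
    """Return a list of findings; empty means every shared-peer VPN has its own proxy-id."""
    gateways, vpns = parse_set_config(text)
    findings = []
    by_peer = defaultdict(list)  # (peer address, external interface) -> [vpn names]
    for vpn, attrs in vpns.items():
        gw_name = attrs.get("gateway")
        gw = gateways.get(gw_name, {})
        peer = (gw.get("address"), gw.get("external-interface"))
        if None in peer:
            findings.append(f"{vpn}: gateway {gw_name!r} is missing address or external-interface")
            continue
        by_peer[peer].append(vpn)

    for (addr, ifc), members in by_peer.items():
        if len(members) < 2:
            continue  # a single tunnel to this peer has nothing to collide with
        seen = {}  # (local, remote) -> vpn that first used that pair
        for vpn in members:
            local, remote = vpns[vpn].get("local"), vpns[vpn].get("remote")
            others = [m for m in members if m != vpn]
            if not (local and remote):
                findings.append(
                    f"{vpn}: shares peer {addr} via {ifc} with {others} "
                    "but has no proxy-identity local/remote"
                )
                continue
            if (local, remote) in seen:
                findings.append(
                    f"{vpn}: proxy-identity {local} <-> {remote} duplicates {seen[(local, remote)]}"
                )
            seen[(local, remote)] = vpn
        gw_names = sorted({vpns[v]["gateway"] for v in members})
        if len(gw_names) > 1:
            findings.append(
                f"peer {addr} via {ifc}: {members} use separate IKE gateways {gw_names}; "
                "the layout reported working above shares one gateway"
            )
    return findings


if __name__ == "__main__":
    for finding in check_proxy_identities(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

To run it against a real box, save the output of `show configuration | display set` to a file and pass its contents to `check_proxy_identities`; the parser only looks at the gateway, VPN-to-gateway and proxy-identity statements, so the rest of the config can stay in the file.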
Original Message:
Sent: 10-20-2022 15:12
From: JOHN PEREGRIN
Subject: Multiple IPSec tunnels from same source and destination IP's using virtual-routing instances
Thanks for the reply -
As you suggested, I placed both into main mode on both ends, and set local-id/remote-id for both.
However, the end result is one tunnel flaps, the other tunnel does not come up.
Please see the attached config - see anything out of place?
set security ike proposal pre-g14-aes256-sha256 authentication-method pre-shared-keys
set security ike proposal pre-g14-aes256-sha256 dh-group group14
set security ike proposal pre-g14-aes256-sha256 authentication-algorithm sha-256
set security ike proposal pre-g14-aes256-sha256 encryption-algorithm aes-256-cbc
set security ike policy phase1 mode main
set security ike policy phase1 proposals pre-g14-aes256-sha256
set security ike policy phase1 pre-shared-key ascii-text <redacted>
set security ike gateway gw2foo ike-policy phase1
set security ike gateway gw2foo address 10.255.2.0
set security ike gateway gw2foo dead-peer-detection
set security ike gateway gw2foo local-identity hostname foo1
set security ike gateway gw2foo remote-identity hostname foo2
set security ike gateway gw2foo external-interface reth5.0
set security ike gateway gw2bar ike-policy phase1
set security ike gateway gw2bar address 10.255.2.0
set security ike gateway gw2bar dead-peer-detection
set security ike gateway gw2bar local-identity hostname bar1
set security ike gateway gw2bar remote-identity hostname bar2
set security ike gateway gw2bar external-interface reth5.0
set security ipsec proposal g14-esp-aes256-sha256 protocol esp
set security ipsec proposal g14-esp-aes256-sha256 authentication-algorithm hmac-sha-256-128
set security ipsec proposal g14-esp-aes256-sha256 encryption-algorithm aes-256-cbc
set security ipsec policy phase2 proposals g14-esp-aes256-sha256
set security ipsec policy phase2 perfect-forward-secrecy keys group14
set security ipsec vpn vpn2foo bind-interface st0.1
set security ipsec vpn vpn2foo ike gateway gw2foo
set security ipsec vpn vpn2foo ike proxy-identity
set security ipsec vpn vpn2foo ike ipsec-policy phase2
set security ipsec vpn vpn2foo establish-tunnels immediately
set security ipsec vpn vpn2bar bind-interface st0.2
set security ipsec vpn vpn2bar ike gateway gw2bar
set security ipsec vpn vpn2bar ike proxy-identity
set security ipsec vpn vpn2bar ike ipsec-policy phase2
set security ipsec vpn vpn2bar establish-tunnels immediately
set security zones security-zone foo interfaces st0.1
set security zones security-zone bar interfaces st0.2
set routing-instances foo-vr instance-type virtual-router
set routing-instances foo-vr interface st0.1
set routing-instances foo-vr routing-options static route 0.0.0.0/0 next-hop st0.1
set routing-instances bar-vr instance-type virtual-router
set routing-instances bar-vr interface st0.2
set routing-instances bar-vr routing-options static route 0.0.0.0/0 next-hop st0.2
------------------------------
JOHN PEREGRIN
Original Message:
Sent: 10-19-2022 05:44
From: Unknown User
Subject: Multiple IPSec tunnels from same source and destination IP's using virtual-routing instances
Hi John,
I'm sure somebody else will be able to provide a more helpful reply, but I always find any info useful, so I thought I'd let you know that I have exactly the same setup as your diagram working. However, I am not using dynamic-hostname, just static IPs at both ends, so your issue may be with this part of the configuration; I haven't tried to do it that way before. The gateway will have a dynamic-hostname entry, which I believe must be configured as the local ID at the remote end, so I'm a bit confused by your diagram, which suggests you have more than one gateway statement, as you have Foo and Bar.
Is it possible to post the relevant part of your config? I'm not sure anyone will be able to resolve your issue from your diagram alone.
Original Message:
Sent: 10-18-2022 11:41
From: JOHN PEREGRIN
Subject: Multiple IPSec tunnels from same source and destination IP's using virtual-routing instances
This topic has been posted before but I have a slightly different scenario.
I had always thought you could build multiple tunnels from the same device TO the same device using the same source-gateway and destination-gateway as long as the tunnels were in aggressive mode using dynamic-hostname.
1 tunnel comes up, but the other is getting 'No Proposal Chosen'.
Below is a simplified diagram - any input would be appreciated!
------------------------------
JOHN
------------------------------