VPN Mode and Gateway Endpoint Restrictions

In the BOVPN configuration, each VPN gateway endpoint includes these settings:

  • External interface
  • Interface IP address (Fireware v12.2 or higher)
  • Local gateway ID (local IP address or domain)
  • Remote IP address
  • Remote gateway ID

You cannot add two gateway endpoints that have exactly the same settings. You can add gateway endpoints that have some duplicate settings. The IKE version and gateway mode you configure in the Phase 1 settings determine which gateway endpoint settings you can set to the same value for multiple gateway endpoints.

If you want to use the same external interface and remote IP address in two gateway endpoints, you must configure the local and remote gateway endpoints to use IKEv1 in Aggressive mode, or use IKEv2.

For IKEv1 gateways configured in Main or Main fallback to Aggressive mode:

  • No more than one gateway endpoint can use the same external interface and remote IP address.

For IKEv2 gateways or IKEv1 gateways configured in Aggressive mode:

  • Multiple gateway endpoints can use the same local interface and remote IP address, as long as the remote gateway ID is different for each one.

These restrictions apply whether the gateway endpoints with duplicate settings are in the same gateway or different gateways. If you try to add gateway endpoints with duplicate settings to gateways configured in different modes, the more restrictive rule applies.
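The following added example (not WatchGuard code) applies the restrictions above to a list of planned gateway endpoints before you enter them in the BOVPN configuration. The field names, mode labels, and sample addresses are assumptions made for illustration; the interface IP address takes part only in the exact-duplicate check, because this page states no separate rule for it.

```python
from dataclasses import dataclass
from itertools import combinations

# Modes in which endpoints may share an external interface and remote IP.
# The mode labels are assumptions for this example, not Fireware identifiers.
SHARING_MODES = {"ikev2", "ikev1-aggressive"}

@dataclass(frozen=True)
class Endpoint:
    gateway: str       # BOVPN gateway the endpoint belongs to (hypothetical name)
    mode: str          # "ikev1-main", "ikev1-main-fallback", "ikev1-aggressive" or "ikev2"
    external_if: str
    interface_ip: str
    local_id: str
    remote_ip: str
    remote_id: str

    def settings(self):
        # The five per-endpoint settings listed at the top of this page.
        return (self.external_if, self.interface_ip, self.local_id,
                self.remote_ip, self.remote_id)

def find_conflicts(endpoints):
    """Return (index_a, index_b, reason) for every pair that breaks a restriction."""
    conflicts = []
    for (i, a), (j, b) in combinations(enumerate(endpoints), 2):
        if a.settings() == b.settings():
            conflicts.append((i, j, "identical settings"))
        elif (a.external_if, a.remote_ip) == (b.external_if, b.remote_ip):
            # Mixed modes: the more restrictive (Main mode) rule applies.
            if not {a.mode, b.mode} <= SHARING_MODES:
                conflicts.append((i, j, "Main mode: interface and remote IP must be unique"))
            elif a.remote_id == b.remote_id:
                conflicts.append((i, j, "remote gateway ID must differ"))
    return conflicts

# Constructed sample plan (documentation address ranges, not taken from this page).
SAMPLE = [
    Endpoint("hq-branch1", "ikev2", "External", "203.0.113.10", "203.0.113.10", "198.51.100.5", "branch1.example.com"),
    Endpoint("hq-branch2", "ikev1-aggressive", "External", "203.0.113.10", "203.0.113.10", "198.51.100.5", "branch2.example.com"),
    Endpoint("hq-legacy", "ikev1-main", "External", "203.0.113.10", "203.0.113.10", "198.51.100.5", "legacy.example.com"),
    Endpoint("hq-branch3", "ikev2", "External", "203.0.113.10", "hq.example.com", "198.51.100.5", "branch1.example.com"),
]

if __name__ == "__main__":
    for i, j, reason in find_conflicts(SAMPLE):
        print(f"{SAMPLE[i].gateway} <-> {SAMPLE[j].gateway}: {reason}")
```

In the sample plan, the IKEv2 and Aggressive mode endpoints with different remote gateway IDs coexist, while every pairing that involves the Main mode gateway is reported.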
