| Solution | There may be a situation where an IPsec tunnel that has already been established with one WAN interface needs to be replicated for another WAN interface.
In order to accomplish this, either use the wizard or recreate the tunnel by entering all the information anew or follow the below document where using cli recreate the tunnel by pasting information which would be a faster method to replicate the tunnel.
Firstly, need to gather all the information about this IPsec tunnel from Cli and paste it on a notepad:
Phase1 information:
**config vpn ipsec phase1-interface**
edit "IPsecTunnel"
set interface "port1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: IPsecTunnel (Created by VPN wizard)"
set remote-gw x.x.x.x
set psksecret ENC cKEiJTnk9PJH1fNS9j7BDqFqUmgiLT4EOqqzJKRlrhMIVnTdYvHmqZHRaRM3p1sz/BjYqCLv0YEZplWjECN6HvzOE2jwY1JU0IPRcFGRkmE2yvMrjltUQEThZNPq73Q9wMOT+vM/M0eW6
3wEQj/wqpgatsXrRnBxhniXcDp6LssBLsq9MlvwYb3rhAEl7puEOdwYzw==
next
end
Phase2 information:
**config vpn ipsec phase2-interface**
edit "IPsecTunnel"
set phase1name "IPsecTunnel"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: IPsecTunnel (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "IPsecTunnel\_local"
set dst-name "IPsecTunnel\_remote"
next
end
Now, on a notepad make the following changes, Once this is done, paste the content on to cli:
**config vpn ipsec phase1-interface**
edit "IPsecTunnel2" <- Change the Tunnel name.
set interface "port5" <- Change port to the desired WAN port.
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: IPsecTunnel (Created by VPN wizard)"
set remote-gw x.x.x.x
set psksecret ENC "
cKEiJTnk9PJH1fNS9j7BDqFqUmgiLT4EOqqzJKRlrhMIVnTdYvHmqZHRaRM3p1sz/BjYqCLv0YEZplWjECN6HvzOE2jwY1JU0IPRcFGRkmE2yvMrjltUQEThZNPq73Q9wMOT+vM/M0eW6
3wEQj/wqpgatsXrRnBxhniXcDp6LssBLsq9MlvwYb3rhAEl7puEOdwYzw==
"
next
end
For the PSK part, follow the instructions shown in the screenshot below to paste it:
**config vpn ipsec phase2-interface**
edit "IPsecTunnel2" ->>>Change the Tunnel name
set phase1name "IPsecTunnel2" ->>>Change the Tunnel name
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: IPsecTunnel (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "IPsecTunnel\_local"
set dst-name "IPsecTunnel\_remote"
next
end
After, verify that the tunnel has been created from the GUI:
Before cloning the tunnel
After cloning the tunnel:
Get the information for static route and firewall policy:
**config router static**
edit 2
set device "IPsecTunnel"
set comment "VPN: IPsecTunnel (Created by VPN wizard)"
set dstaddr "IPsecTunnel\_remote"
next
end
**config firewall policy**
edit 2
set name "vpn\_IPsecTunnel\_remote\_0"
set uuid 7e44106e-a776-51ef-dedb-e06d8c3a0afb
set srcintf "IPsecTunnel"
set dstintf "port2"
set action accept
set srcaddr "IPsecTunnel\_remote"
set dstaddr "IPsecTunnel\_local"
set schedule "always"
set service "ALL"
set comments "VPN: IPsecTunnel (Created by VPN wizard)"
next
end
**config firewall policy**
edit 1
set name "vpn\_IPsecTunnel\_local\_0"
set uuid 7e35bbcc-a776-51ef-5990-8db56fd0e567
set srcintf "port2"
set dstintf "IPsecTunnel"
set action accept
set srcaddr "IPsecTunnel\_local"
set dstaddr "IPsecTunnel\_remote"
set schedule "always"
set service "ALL"
set comments "VPN: IPsecTunnel (Created by VPN wizard)"
next
end
After, clone/copy the firewall policies for the tunnel and change the tunnel interface to a new tunnel.
CLI:
**config firewall policy**
clone 1 to 3
clone 2 to 4
end
After, change the IPsec tunnel interface from the GUI or just paste the copied firewall policy with a modified IPsec tunnel:
**config firewall policy**
edit 2
set name "vpn\_IPsecTunnel\_remote\_0"
set uuid 7e44106e-a776-51ef-dedb-e06d8c3a0afb
set srcintf "IPsecTunnel2" <- Change the Tunnel name.
set dstintf "port2"
set action accept
set srcaddr "IPsecTunnel\_remote"
set dstaddr "IPsecTunnel\_local"
set schedule "always"
set service "ALL"
next
end
**config firewall policy**
edit 1
set name "vpn\_IPsecTunnel\_local\_0"
set uuid 7e35bbcc-a776-51ef-5990-8db56fd0e567
set srcintf "port2"
set dstintf "IPsecTunnel2" <- Change the Tunnel name.
set action accept
set srcaddr "IPsecTunnel\_local"
set dstaddr "IPsecTunnel\_remote"
set schedule "always"
set service "ALL"
next
end
GUI:
Clone method
Similarly, clone or copy the static route and set the interface to the new Tunnel interface.
CLI:
**config router static**
edit 3
set device "IPsecTunnel2" <- Change the Tunnel name.
set dstaddr "IPsecTunnel\_remote"
next
end
GUI:
 |