====== How to connect two Branches with a VPN Tunnel ======

^ :!: Your Internet Gate does not have a VPN license. ^
| You need to purchase a VPN [[:license]] to be able to activate the VPN termination in your unit.\\ Only VPN pass-through is available otherwise. |

To create an equal (symmetric, not client-server style) connection between, say, two branch offices that each have an Internet Gate, set each unit up as a non-[[vpn:easyclient|EasyClient]] client of the other.

Both Internet Gates need to have static global IP addresses.

The two Internet Gates need to have different subnets for ET1.

On both Internet Gates:

  - Make sure the unit has a different ET1 subnet than the unit at the other end. If needed, change the ET1 subnet on the [[web_gui:network_page|Network Configuration]] page.
  - Click Add in the **VPN Connections** field on the [[web_gui:vpn_page|IPSec Overview]] page.
  - On the IPSec Settings page that appears, disable **Act as EasyClient**.
  - Enter the global IP address of the other Internet Gate in the **Remote Gateway IP Address** field.
  - Enter the same pre-shared key or certificate.
  - Enter the local subnet used at ET1 behind the other Internet Gate.
  - Click Apply.

Now all PCs connected to ports ET1/2/3 of one Internet Gate can connect to all PCs connected to ports ET1/2/3 at the other end. To be able to use port ET4 or AIR, the connections need to be tweaked on the [[web_gui:vpn_advanced|advanced pages]].

:!: Both Internet Gates must have static IP addresses.
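
The settings entered on the two units must mirror each other, so it is worth checking the planned values before typing them in. The script below is an added example, not part of the Internet Gate documentation or firmware: the ''Site'' record, the ''check_pair'' function and all addresses and keys are constructed for illustration, and it covers the pre-shared-key case only.

```python
import ipaddress
from dataclasses import dataclass

# "Global" is approximated here as "not RFC 1918 private" so that the
# documentation-range sample addresses below can stand in for real ones.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Site:                 # hypothetical record of what is typed into one unit
    name: str
    wan_ip: str             # this unit's static global IP address
    et1_subnet: str         # this unit's local ET1 subnet
    remote_gateway: str     # value for the "Remote Gateway IP Address" field
    remote_subnet: str      # ET1 subnet entered for the other end
    psk: str                # pre-shared key

def check_pair(a: Site, b: Site) -> list[str]:
    """Return the problems found; an empty list means the two ends mirror each other."""
    problems = []
    if ipaddress.ip_network(a.et1_subnet).overlaps(ipaddress.ip_network(b.et1_subnet)):
        problems.append("ET1 subnets overlap")
    for local, remote in ((a, b), (b, a)):
        wan = ipaddress.ip_address(local.wan_ip)
        if any(wan in net for net in RFC1918):
            problems.append(f"{local.name}: WAN address is private, not global")
        if ipaddress.ip_address(local.remote_gateway) != ipaddress.ip_address(remote.wan_ip):
            problems.append(f"{local.name}: remote gateway is not {remote.name}'s address")
        if ipaddress.ip_network(local.remote_subnet) != ipaddress.ip_network(remote.et1_subnet):
            problems.append(f"{local.name}: remote subnet is not {remote.name}'s ET1 subnet")
    if a.psk != b.psk:      # compared only; the keys are never printed
        problems.append("pre-shared keys differ")
    return problems

# Constructed sample values (documentation address ranges, not real sites).
OFFICE_A = Site("A", "203.0.113.10", "192.168.0.0/24",
                "198.51.100.20", "192.168.1.0/24", "example-key")
OFFICE_B = Site("B", "198.51.100.20", "192.168.1.0/24",
                "203.0.113.10", "192.168.0.0/24", "example-key")
# Same plan, but B was left on the same ET1 subnet as A.
OFFICE_B_CLASH = Site("B", "198.51.100.20", "192.168.0.0/24",
                      "203.0.113.10", "192.168.0.0/24", "example-key")

if __name__ == "__main__":
    for pair in ((OFFICE_A, OFFICE_B), (OFFICE_A, OFFICE_B_CLASH)):
        print(check_pair(*pair) or "OK")
```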