topic Re: Alternative Way for IPsec Tunnel in Palo Alto 850 in Next-Generation Firewall Discussions

Alternative Way for IPsec Tunnel in Palo Alto 850

soorajpmenon5 — Wed, 24 Jul 2024 09:43:45 GMT

Hello Team,

As I am studying Palo Alto and am a newbie, I have created a lab setup where I use BGP peering between a PA 850 and ISPs. The PA's IP, used for BGP peering, is also used for the IPsec tunnel. I discovered a vulnerability where an ISP outage results in no IP connectivity between the IPsec local and remote IPs, causing both Phase 1 and Phase 2 of the tunnel to go down. This setup is dependent on the ISPs.

Is it possible to:

Set up two IPsec tunnels from both ISPs in an IPsec active/standby configuration???
Is there any other easier way to accomplish the requirement?
FYI: No additional public IP interface on the PA.

I appreciate your response in advance!

Screenshot of design attached!!

Thanks,

Punk!

Re: Alternative Way for IPsec Tunnel in Palo Alto 850

soorajpmenon5 — Wed, 24 Jul 2024 09:46:18 GMT

Design!

Re: Alternative Way for IPsec Tunnel in Palo Alto 850

reaper — Wed, 24 Jul 2024 10:25:11 GMT

In this scenario your IP connectivity depends on BGP to move your IP addresses around when there is an ISP outage.

Do you also have 'local' IP addresses provided by the ISP? This would allow you to set up 2 ipsec tunnels using the 'normal' (non BGP) public addresses so your tunnels do not depend on the BGP IP being moved around (as that will always lead to a tunnel outage)

Re: Alternative Way for IPsec Tunnel in Palo Alto 850

soorajpmenon5 — Wed, 24 Jul 2024 15:09:42 GMT

Hello Reaper,

No more IPs. Thanks for the suggestion. Anyway it would be good to add a public interface(my public) on both sites and do the tunneling through that right. This way, there won't be any ISP dependency, and I'll have the redundancy of dual ISPs!

Thanks,

Punk