topic Re: 2 isps 1 for ipsec tunnel 1 for user internet advice on how to do this in General Topics

2 isps 1 for ipsec tunnel 1 for user internet advice on how to do this

din100 — Thu, 16 Nov 2023 09:10:50 GMT

Hi Guys hope this a quick one,

I have 2 ISPs want to use 1 for the site to site tunnels and 1 for the user internet

I have created 2 interfaces for 2 isps

interface 1/1 with 2.2.2.2 next hop 2.2.2.1 (isp for internet access some site to site )

interface 1/2 with 3.3.3.3 next hop 3.3.3.1 ( only for some site to site they only allow this ips)

Created a virtual router call VR1

routes for 0.0.0.0 2.2.2.1 metric 10

routes for 0.0.0.0 next hop 3.3.3.1 metric 10

I have NAT rules for Both ISPs

It's letting me select site to site with each ISP and internet works on the primary.

Not tested on the live environment it might not work or is their a better way to do this

Thank you.

Re: 2 isps 1 for ipsec tunnel 1 for user internet advice on how to do this

din100 — Thu, 16 Nov 2023 10:38:08 GMT

I can't seems to edit it routes for 0.0.0.0 next hop 3.3.3.1 metric 20 not 10 as I posted above

Re: 2 isps 1 for ipsec tunnel 1 for user internet advice on how to do this

TomYoung — Thu, 16 Nov 2023 10:45:24 GMT

Hi @din100 ,

The easiest way to accomplish your goal is to use a default route to 2.2.2.1 and host routes (/32) to 3.3.3.1 for each VPN peer. Routing to each IPsec tunnel interface (static or dynamic) will ensure the tunneled traffic is routed correctly.

You mentioned that the IPsec peers only accept the 1 IP address. So, you do not have to plan for IPsec redundancy. If you want redundancy for Internet traffic, you could follow this guide. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO

Thanks,

Tom

Re: 2 isps 1 for ipsec tunnel 1 for user internet advice on how to do this

din100 — Thu, 16 Nov 2023 11:20:47 GMT

ok so you are saying remove routes for 0.0.0.0 next hop 3.3.3.1 metric 20

add each VPN peer like 7.7.7.7 next hop to 3.3.3.1

nice I will try it

Re: 2 isps 1 for ipsec tunnel 1 for user internet advice on how to do this

TomYoung — Thu, 16 Nov 2023 12:27:09 GMT

Yes! Add each VPN peer host route like your example.

You can keep the 2nd default route with the higher metric. It will be used if the link goes down. You can also add path monitoring which will allow failover if the ISP has connectivity problems. My path monitoring configuration is different than the URL I posted. I do not ping the ISP gateway because occasionally the gateway can remain up when the Internet is down. I ping 2 public IP addresses and set the failure condition to all.

Thanks,

Tom

Re: 2 isps 1 for ipsec tunnel 1 for user internet advice on how to do this

din100 — Thu, 16 Nov 2023 13:16:55 GMT

Good point our ISP gateway is inside our building :D. I will change it to google/cloudflair dns ips. thank you so much for your help

Re: 2 isps 1 for ipsec tunnel 1 for user internet advice on how to do this

din100 — Fri, 24 Nov 2023 11:17:07 GMT

thank you again Tom, all worked like a clock work.