topic Backup Internet with Ipsec VPN doing BGP in General Topics https://live.paloaltonetworks.com/t5/general-topics/backup-internet-with-ipsec-vpn-doing-bgp/m-p/1226984#M124056 <P>Hello,<BR /><BR />Mostly just need a sanity check on this configuration.<BR /><BR />I am setting up a backup internet for one of our hub sites as a failover.</P> <P>Currently the connection to the other primary sites is via a IPsec tunnel using iBGP to pass routes between the "Hub" sites as well as redist into OSPF for internal traffic and routing to spokes.<BR /><BR />The External VR has a default route to the primary ISP with path monitoring set to metric 10, and a second default route to the backup ISP on metric 100. <BR /><BR />I have created new tunnel interfaces, ike gateways and ipsec tunnels on both sides for the backup internet connection under a different subnet<BR /><BR />I am adding the second tunnel to the same Peer groups (one for each Hub Connection).&nbsp;<BR /><BR />From my understanding I shouldn’t need to worry about adjusting the new peers AS, MED, etc. in the peer groups as only one of the sessions could be alive at any given time due to the external routers default route metrics.<BR /><BR />Am I missing anything here, and even through I shouldn't have to set the new peers to only be used as a failover connection in BGP should I do it anyway?</P> Mon, 21 Apr 2025 15:26:57 GMT CaseyAnderson 2025-04-21T15:26:57Z Backup Internet with Ipsec VPN doing BGP https://live.paloaltonetworks.com/t5/general-topics/backup-internet-with-ipsec-vpn-doing-bgp/m-p/1226984#M124056 <P>Hello,<BR /><BR />Mostly just need a sanity check on this configuration.<BR /><BR />I am setting up a backup internet for one of our hub sites as a failover.</P> <P>Currently the connection to the other primary sites is via a IPsec tunnel using iBGP to pass routes between the "Hub" sites as well as redist into OSPF for internal traffic and routing to spokes.<BR /><BR />The External VR has a default route to the primary ISP with path monitoring set to metric 10, and a second default route to the backup ISP on metric 100. <BR /><BR />I have created new tunnel interfaces, ike gateways and ipsec tunnels on both sides for the backup internet connection under a different subnet<BR /><BR />I am adding the second tunnel to the same Peer groups (one for each Hub Connection).&nbsp;<BR /><BR />From my understanding I shouldn’t need to worry about adjusting the new peers AS, MED, etc. in the peer groups as only one of the sessions could be alive at any given time due to the external routers default route metrics.<BR /><BR />Am I missing anything here, and even through I shouldn't have to set the new peers to only be used as a failover connection in BGP should I do it anyway?</P> Mon, 21 Apr 2025 15:26:57 GMT https://live.paloaltonetworks.com/t5/general-topics/backup-internet-with-ipsec-vpn-doing-bgp/m-p/1226984#M124056 CaseyAnderson 2025-04-21T15:26:57Z