https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76225#M42217 <P>yopu can set up a end to end IPSec&nbsp;tunnel on your secondary link and then have a pbf rule that directs all traffic to your primary link with a monitoring profile that disabled the pbf if the monitor fails, then have a static route (or a second pbf rule) direct traffic into the IPSec tunnel</P> Tue, 12 Apr 2016 10:25:56 GMT reaper 2016-04-12T10:25:56Z https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76201#M42210 <P>Hello PAN Live Community,</P> <P>I'm looking at having a redundant link to a given set of destination (servers) over an IPSEC tunnel when primary WAN link goes down.</P> <P>What is the best way to do this ?</P> <P>PBF ?</P> Mon, 11 Apr 2016 23:26:17 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76201#M42210 mpgioia 2016-04-11T23:26:17Z https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76223#M42215 <P>Ok, something is confusing: you have non-IPSEC connection to destination on primary WAN link and when that one goes down you want IPSEC connection to that destination on secondary WAN link? So backup connection&nbsp;will be more secure than primary connection?</P> <P>&nbsp;</P> <P>But yes, PBF rules are for such scenarios. Or in case with tunnel interfaces you can also use tunnel monitor functionality.</P> Tue, 12 Apr 2016 09:24:52 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76223#M42215 santonic 2016-04-12T09:24:52Z https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76225#M42217 <P>yopu can set up a end to end IPSec&nbsp;tunnel on your secondary link and then have a pbf rule that directs all traffic to your primary link with a monitoring profile that disabled the pbf if the monitor fails, then have a static route (or a second pbf rule) direct traffic into the IPSec tunnel</P> Tue, 12 Apr 2016 10:25:56 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76225#M42217 reaper 2016-04-12T10:25:56Z https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76233#M42220 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10238">@santonic</a> wrote:<BR /> <P>Ok, something is confusing: you have non-IPSEC connection to destination on primary WAN link and when that one goes down you want IPSEC connection to that destination on secondary WAN link? So backup connection&nbsp;will be more secure than primary connection?</P> <P>&nbsp;</P> <P>But yes, PBF rules are for such scenarios. Or in case with tunnel interfaces you can also use tunnel monitor functionality.</P> <HR /></BLOCKQUOTE> <P>&nbsp;</P> <P>IPSEC tunnel to that destination over <U><STRONG>Internet</STRONG></U> for backup.. not WAN link.</P> <P>So it's for connectivity sake.. not security sake.</P> Tue, 12 Apr 2016 12:28:14 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76233#M42220 mpgioia 2016-04-12T12:28:14Z https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76234#M42221 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a> wrote:<BR /> <P>yopu can set up a end to end IPSec&nbsp;tunnel on your secondary link and then have a pbf rule that directs all traffic to your primary link with a monitoring profile that disabled the pbf if the monitor fails, then have a static route (or a second pbf rule) direct traffic into the IPSec tunnel</P> <HR /></BLOCKQUOTE> <P>&nbsp;</P> <P>If I disable the pbf when primary/WAN link goes down (via monitor configuration), won't the IPSEC site-to-site then immediately take over (without any configuration/traffic engineering such employing another pbf or static route) as that route will be the only available/remaining in the routing table for the given destination networks ?</P> Tue, 12 Apr 2016 12:30:59 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76234#M42221 mpgioia 2016-04-12T12:30:59Z https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76243#M42228 <P>Yes, once the PBF rule will be disabled&nbsp;when the primary link goes down, static route will take over immediately. But you need to have such&nbsp;static route for directing desired traffic into correct tunnel interface.&nbsp;</P> <P>&nbsp;</P> Tue, 12 Apr 2016 13:19:34 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76243#M42228 santonic 2016-04-12T13:19:34Z https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76245#M42229 <P>&nbsp;</P> <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10238">@santonic</a> wrote:<BR /> <P>Yes, once the PBF rule will be disabled&nbsp;when the primary link goes down, static route will take over immediately. But you need to have such&nbsp;static route for directing desired traffic into correct tunnel interface.&nbsp;</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <P>Makes sense.. Thanks so much !</P> Tue, 12 Apr 2016 13:39:13 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76245#M42229 mpgioia 2016-04-12T13:39:13Z https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76248#M42232 <P>Or... even easier.. not do a PBF.. and just do a floating static (influence administrative distance) over the IPSec site-to-site... ?</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 12 Apr 2016 13:43:39 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76248#M42232 mpgioia 2016-04-12T13:43:39Z https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76301#M42254 <P>Yes, bu what will make primary route be deleted? You can lose connectivity but interface status remains up.&nbsp;</P> Wed, 13 Apr 2016 06:09:00 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76301#M42254 santonic 2016-04-13T06:09:00Z https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76302#M42255 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10238">@santonic</a> wrote:<BR /> <P>Yes, bu what will make primary route be deleted? You can lose connectivity but interface status remains up.&nbsp;</P> <HR /></BLOCKQUOTE> <P>Understood.. given the fault scenario and permutations/combinations of fault.</P> <P>Floating static alone might be enough.. and in other scenario's monitoring on a PBF might be needed.</P> <P>&nbsp;</P> <P>I have enough to build my traffic engineering anyhow.. Thanks all.</P> Wed, 13 Apr 2016 06:18:33 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ipsec-tunnel-as-redundant-link-to-a-destination/m-p/76302#M42255 mpgioia 2016-04-13T06:18:33Z