topic VPN Tunnels between two PA over an MPLS infrastructure in General Topics

VPN Tunnels between two PA over an MPLS infrastructure

SecurityConsultant — Mon, 30 Oct 2017 17:41:24 GMT

I have a scenario where I'm creating a VPN tunnel between two PAs. The infrastructure between the two PA is MPLS, each PA has two BGP links (Primary 50Mbps) and (Secondary 10Mbps). I'm terminating the VPN on the loopback of the PAs, however, i noticed that the VPN tunnel is initiated from the primary link (50Mbps) of the first PA and entering the second PA through Secondary Link (10Mbps). Using the BGP Import I made the primary neighbor with local preference and weight 110 and the secondary neighbor with local preference and weight 90. I thought this will force the VPN tunnel to use the primary links from both sides but it seems not working.

Any Advice?

Re: VPN Tunnels between two PA over an MPLS infrastructure

9t89m8fu — Tue, 31 Oct 2017 12:30:32 GMT

With this config you are only controlling the outgoing interface of each PA. This will not affect the incoming interface on the other side (assuming both links connect to the same provider and MPLS cloud).

You will want to prepend your advertisements out the secondary links to make sure incoming traffic is not received on them.

Re: VPN Tunnels between two PA over an MPLS infrastructure

SecurityConsultant — Tue, 31 Oct 2017 12:53:54 GMT

thanks for your reply,

I really didn't get what do you mean exactly, can you explain how to do this.

Re: VPN Tunnels between two PA over an MPLS infrastructure

OtakarKlier — Tue, 31 Oct 2017 18:55:10 GMT

Hello,

In the past I have had sites with multiple lines. What I did was to use OSPF between the two VPN endpoints with static routes and policy based forwarding.

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/use-case-pbf-for-outbound-access-with-dual-isps

Let me know if you have furher questions.

Cheers!

Re: VPN Tunnels between two PA over an MPLS infrastructure

SecurityConsultant — Thu, 02 Nov 2017 13:35:07 GMT

The solution was to use the wight to force the outgoing traffic to use the primary link by giving higher weight to the primary and to use MED to force the incoming traffic to use the primary interface by giving it lower MED.