topic Re: Site to Site tunnel in General Topics

Site to Site tunnel

SebastianRM — Sun, 10 Mar 2019 13:44:33 GMT

Hello

I have a question about the configuration of the ipsec tunnel, in the article when the tunnel interface is created

"Optional) If you want to assign an IPv4 address to the tunnel interface, select the IPv4 tab, and Add the IP address and network mask, for example 10.31.32.1/32."

That "Optional" address, what should it be? from my network, anyone?

I also wanted to consult once the monitor profile was created to know if the tunnel is UP or DOWN, when I select "failover". How should the PBF rule be with another ISP? I am looking for the tunnel to be UP in case the principal no longer responds and performs failover.

Could someone explain to me?

Thank you!

Re: Site to Site tunnel

OtakarKlier — Mon, 11 Mar 2019 15:50:21 GMT

Hello,

The tunnel interface could be anything. I use rfc1918 addresses that are carved into /30's so each side of the tunnel gets one. Then I have a static route (for monitoring only) to the other sides IP.

The monitor sends pings to the IP specified to verify if it is up or down. Check out this article about dual ISP's and PBF failover.

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/policy-based-forwarding/use-case-pbf-for-outbound-access-with-dual-isps.html

Cheers!

Re: Site to Site tunnel

SebastianRM — Wed, 13 Mar 2019 13:18:14 GMT

Hello Otakar.Klier

Thank you very much for your response, I would appreciate it if you could help me with the following, since I have not been able to advance

When I created the PBF and I had a main and a backup tunnel, in "Source" did I have to choose the "Trust" zone (LAN) or the "VPN" zone that was created for the tunnels?

In "Static Routes" I defined as follows

VR_RED_1

Destination: 192.168.2.0 (The other end network)
Interface: tunnel.1
Next Hop (Here I have not placed anything, should I put the IP default gateway for the output of ISP1?)

VR_RED_1_Backup
Destination: 192.168.2.0 (The other end network)
Tunnel interface
Next Hop (Here I have not placed anything, should I put the IP default gateway for the ISP2 output?)

Configuring IPSec Tunnel

VPN_Tunnel_1
Tunnel Interface: tunnel.1
Address Type: IPv4
Type: Auto Key
IKE Gateway: VPN_Tunnel_1_IKE
IPSec Crypto: Default
Tunnel Monitor
- Destination IP: 192.168.2.4 (any host IP in the other network, this is correct or what should I put?)
Profile: Failover_VPN_Tunnel

VPN_Tunnel_1_Backup
Tunnel Interface: tunnel.2
Address Type: IPv4
Type: Auto Key
IKE Gateway: VPN_Tunnel_1_IKE_Backup
IPSec Crypto: Default
Tunnel Monitor
- Destination IP: 192.168.2.4 (any host IP in the other network, this is correct or what should I put?)
Profile: Failover_VPN_Tunnel

This may be the part that causes me the most trouble.

Tunnel interface configuration:

Tunnel.1
IP Address: (I have not placed any address, in the IKE_Gateway I refer to the interface and address of each Peer)
Virtual Router: Default (It is necessary to place the previously configured? VR_RED_1)
Security Zone: VPN_Zone

Tunnel.2
IP Address: (I have not placed any address, in the IKE_Gateway I refer to the interface and address of each Peer)
Virtual Router: Default (It is necessary to place the previously configured? VR_RED_1_Backup)
Security Zone: VPN_Zone

IKE_Gateway configuration

VPN_Tunnel_1_IKE
Version: IKEv1
Address Type: IPv4
Interface: Eth1 / 1
Local IP: (Local ISP)
Peer Address: (Peer ISP)
Pre-Shared Key: (key ****)

VPN_Tunnel_1_IKE_Backup
Version: IKEv1
Address Type: IPv4
Interface: Eth1 / 2
Local IP: (Local ISP Backup)
Peer Address: (Peer ISP Backup)
Pre-Shared Key: (key ****)

PBF Config:
Source Trust / LAN (is this correct?)
Destination: 192.168.2.0/24 (Destination network)
[] Negate selected
Forwarding:
Action: Forward
Egress Interface: Tunnel.2
[ ] Monitor
Profile: Failover_VPN_Tunnel
IP Address: 192.168.2.4 (any IP from a host at the other end)
[] Disable this rule if nexthop / monitor ip is unreachable - Selected

Thanks for everything and I apologize for the length of the message, it is that I am having problems to make this configuration and it has cost me something to understand.

Regards!

Re: Site to Site tunnel

OtakarKlier — Wed, 13 Mar 2019 21:33:59 GMT

Hello,

I will do my best to answer. From what I have gathered you have a remote site and two ISP's at each site or only 2 isp's at the main site and one at the remote site?

When using PBF, these are used prior to anything in the virtual router. So if you have 2 ways to get somewhere, the primary path would be your PBF with the 'Disable' option and the backup route will be the static (if you point it at a tunnel, you dont need a next hop). You should not have static for both as this will not work correctly. Also not sure if its a typo, but you have the same IP for both tunnel interfaces, they should be different?

Hope that helps.

Re: Site to Site tunnel

SebastianRM — Thu, 14 Mar 2019 12:31:21 GMT

Hi Otakar.Klier

Thanks for your support!.

So in the PFB rule should I put the primary tunnel to execute this rule?

It would be ...

SOURCE: LAN

DESTINATION / APP / SERV. 192.168.2.0/24/any/any

FORWARDING

Action: Forward

Egress: tunnel.1

Next Hop: -

MONITOR

Profile: Failover_VPN_Tunnel

IP Adress: 192.168.2.4 (any IP from a host at the other end)

[] Disable this rule if nexthop / monitor ip is unreachable - Selected

Would this always leave the main tunnel? In case it fails, how would it reach the other? In the state of the tunnel, in the main the interface is shown in red, but it is connected at least on the east side and working correctly, what could it be?

I have 2 ISPs on both sites.

The IP addresses to configure the IKE Gateway are different from each one.

In the rule NAT_VPN_1 I placed Section "Translated Packet"

Eth1 / 1

IP: (ISP1)

In the rule NAT_VPN_1_Backup I placed Section "Translated Packet"

Eth1 / 2

IP: (ISP2)

Again thank you very much !!

regards

Re: Site to Site tunnel

SebastianRM — Thu, 14 Mar 2019 12:57:38 GMT

It has emerged me a doubt.

When I configure tunnel monitoring, in the part of:

MONITOR

Profile: Failover_VPN_Tunnel

IP Adress: 192.168.2.4 <--- This address should be the same as that configured in the tunnel interface? Network -> Intereface - Tunnel?

Regards!

Re: Site to Site tunnel

Raido_Rattameister — Thu, 14 Mar 2019 13:10:55 GMT

Add tunnel interfaces to same subnet.

For example:

Site 1 - 192.168.2.1/30

Site 2 - 192.168.2.2/30

Re: Site to Site tunnel

SebastianRM — Thu, 14 Mar 2019 17:16:45 GMT

Hi Raido

Thanks for your answer

and then, when I trying to monitoring tunnel that "IP Adress" should be the same of the tunnel?

MONITOR

Profile: Failover_VPN_Tunnel

IP Adress: 192.168.2.1/30 <-

Regards!

Re: Site to Site tunnel

OtakarKlier — Thu, 14 Mar 2019 21:09:35 GMT

Correct, the monitor IP will the the IP that the PAN will ping on the other side of the tunnel to verify that it is up.

Re: Site to Site tunnel

SebastianRM — Fri, 15 Mar 2019 02:01:06 GMT

Hi Otakar

So can it be any IP on the other side of the tunnel or should it be the IP that is assigned to the tunnel interface on the other side?.

regards

Re: Site to Site tunnel

Raido_Rattameister — Fri, 15 Mar 2019 03:35:45 GMT

It can be any IP.

Re: Site to Site tunnel

OtakarKlier — Fri, 15 Mar 2019 14:37:26 GMT

Hello,

While it can be any IP. I always recommend you use one that is as close to the VPN endpoint as possible. So yes I would recommend the Tunnel IP.

reason:

Lets say I have the following:

switchA --PANA--VPN--PANB--switchB

If I use switchB's IP for the PANA monitoring, if that switch goes down/reboots the tunnel will fail over.

If I use PANB's IP for PANA monitoring, it will only fail over if the IP of PANB is not reachable.

Just my thoughts.

Re: Site to Site tunnel

SebastianRM — Fri, 15 Mar 2019 18:31:46 GMT

Hi Raido and Otakar

Thanks for your assistance, it is really useful

I have Tunnel 1 and Tunnel 2 (Backup). Both phases are OK, green, but in the main interface "Tunnel 1" the status appears in red.

I read this article:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTeCAK

Phase 1 - OK
Phase 2 - OK
Status = Red

"RED indicates that the tunnel interface is down because the tunnel monitor is enabled and the remote tunnel monitoring IP address is unreachable."

I disabled the PBF policy and Tunnel 2, but traffic continues to come out of tunnel 2, I can not understand.

Would they know what it could be?

Re: Site to Site tunnel

SebastianRM — Fri, 15 Mar 2019 18:54:54 GMT

Here comes my doubt too

Network - IPSec Tunnels

IpsecTunnel.PNG

Here I put the profile and the IP address is that of a host that is 24 hours UP on the other side.

In the PBF

Policies - PBF

PBF.PNG

Here it is necessary to place

the IP address again if I choose the profile?

In "Destination" within the PBF should I enter the network address? or the address of the Gateway?

Example:
Network: 192.168.2.0/24
Gateway: 192.168.2.1/24

I do not understand well the operation of "Negate"

Re: Site to Site tunnel

OtakarKlier — Fri, 15 Mar 2019 19:44:10 GMT

Hello,

Negate just means 'Not Equal To' so lets say you want everything to route except a specific /24 you would enter that /24 network and select negate.

The monitor is just a ping so it can be anything. The PBF is a route so it needs to be the IP of the next hop router.

If the interface is Red, then its down and something is not happy, i.e. needs to be investigated.

Hope that makes sense.

Re: Site to Site tunnel

SebastianRM — Tue, 19 Mar 2019 18:28:27 GMT

Hi Otakar,

Thanks you so much for your assistance

Really it help me

its necessary the "negate" or if I don't check this happens something?

Thanks for the PBF, then I'll put the IP of the next router there.

Re: Site to Site tunnel

OtakarKlier — Wed, 20 Mar 2019 20:43:38 GMT

Hello,

So the Negate translates to "not equal to'. Let ssay you have 192.168.0.0/16 on your internal network. Now lets say you want all traffic 'except' a certain subnet(s). This is where you would use negate so that the rule is 'cleaner'

example:

i dont want the policy to apply to the following subnets: 192.168.199.0/24 and 192.168.66.0/25.

If you were to apply a 'Permit' policy you would have to list out all the subnets except those you dont want. So instead you use the Negate.

What this does is allows all subnets 'Except' the ones listed.

Hope that makes sense.