topic Re: Site to site tunnel routing issue in General Topics

Site to site tunnel routing issue

Joshan_Lakhani — Wed, 08 Jul 2020 18:44:13 GMT

I have 2 ISP. My site to site VPN is configured at on 1/10 (ISP A).I want to move my all vpn to other isp1/9(ISPB). Once i change is interface from ike gateway and add the virtual route toward (ISP B) tunnel is up but traffic is not passing through tunnel.when i ping from my PC toward destination ip traffic is still passing via (ISP A). When i check the route i found that destination ip goes from both virtual route old and NEW VR. As i have given my all traffic from inside route like 0.0.0.0--> ISP A NEXT hop. So i have configure the PBF for destination ip but still traffic passing via default IP address for ISP A. Is it behavior of paloalto please suggest.

Re: Site to site tunnel routing issue

BPry — Wed, 08 Jul 2020 19:35:34 GMT

@Joshan_Lakhani,

PBF doesn't work for anything originating/terminating on the firewall itself. You'll need to pass the traffic to your new VR through your route table and setup proper routing.

Re: Site to site tunnel routing issue

Joshan_Lakhani — Wed, 08 Jul 2020 19:58:46 GMT

thanks for reply

As my First VR configure like this 0.0.0.0/0 traffic toward ISP 1 nexthop.interface 1/10 (matric 10)

and back link configure like my NEW VR like 0.0.0.0/0 traffic toward ISP 2 NEXT hop interface 1/9 (matric 10)

As i have remove the tunnel route from FIrst VR and configure to New VR. When i see the traffic now traffic is passing from both VR.

Here Tunnel 105 is configured on interface 1/9

Re: Site to site tunnel routing issue

Retired Member — Thu, 09 Jul 2020 08:24:16 GMT

Hi @Joshan_Lakhani,

As I understood: two ISPs, two VRs. After you moved IKE Gateway from interface connecting to ISP A to interface connecting to ISP B the VPN Tunnel is "up" (SAs between peers are successfully negotiated) however traffic FROM your internal network TO remote network "behind" the VPN Tunnel is not passing through to the remote site.

I assume the Virtual Router "VR ADSL1 Internet VPN and LAN" (from the screenshot you provided) is the one to which "my PC" from your first post is connected to.

The beauty in design of Virtual Routers is that they are separated. Every one has its own routing table. Routing lookup you are doing are per-VR, not device-level. Traffic from your PC will "arrive" and use the routes present in the "VR ADSL1 Internet VPN and LAN"; as there is no specific route for the network behind the VPN route toward ISP, the default one, will be used to forward those packets.

You have to "push" the packets from "VR ADSL1 Internet VPN and LAN" to "VR for New ADSL" and from there - to the tunnel. Easiest solution to do so would be to add static route in the "VR ADSL1 Internet VPN and LAN" to

192.168.12.17/32 (or whatever the remote network behind tunnel is) with Next Hop - Next VR "VR for New ADSL".

PBF you mentioned is also an option - you would have to define a PBF Rule for Destination 192.168.12.17/32 (or whatever the remote network behind tunnel is) with egress interface tunnel.105 (basing on your screenshot).

I must mention that egress interface used in PBF Rule must have an IP address (does not matter what address, it is not actively used, any valid will do).

Personally I like to create three VRs for such a setup - one per ISP and one for Internal LAN then do traffic steering with PBF or static routes, where needed.

Re: Site to site tunnel routing issue

Joshan_Lakhani — Thu, 09 Jul 2020 10:34:54 GMT

thanks for reply

As i have configure two separate VR. One for ADSL Link and one for DHCP ISP. As i have add the static route for 192.168.12.17 towards DHCP(192.168.0.1) link in new VR but site traffic is passing from both VR. we have also changed the Matrices of the tunnel as well as for 1/9(ISPB) for a specific route but still the same.Traffic is passing from ADSL due to default route is configured on ADSL So, all the interface as well internet traffic is passing via ISP1 A.we have configure PBF for ISPB is this link is DHCP as the next hop is changed so we have configure as none, but still passing from ADSL Link.Please suggest

Re: Site to site tunnel routing issue

Retired Member — Thu, 09 Jul 2020 11:06:47 GMT

@Joshan_Lakhani,

I think you misunderstood me.

If "192.168.12.17" is the IP address behind the VPN tunnel, traffic inside the tunnel, not the IKE Peer (looks that way) then you have to direct it into the tunnel interface assigned to the tunnel (tunnel.109, I presume).

You have to direct the traffic to be tunneled through the VPN Tunnel into the tunnel interface or it will not be, err..., tunneled.

"As i have add the static route for 192.168.12.17 towards DHCP(192.168.0.1) link" - this is an error, will not work.

Re: Site to site tunnel routing issue

Joshan_Lakhani — Thu, 09 Jul 2020 13:15:43 GMT

thanks for you reply

As i found this KB

PBF does not function for IPSec Tunnel traffic to the Palo Alto Networks firewall.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbDCAS

Re: Site to site tunnel routing issue

Retired Member — Thu, 09 Jul 2020 13:32:17 GMT

@Joshan_Lakhani,

"PBF does not function for IPSec Tunnel traffic to the Palo Alto Networks firewall." - yes, but from what you wrote thus far it seems that it is not relevant to your situation because you are working on passing traffic from/through Palo Alto Networks firewall.

Also in mentioned KB:

"The PBF will only work for the traffic sourced from a machine behind the firewall and not for the traffic sourced from the firewall.".

Maybe a drawing of the topology...?

Re: Site to site tunnel routing issue

OtakarKlier — Thu, 09 Jul 2020 19:41:56 GMT

Hello,

I prefer to use 1 VR and OSPF to trade route information. If I have two paths, I just weigh the less desirable one heavier so its not used unless the other one is not available.

Regards,

Re: Site to site tunnel routing issue

Retired Member — Thu, 09 Jul 2020 20:46:09 GMT

@OtakarKlier,

In the 1 VR environment you lose a bit from the dual-ISP setup - precisely tying the PA-originating packets to the interface-ISP pair.

My most-loved is the 3 VRs setup with EBGP - most control and granularity, especially if VPN is setup with 3-rd Party 😉