Hello
I have a question about the configuration of the ipsec tunnel, in the article when the tunnel interface is created
"Optional) If you want to assign an IPv4 address to the tunnel interface, select the IPv4 tab, and Add the IP address and network mask, for example 10.31.32.1/32."
That "Optional" address, what should it be? from my network, anyone?
I also wanted to consult once the monitor profile was created to know if the tunnel is UP or DOWN, when I select "failover". How should the PBF rule be with another ISP? I am looking for the tunnel to be UP in case the principal no longer responds and performs failover.
Could someone explain to me?
Thank you!
Solved! Go to Solution.
Hello,
The tunnel interface could be anything. I use rfc1918 addresses that are carved into /30's so each side of the tunnel gets one. Then I have a static route (for monitoring only) to the other sides IP.
The monitor sends pings to the IP specified to verify if it is up or down. Check out this article about dual ISP's and PBF failover.
Cheers!
Hello Otakar.Klier
Thank you very much for your response, I would appreciate it if you could help me with the following, since I have not been able to advance
When I created the PBF and I had a main and a backup tunnel, in "Source" did I have to choose the "Trust" zone (LAN) or the "VPN" zone that was created for the tunnels?
In "Static Routes" I defined as follows
VR_RED_1
Destination: 192.168.2.0 (The other end network)
Interface: tunnel.1
Next Hop (Here I have not placed anything, should I put the IP default gateway for the output of ISP1?)
VR_RED_1_Backup
Destination: 192.168.2.0 (The other end network)
Tunnel interface
Next Hop (Here I have not placed anything, should I put the IP default gateway for the ISP2 output?)
Configuring IPSec Tunnel
VPN_Tunnel_1
Tunnel Interface: tunnel.1
Address Type: IPv4
Type: Auto Key
IKE Gateway: VPN_Tunnel_1_IKE
IPSec Crypto: Default
Tunnel Monitor
- Destination IP: 192.168.2.4 (any host IP in the other network, this is correct or what should I put?)
Profile: Failover_VPN_Tunnel
VPN_Tunnel_1_Backup
Tunnel Interface: tunnel.2
Address Type: IPv4
Type: Auto Key
IKE Gateway: VPN_Tunnel_1_IKE_Backup
IPSec Crypto: Default
Tunnel Monitor
- Destination IP: 192.168.2.4 (any host IP in the other network, this is correct or what should I put?)
Profile: Failover_VPN_Tunnel
This may be the part that causes me the most trouble.
Tunnel interface configuration:
Tunnel.1
IP Address: (I have not placed any address, in the IKE_Gateway I refer to the interface and address of each Peer)
Virtual Router: Default (It is necessary to place the previously configured? VR_RED_1)
Security Zone: VPN_Zone
Tunnel.2
IP Address: (I have not placed any address, in the IKE_Gateway I refer to the interface and address of each Peer)
Virtual Router: Default (It is necessary to place the previously configured? VR_RED_1_Backup)
Security Zone: VPN_Zone
IKE_Gateway configuration
VPN_Tunnel_1_IKE
Version: IKEv1
Address Type: IPv4
Interface: Eth1 / 1
Local IP: (Local ISP)
Peer Address: (Peer ISP)
Pre-Shared Key: (key ****)
VPN_Tunnel_1_IKE_Backup
Version: IKEv1
Address Type: IPv4
Interface: Eth1 / 2
Local IP: (Local ISP Backup)
Peer Address: (Peer ISP Backup)
Pre-Shared Key: (key ****)
PBF Config:
Source Trust / LAN (is this correct?)
Destination: 192.168.2.0/24 (Destination network)
[] Negate selected
Forwarding:
Action: Forward
Egress Interface: Tunnel.2
[ ] Monitor
Profile: Failover_VPN_Tunnel
IP Address: 192.168.2.4 (any IP from a host at the other end)
[] Disable this rule if nexthop / monitor ip is unreachable - Selected
Thanks for everything and I apologize for the length of the message, it is that I am having problems to make this configuration and it has cost me something to understand.
Regards!
Hello,
I will do my best to answer. From what I have gathered you have a remote site and two ISP's at each site or only 2 isp's at the main site and one at the remote site?
When using PBF, these are used prior to anything in the virtual router. So if you have 2 ways to get somewhere, the primary path would be your PBF with the 'Disable' option and the backup route will be the static (if you point it at a tunnel, you dont need a next hop). You should not have static for both as this will not work correctly. Also not sure if its a typo, but you have the same IP for both tunnel interfaces, they should be different?
Hope that helps.
Hi Otakar.Klier
Thanks for your support!.
So in the PFB rule should I put the primary tunnel to execute this rule?
It would be ...
SOURCE: LAN
DESTINATION / APP / SERV. 192.168.2.0/24/any/any
FORWARDING
Action: Forward
Egress: tunnel.1
Next Hop: -
MONITOR
Profile: Failover_VPN_Tunnel
IP Adress: 192.168.2.4 (any IP from a host at the other end)
[] Disable this rule if nexthop / monitor ip is unreachable - Selected
Would this always leave the main tunnel? In case it fails, how would it reach the other? In the state of the tunnel, in the main the interface is shown in red, but it is connected at least on the east side and working correctly, what could it be?
I have 2 ISPs on both sites.
The IP addresses to configure the IKE Gateway are different from each one.
In the rule NAT_VPN_1 I placed Section "Translated Packet"
Eth1 / 1
IP: (ISP1)
In the rule NAT_VPN_1_Backup I placed Section "Translated Packet"
Eth1 / 2
IP: (ISP2)
Again thank you very much !!
regards
Hi
It has emerged me a doubt.
When I configure tunnel monitoring, in the part of:
MONITOR
Profile: Failover_VPN_Tunnel
IP Adress: 192.168.2.4 <--- This address should be the same as that configured in the tunnel interface? Network -> Intereface - Tunnel?
Regards!
Add tunnel interfaces to same subnet.
For example:
Site 1 - 192.168.2.1/30
Site 2 - 192.168.2.2/30
Hi Raido
Thanks for your answer
and then, when I trying to monitoring tunnel that "IP Adress" should be the same of the tunnel?
MONITOR
Profile: Failover_VPN_Tunnel
IP Adress: 192.168.2.1/30 <-
Regards!
Correct, the monitor IP will the the IP that the PAN will ping on the other side of the tunnel to verify that it is up.
Hi Otakar
So can it be any IP on the other side of the tunnel or should it be the IP that is assigned to the tunnel interface on the other side?.
regards
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!