Hello,

The tunnel interface could be anything. I use rfc1918 addresses that are carved into /30's so each side of the tunnel gets one. Then I have a static route (for monitoring only) to the other sides IP.

The monitor sends pings to the IP specified to verify if it is up or down. Check out this article about dual ISP's and PBF failover.

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/policy-based-forwarding/use-case-pb...

Cheers!

Hello Otakar.Klier

Thank you very much for your response, I would appreciate it if you could help me with the following, since I have not been able to advance

When I created the PBF and I had a main and a backup tunnel, in "Source" did I have to choose the "Trust" zone (LAN) or the "VPN" zone that was created for the tunnels?

In "Static Routes" I defined as follows

VR_RED_1

Destination: 192.168.2.0 (The other end network)
Interface: tunnel.1
Next Hop (Here I have not placed anything, should I put the IP default gateway for the output of ISP1?)

VR_RED_1_Backup
Destination: 192.168.2.0 (The other end network)
Tunnel interface
Next Hop (Here I have not placed anything, should I put the IP default gateway for the ISP2 output?)

Configuring IPSec Tunnel

VPN_Tunnel_1
Tunnel Interface: tunnel.1
Address Type: IPv4
Type: Auto Key
IKE Gateway: VPN_Tunnel_1_IKE
IPSec Crypto: Default
Tunnel Monitor
- Destination IP: 192.168.2.4 (any host IP in the other network, this is correct or what should I put?)
Profile: Failover_VPN_Tunnel

VPN_Tunnel_1_Backup
Tunnel Interface: tunnel.2
Address Type: IPv4
Type: Auto Key
IKE Gateway: VPN_Tunnel_1_IKE_Backup
IPSec Crypto: Default
Tunnel Monitor
- Destination IP: 192.168.2.4 (any host IP in the other network, this is correct or what should I put?)
Profile: Failover_VPN_Tunnel

This may be the part that causes me the most trouble.

Tunnel interface configuration:

Tunnel.1
IP Address: (I have not placed any address, in the IKE_Gateway I refer to the interface and address of each Peer)
Virtual Router: Default (It is necessary to place the previously configured? VR_RED_1)
Security Zone: VPN_Zone

Tunnel.2
IP Address: (I have not placed any address, in the IKE_Gateway I refer to the interface and address of each Peer)
Virtual Router: Default (It is necessary to place the previously configured? VR_RED_1_Backup)
Security Zone: VPN_Zone

IKE_Gateway configuration

VPN_Tunnel_1_IKE
Version: IKEv1
Address Type: IPv4
Interface: Eth1 / 1
Local IP: (Local ISP)
Peer Address: (Peer ISP)
Pre-Shared Key: (key ****)

VPN_Tunnel_1_IKE_Backup
Version: IKEv1
Address Type: IPv4
Interface: Eth1 / 2
Local IP: (Local ISP Backup)
Peer Address: (Peer ISP Backup)
Pre-Shared Key: (key ****)

PBF Config:
Source Trust / LAN (is this correct?)
Destination: 192.168.2.0/24 (Destination network)
[] Negate selected
Forwarding:
Action: Forward
Egress Interface: Tunnel.2
[ ] Monitor
Profile: Failover_VPN_Tunnel
IP Address: 192.168.2.4 (any IP from a host at the other end)
[] Disable this rule if nexthop / monitor ip is unreachable - Selected

Thanks for everything and I apologize for the length of the message, it is that I am having problems to make this configuration and it has cost me something to understand.

Regards!

Hello,

I will do my best to answer. From what I have gathered you have a remote site and two ISP's at each site or only 2 isp's at the main site and one at the remote site? 

When using PBF, these are used prior to anything in the virtual router. So if you have 2  ways to get somewhere, the primary path would be your PBF with the 'Disable' option and the backup route will be the static (if you point it at a tunnel, you dont need a next hop). You should not have static for both as this will not work correctly. Also not sure if its a typo, but you have the same IP for both tunnel interfaces, they should be different? 

Hope that helps.

Hi Otakar.Klier

Thanks for your support!.

So in the PFB rule should I put the primary tunnel to execute this rule?

It would be ...

SOURCE: LAN

DESTINATION / APP / SERV. 192.168.2.0/24/any/any

FORWARDING

Action: Forward

Egress: tunnel.1

Next Hop: -

MONITOR

Profile: Failover_VPN_Tunnel

IP Adress: 192.168.2.4 (any IP from a host at the other end)

[] Disable this rule if nexthop / monitor ip is unreachable - Selected

Would this always leave the main tunnel? In case it fails, how would it reach the other? In the state of the tunnel, in the main the interface is shown in red, but it is connected at least on the east side and working correctly, what could it be?

I have 2 ISPs on both sites.

The IP addresses to configure the IKE Gateway are different from each one.

In the rule NAT_VPN_1 I placed Section "Translated Packet"

Eth1 / 1

IP: (ISP1)

In the rule NAT_VPN_1_Backup I placed Section "Translated Packet"

Eth1 / 2

IP: (ISP2)

Again thank you very much !!

regards

Hi

It has emerged me a doubt.

When I configure tunnel monitoring, in the part of:

MONITOR

Profile: Failover_VPN_Tunnel

IP Adress: 192.168.2.4 <--- This address should be the same as that configured in the tunnel interface? Network -> Intereface - Tunnel?

Regards!

Add tunnel interfaces to same subnet.

For example:

Site 1 - 192.168.2.1/30

Site 2 - 192.168.2.2/30

Hi Raido

Thanks for your answer

and then, when I trying to monitoring tunnel that "IP Adress" should be the same of the tunnel?

MONITOR

Profile: Failover_VPN_Tunnel

IP Adress: 192.168.2.1/30 <- 

Regards!

Correct, the monitor IP will the the IP that the PAN will ping on the other side of the tunnel to verify that it is up.

Hi Otakar

So can it be any IP on the other side of the tunnel or should it be the IP that is assigned to the tunnel interface on the other side?.

regards