Site to Site tunnel

L2 Linker

Site to Site tunnel

Hello

I have a question about the configuration of the IPsec tunnel. In the article, when the tunnel interface is created, it says:

"(Optional) If you want to assign an IPv4 address to the tunnel interface, select the IPv4 tab, and Add the IP address and network mask, for example 10.31.32.1/32."

That "Optional" address, what should it be? One from my network? Any one?

I also wanted to ask about the monitor profile: once it is created so that I know whether the tunnel is UP or DOWN, and I select "failover", how should the PBF rule be configured with the other ISP? I want the tunnel to be UP and to fail over in case the primary one no longer responds.

Could someone explain this to me?

Thank you!

L7 Applicator

Re: Site to Site tunnel

Hello,

The tunnel interface address could be anything. I use RFC 1918 addresses that are carved into /30s so each side of the tunnel gets one. Then I have a static route (for monitoring only) to the other side's IP.

The monitor sends pings to the IP specified to verify if it is up or down. Check out this article about dual ISPs and PBF failover.

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/policy-based-forwarding/use-case-pb...

Cheers!

L2 Linker

Re: Site to Site tunnel

Hello Otakar.Klier

Thank you very much for your response. I would appreciate it if you could help me with the following, since I have not been able to make progress.

When I created the PBF and had a main and a backup tunnel, in "Source" did I have to choose the "Trust" zone (LAN) or the "VPN" zone that was created for the tunnels?

In "Static Routes" I defined the following:

VR_RED_1

Destination: 192.168.2.0 (the network at the other end)
Interface: tunnel.1
Next Hop: (here I have not put anything; should I put the IP of the default gateway for the ISP1 output?)

VR_RED_1_Backup
Destination: 192.168.2.0 (the network at the other end)
Tunnel interface
Next Hop: (here I have not put anything; should I put the IP of the default gateway for the ISP2 output?)

Configuring IPSec Tunnel

VPN_Tunnel_1
Tunnel Interface: tunnel.1
Address Type: IPv4
Type: Auto Key
IKE Gateway: VPN_Tunnel_1_IKE
IPSec Crypto: Default
Tunnel Monitor
- Destination IP: 192.168.2.4 (any host IP in the other network; is this correct, or what should I put?)
Profile: Failover_VPN_Tunnel

VPN_Tunnel_1_Backup
Tunnel Interface: tunnel.2
Address Type: IPv4
Type: Auto Key
IKE Gateway: VPN_Tunnel_1_IKE_Backup
IPSec Crypto: Default
Tunnel Monitor
- Destination IP: 192.168.2.4 (any host IP in the other network; is this correct, or what should I put?)
Profile: Failover_VPN_Tunnel

This may be the part that causes me the most trouble.

Tunnel interface configuration:

Tunnel.1
IP Address: (I have not put any address; in the IKE_Gateway I refer to the interface and address of each peer)
Virtual Router: Default (is it necessary to put the previously configured VR_RED_1?)
Security Zone: VPN_Zone

Tunnel.2
IP Address: (I have not put any address; in the IKE_Gateway I refer to the interface and address of each peer)
Virtual Router: Default (is it necessary to put the previously configured VR_RED_1_Backup?)
Security Zone: VPN_Zone

IKE_Gateway configuration

VPN_Tunnel_1_IKE
Version: IKEv1
Address Type: IPv4
Interface: Eth1/1
Local IP: (Local ISP)
Peer Address: (Peer ISP)
Pre-Shared Key: (key ****)

VPN_Tunnel_1_IKE_Backup
Version: IKEv1
Address Type: IPv4
Interface: Eth1/2
Local IP: (Local ISP Backup)
Peer Address: (Peer ISP Backup)
Pre-Shared Key: (key ****)

PBF Config:
Source: Trust / LAN (is this correct?)
Destination: 192.168.2.0/24 (destination network)
[ ] Negate selected
Forwarding:
Action: Forward
Egress Interface: Tunnel.2
[ ] Monitor
Profile: Failover_VPN_Tunnel
IP Address: 192.168.2.4 (any IP from a host at the other end)
[x] Disable this rule if nexthop / monitor ip is unreachable - Selected

Thanks for everything, and I apologize for the length of the message; I am having problems getting this configuration to work and it has taken me some effort to understand it.

Regards!

L7 Applicator

Re: Site to Site tunnel

Hello,

I will do my best to answer. From what I have gathered, you have a remote site and two ISPs at each site, or only 2 ISPs at the main site and one at the remote site?

When using PBF, these are used prior to anything in the virtual router. So if you have 2 ways to get somewhere, the primary path would be your PBF with the 'Disable' option and the backup route will be the static (if you point it at a tunnel, you don't need a next hop). You should not have a static for both as this will not work correctly. Also, not sure if it's a typo, but you have the same IP for both tunnel interfaces; they should be different?

Hope that helps.

L2 Linker

Re: Site to Site tunnel

Hi Otakar.Klier

Thanks for your support!

So in the PBF rule should I put the primary tunnel to execute this rule?

It would be ...

SOURCE: LAN

DESTINATION / APP / SERV.: 192.168.2.0/24 / any / any

FORWARDING

Action: Forward

Egress: tunnel.1

Next Hop: -

MONITOR

Profile: Failover_VPN_Tunnel

IP Address: 192.168.2.4 (any IP from a host at the other end)

[x] Disable this rule if nexthop / monitor ip is unreachable - Selected

Would this always leave through the main tunnel? In case it fails, how would it reach the other one? In the tunnel status, the main interface is shown in red, but it is connected at least on the east side and working correctly; what could it be?

I have 2 ISPs on both sites.

The IP addresses to configure the IKE Gateway are different for each one.

In the rule NAT_VPN_1 I set, in the "Translated Packet" section:

Eth1/1

IP: (ISP1)

In the rule NAT_VPN_1_Backup I set, in the "Translated Packet" section:

Eth1/2

IP: (ISP2)

Again, thank you very much!!

Regards

L2 Linker

Re: Site to Site tunnel

Hi

A doubt has come up.

When I configure tunnel monitoring, in the part:

MONITOR

Profile: Failover_VPN_Tunnel

IP Address: 192.168.2.4 <--- Should this address be the same as the one configured on the tunnel interface? Network -> Interface - Tunnel?

Regards!

L7 Applicator

Re: Site to Site tunnel

Add tunnel interfaces to same subnet.

For example:

Site 1 - 192.168.2.1/30

Site 2 - 192.168.2.2/30

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI

L2 Linker

Re: Site to Site tunnel

Hi Raido

Thanks for your answer.

And then, when I try to monitor the tunnel, should that "IP Address" be the same as the tunnel's?

MONITOR

Profile: Failover_VPN_Tunnel

IP Address: 192.168.2.1/30 <-

Regards!

L7 Applicator

Re: Site to Site tunnel

Correct, the monitor IP will be the IP that the PAN will ping on the other side of the tunnel to verify that it is up.
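A small model of the failover behaviour described in the replies above (PBF is consulted before the virtual router, the rule is disabled when its monitor target stops answering, and the static route pointing at the backup tunnel takes over), with tunnel addresses carved from a /30 so the far end of the /30 is the monitor target. This is an added example for this thread, not PAN-OS code or configuration; the 10.31.32.x tunnel addresses, the "Trust" zone name and the rule objects are constructed.

```python
import ipaddress
from dataclasses import dataclass

def tunnel_addresses(local_cidr):
    """Split a /30 tunnel subnet into (local, remote) host addresses; a /30
    has exactly two usable hosts, one per end, and the remote one is the
    natural tunnel-monitor target."""
    iface = ipaddress.ip_interface(local_cidr)
    if iface.network.prefixlen != 30:
        raise ValueError("use a /30 so each side of the tunnel gets one address")
    first, second = iface.network.hosts()
    remote = second if iface.ip == first else first
    return str(iface.ip), str(remote)

@dataclass
class PbfRule:
    src_zone: str
    dst_net: str
    egress: str                  # a tunnel interface, so no next hop is needed
    monitor_ip: str              # far-side address the firewall pings
    disable_if_unreachable: bool = True

@dataclass
class StaticRoute:
    dst_net: str
    interface: str               # backup tunnel, again with no next hop

def select_egress(src_zone, dst_ip, rules, routes, reachable):
    """Return the interface a packet leaves on. PBF rules are consulted before
    the virtual router; a rule whose monitor target is unreachable and has
    'disable if unreachable' set is skipped, so the packet falls through to
    the static route that points at the backup tunnel."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.src_zone != src_zone or dst not in ipaddress.ip_network(r.dst_net):
            continue
        if r.disable_if_unreachable and not reachable.get(r.monitor_ip, False):
            continue
        return r.egress
    for s in routes:
        if dst in ipaddress.ip_network(s.dst_net):
            return s.interface
    return None

# Constructed values: tunnel.1 is 10.31.32.1/30 on this side, so the far end is .2;
# the LAN behind the peer is 192.168.2.0/24 as in the thread.
LOCAL_T1, REMOTE_T1 = tunnel_addresses("10.31.32.1/30")
RULES = [PbfRule("Trust", "192.168.2.0/24", "tunnel.1", REMOTE_T1)]
ROUTES = [StaticRoute("192.168.2.0/24", "tunnel.2")]
```

With the monitor target answering, traffic from Trust to 192.168.2.0/24 leaves on tunnel.1; once it stops answering, the same lookup returns tunnel.2 from the static route.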

L2 Linker

Re: Site to Site tunnel

Hi Otakar

So can it be any IP on the other side of the tunnel, or should it be the IP that is assigned to the tunnel interface on the other side?

Regards
