11-16-2023 01:10 AM
Hi guys, hope this is a quick one,
I have 2 ISPs and want to use 1 for the site-to-site tunnels and 1 for the user internet.
I have created 2 interfaces for the 2 ISPs:
interface 1/1 with 2.2.2.2, next hop 2.2.2.1 (ISP for internet access and some site to site)
interface 1/2 with 3.3.3.3, next hop 3.3.3.1 (only for some site to site; they only allow these IPs)
Created a virtual router called VR1
route for 0.0.0.0 next hop 2.2.2.1 metric 10
route for 0.0.0.0 next hop 3.3.3.1 metric 10
I have NAT rules for both ISPs.
It's letting me select site to site with each ISP, and internet works on the primary.
Not tested in the live environment; it might not work. Or is there a better way to do this?
Thank you.
11-16-2023 02:45 AM
Hi @din100,
The easiest way to accomplish your goal is to use a default route to 2.2.2.1 and host routes (/32) to 3.3.3.1 for each VPN peer. Routing to each IPsec tunnel interface (static or dynamic) will ensure the tunneled traffic is routed correctly.
You mentioned that the IPsec peers only accept the 1 IP address. So, you do not have to plan for IPsec redundancy. If you want redundancy for Internet traffic, you could follow this guide: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO
Thanks,
Tom
11-16-2023 02:38 AM
I can't seem to edit it: the route for 0.0.0.0 next hop 3.3.3.1 is metric 20, not 10 as I posted above.
11-16-2023 03:20 AM
OK, so you are saying remove the route for 0.0.0.0 next hop 3.3.3.1 metric 20
and add each VPN peer, like 7.7.7.7, with next hop 3.3.3.1.
Nice, I will try it.
11-16-2023 04:27 AM
Yes! Add each VPN peer host route like your example.
You can keep the 2nd default route with the higher metric. It will be used if the link goes down. You can also add path monitoring which will allow failover if the ISP has connectivity problems. My path monitoring configuration is different than the URL I posted. I do not ping the ISP gateway because occasionally the gateway can remain up when the Internet is down. I ping 2 public IP addresses and set the failure condition to all.
Thanks,
Tom
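As an added illustration (not part of the thread, and a simplified model rather than PAN-OS's own forwarding logic), the following shows how the table Tom describes behaves: the /32 host route always wins for the VPN peer, the metric-20 default is used only once the ISP1 default is withdrawn, and a failure condition of "all" tolerates a single lost probe. The probe results and the 8.8.8.8 internet destination are constructed sample values.

```python
# Added example: a small model of the thread's routing table and PAN-OS-style static
# route path monitoring. Illustrative code, not PAN-OS's own forwarding implementation.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Route:
    prefix: str                      # "0.0.0.0/0" (default) or "7.7.7.7/32" (VPN peer host route)
    next_hop: str
    metric: int
    probes: list = field(default_factory=list)  # path-monitor results, True = destination reachable
    failure_condition: str = "all"   # "all": withdraw only when every probe fails; "any": when one fails

    def active(self) -> bool:
        """Unmonitored routes are always active; monitored ones are withdrawn on the failure condition."""
        if not self.probes:
            return True
        failed = [not ok for ok in self.probes]
        return not (all(failed) if self.failure_condition == "all" else any(failed))

def lookup(table, dst):
    """Return the next hop for dst: longest prefix wins, then lowest metric, among active routes."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if r.active() and addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))
    return best.next_hop

def build_table(isp1_probes, failure_condition="all"):
    """The table Tom suggested. isp1_probes are constructed results for the two public IPs
    monitored on the ISP1 default route (Tom pings two public addresses, failure condition 'all')."""
    return [
        Route("0.0.0.0/0", "2.2.2.1", 10, list(isp1_probes), failure_condition),  # ISP1, primary default
        Route("0.0.0.0/0", "3.3.3.1", 20),                                      # ISP2, backup default
        Route("7.7.7.7/32", "3.3.3.1", 10),  # VPN peer host route: always out ISP2, the IP the peer allows
    ]

if __name__ == "__main__":
    healthy = build_table([True, True])
    print("internet ->", lookup(healthy, "8.8.8.8"))          # 2.2.2.1 (primary default)
    print("VPN peer ->", lookup(healthy, "7.7.7.7"))          # 3.3.3.1 (/32 beats both defaults)
    one_down = build_table([True, False])
    print("one probe lost ->", lookup(one_down, "8.8.8.8"))   # still 2.2.2.1 with condition 'all'
    isp1_down = build_table([False, False])
    print("ISP1 down ->", lookup(isp1_down, "8.8.8.8"))       # 3.3.3.1 (backup default, metric 20)
```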
11-16-2023 05:16 AM
Good point, our ISP gateway is inside our building :D. I will change it to Google/Cloudflare DNS IPs. Thank you so much for your help.
11-24-2023 03:17 AM
Thank you again Tom, all worked like clockwork.