Failover IPsec VPN with Dual ISP

L1 Bithead

There are several resources available for Dual ISP with Failover VPN on the Live Community, such as https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi... . But there is still a lack of some information in the documents, for example the partner IP address for the VPN tunnel and the IP Monitor on the VPN tunnel (I don't know where this IP address is taken from). If someone can provide more details on this deployment scenario, it would be easier to understand.

Thanks,

L7 Applicator

I've deleted your duplicate post.

Here's another good resource for VPN configurations:

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-VPN/ta-p/68931

- The tunnel IP should be negotiated with your remote contact person (or chosen by yourself if you are in control of both endpoints). It is preferably chosen from a subnet that is not in either side's local subnets, so there is no overlap (e.g. site A uses 192.168.0.0, site B uses 172.16.0.0, so it is good to use 10.0.0.0 for the tunnels).

- IP Monitor:

  • The PBF monitor needs to be an IP with your ISP (the upstream router, for example) so PBF can fail if the connection breaks.
  • The tunnel monitor is preferably the above-mentioned negotiated tunnel IP.

- Partner IP: I suppose you mean peer IP? This is assigned by the remote ISP and you will need to find that out.

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? Check out amazon.com/dp/1789956374
L1 Bithead

Hi Community Team,

What I want to know is this: I have two Internet connections, and I configure an IPsec site-to-site VPN to another location over one Internet connection. ISP1 is the primary link for the VPN connection to the branch office location; in case the ISP1 Internet connection goes down, the VPN has to come up over the Internet connection on ISP1 to the same branch location.

Please see the diagram for details.

Thanks,

VPN_Sample.png

Cyber Elite

Hello,

I do this quite a bit and the following works well for me. Set up both tunnels to the router at 3.3.3.3 from each of your PANs. Then I set up OSPF between the three firewalls/routers: PAN 1.1.1.1 would have default costs and 2.2.2.2 would have slightly higher costs, say 50. Static routes work as well! Then I create a policy-based routing (PBF) rule that sends the traffic down the preferred ISP, ISP1, with a monitor, and check the box that says 'Disable this rule if the nexthop/monitor IP is unreachable'. PBFs take effect prior to the Virtual Router rules.

There usually is a few seconds' delay in failover, but it works every time.

Please let me know if you need additional details.

Cheers!

L1 Bithead

Great response. I have some questions about the tunnel monitor. What is the IP address that needs to be monitored? Do I need to assign an IP address to the tunnel interface? If I need to assign an IP address to the tunnel interface, do I need to configure the IP address of the tunnel interface in the proxy ID?

Cyber Elite

Hello,

As for the tunnel monitor I do the following:

Use an IP on the far side of the tunnel that will always be up but has little importance, maybe a loopback interface on the far side. The reason is that I have a static route that forces the PAN to route that IP over ISP1. That way, if it goes down, it's not a huge factor from the viewpoint of the subnet behind the PAN.

While you don't need to assign an IP to the tunnel interface, I usually do for troubleshooting. A traceroute will show the tunnel IP, so I know from that IP whether the traffic went over ISP1 or ISP2.

Proxy IDs are used if device 3.3.3.3 cannot perform route-based VPNs.

https://live.paloaltonetworks.com/t5/Learning-Articles/Proxy-ID-for-VPNs-Between-Palo-Alto-Networks-...

Hope this helps out.

Cheers!
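A PAN-OS `set`-style configuration that pulls the pieces from these two replies together on a single firewall with two ISP uplinks and two tunnels to the peer at 3.3.3.3: tunnel IPs for readable traceroutes, a tunnel monitor aimed at a far-side loopback, static routes with a higher metric on the ISP2 path, and a PBF rule that prefers tunnel.1 and disables itself when its monitor IP stops answering. This is an added example, not something posted in the thread, and lines starting with `##` are annotations rather than CLI input. The zone, interface, IKE gateway and profile names, the 10.0.0.0/30 and 10.0.1.0/30 tunnel subnets, the 10.255.255.1 far-side loopback and the 192.168.0.0/24 and 172.16.0.0/24 subnets are all assumed, and the keyword paths are recalled from the PAN-OS CLI, so confirm them with tab completion on the release you run.

```text
## Tunnel interfaces: IPs are optional, but they make traceroute readable
set network interface tunnel units tunnel.1 ip 10.0.0.1/30
set network interface tunnel units tunnel.1 comment "to 3.3.3.3 via ISP1"
set network interface tunnel units tunnel.2 ip 10.0.1.1/30
set network interface tunnel units tunnel.2 comment "to 3.3.3.3 via ISP2"
set network virtual-router default interface [ tunnel.1 tunnel.2 ]

## Monitor profile: withdraw the route (fail-over) instead of wait-recover
set network profiles monitor-profile VPN-MON interval 3 threshold 5 action fail-over

## One IPsec tunnel per ISP to the same peer; both monitor the far-side loopback
set network tunnel ipsec VPN-ISP1 auto-key ike-gateway IKE-ISP1
set network tunnel ipsec VPN-ISP1 tunnel-interface tunnel.1
set network tunnel ipsec VPN-ISP1 tunnel-monitor enable yes
set network tunnel ipsec VPN-ISP1 tunnel-monitor destination-ip 10.255.255.1
set network tunnel ipsec VPN-ISP1 tunnel-monitor tunnel-monitor-profile VPN-MON
set network tunnel ipsec VPN-ISP2 auto-key ike-gateway IKE-ISP2
set network tunnel ipsec VPN-ISP2 tunnel-interface tunnel.2
set network tunnel ipsec VPN-ISP2 tunnel-monitor enable yes
set network tunnel ipsec VPN-ISP2 tunnel-monitor destination-ip 10.255.255.1
set network tunnel ipsec VPN-ISP2 tunnel-monitor tunnel-monitor-profile VPN-MON
## Proxy IDs only if 3.3.3.3 is policy-based and cannot do a route-based VPN:
## set network tunnel ipsec VPN-ISP1 auto-key proxy-id BRANCH local 192.168.0.0/24 remote 172.16.0.0/24 protocol any

## Static routes: same prefixes over both tunnels, ISP2 path at a higher metric
set network virtual-router default routing-table ip static-route BRANCH-ISP1 destination 172.16.0.0/24 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route BRANCH-ISP2 destination 172.16.0.0/24 interface tunnel.2 metric 50
## The monitor loopback is forced over ISP1 first, as the reply describes
set network virtual-router default routing-table ip static-route LOOP-ISP1 destination 10.255.255.1/32 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route LOOP-ISP2 destination 10.255.255.1/32 interface tunnel.2 metric 50

## PBF: steer trust -> branch into tunnel.1; PBF is consulted before the VR,
## and the rule disables itself when the monitor IP becomes unreachable
set rulebase pbf rules PBF-BRANCH-ISP1 from zone trust
set rulebase pbf rules PBF-BRANCH-ISP1 source 192.168.0.0/24
set rulebase pbf rules PBF-BRANCH-ISP1 destination 172.16.0.0/24
set rulebase pbf rules PBF-BRANCH-ISP1 application any
set rulebase pbf rules PBF-BRANCH-ISP1 service any
set rulebase pbf rules PBF-BRANCH-ISP1 action forward egress-interface tunnel.1
set rulebase pbf rules PBF-BRANCH-ISP1 action forward monitor profile VPN-MON
set rulebase pbf rules PBF-BRANCH-ISP1 action forward monitor disable-if-unreachable yes
set rulebase pbf rules PBF-BRANCH-ISP1 action forward monitor ip-address 10.255.255.1
```

When the PBF rule disables itself, traffic falls through to the virtual router, where the tunnel monitor's fail-over action has already withdrawn the metric-10 routes, so the metric-50 routes over tunnel.2 carry the branch traffic until tunnel.1 recovers.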
