Failover IPsec VPN with Dual ISP

L1 Bithead

There are several resources available for Dual ISP and failover VPN on the Live community, such as https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi... . But there is still a lack of some information in the documents, for example the partner IP address for the VPN tunnel and the IP Monitor on the VPN tunnel (I don't know where this IP address is taken from). If someone can provide more details on this deployment scenario, it would be easier to understand.

Thanks,

5 REPLIES

Cyber Elite

I've deleted your duplicate post

here's another good resource for VPN configurations:

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-VPN/ta-p/68931

- The tunnel IP should be negotiated with your remote contact person (or chosen by yourself if you are in control of both endpoints): it is preferably chosen from a subnet that is not in either side's local subnets so there is no overlap (e.g. site A uses 192.168.0.0, site B uses 172.16.0.0, so it is good to use 10.0.0.0 for the tunnels)

- IP Monitor

  • the PBF monitor needs to be an IP with your ISP (upstream router for example) so PBF can fail if the connection breaks
  • tunnel monitor is preferably the abovementioned negotiated tunnel ip

- Partner IP: I suppose you mean peer IP? This is assigned by the remote ISP and you will need to find that out

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
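The non-overlap rule for the tunnel subnet above is easy to check mechanically before committing a configuration. The following is an added example, not code from the thread or from Palo Alto Networks: given each site's local subnets, it rejects any candidate tunnel subnet that overlaps either side and returns the usable /30 endpoint pair. The candidate list and subnet sizes are constructed for illustration.

```python
import ipaddress

def overlaps_any(candidate: str, subnets) -> bool:
    """True if the candidate network overlaps any of the given networks."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return any(cand.overlaps(ipaddress.ip_network(s, strict=False)) for s in subnets)

def pick_tunnel_subnet(local_subnets, candidates):
    """Return the first candidate that overlaps none of the local subnets
    on either side of the tunnel, or None if every candidate collides."""
    for cand in candidates:
        if not overlaps_any(cand, local_subnets):
            return cand
    return None

def tunnel_endpoints(subnet: str):
    """For a point-to-point /30, the two usable host addresses become the
    local and remote tunnel-interface IPs (the remote one is also the
    natural target for the tunnel monitor)."""
    hosts = list(ipaddress.ip_network(subnet, strict=False).hosts())
    if len(hosts) != 2:
        raise ValueError("expected a /30 with exactly two usable addresses")
    return str(hosts[0]), str(hosts[1])

if __name__ == "__main__":
    # Constructed inputs matching the example in the reply above:
    # site A uses 192.168.0.0/16, site B uses 172.16.0.0/12.
    local = ["192.168.0.0/16", "172.16.0.0/12"]
    candidates = ["192.168.5.0/30", "172.20.0.0/30", "10.0.0.0/30"]
    chosen = pick_tunnel_subnet(local, candidates)
    print("tunnel subnet:", chosen, "endpoints:", tunnel_endpoints(chosen))
```

The first two candidates are rejected because they fall inside site A's and site B's address space respectively; only 10.0.0.0/30 survives, giving 10.0.0.1 and 10.0.0.2 as the tunnel endpoints.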

Hi Community Team,

What I want to know is this: I have two Internet connections, and I configure an IPsec site-to-site VPN to another location with one Internet connection. ISP1 is the primary link for the VPN connection to the branch office location; in case the ISP1 Internet disconnects, the VPN has to come up with the Internet connection on ISP1 to the same branch location.

Please see the diagram for detail.

Thanks,

[Image: VPN_Sample.png]

Hello,

I do this quite a bit and the following works well for me. Set up both tunnels to the router at 3.3.3.3 from each of your PANs. Then I set up OSPF between the three firewalls/routers; PAN 1.1.1.1 would have default costs and 2.2.2.2 would have slightly higher costs, say 50. Static routes work as well! Then I create a policy-based forwarding (PBF) rule that sends the traffic down the preferred ISP, ISP1, with a monitor, and check the box that says 'Disable this rule if the nexthop/monitor ip is unreachable'. PBF rules take effect prior to the Virtual Router rules.

There usually is a few seconds' delay in failover, but it works every time.

Please let me know if you need additional details.

Cheers!

Great response. I have some questions about the tunnel monitor. What is the IP address that needs to be monitored? Do I need to assign an IP address on the tunnel interface? If I need to assign an IP address on the tunnel interface, do I need to configure the IP address of the tunnel interface in the Proxy ID?

Hello,

As for the tunnel monitor I do the following:

Use an IP on the far side of the tunnel that will always be up but has little importance, maybe a loopback interface on the far side. The reason is I have a static route that forces the PAN to route that IP over ISP1. That way if it goes down, it's not a huge factor from the viewpoint of the subnet behind the PAN.

While you don't need to assign an IP to the tunnel interface, I usually do for troubleshooting. A traceroute will show the tunnel IP, so I know from that IP whether the traffic went over ISP1 or ISP2.

Proxy IDs are used if device 3.3.3.3 cannot perform route-based VPNs.

https://live.paloaltonetworks.com/t5/Learning-Articles/Proxy-ID-for-VPNs-Between-Palo-Alto-Networks-...

Hope this helps out.

Cheers!
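The two-stage path selection described in the replies above (a PBF rule that is consulted first and disabled while its monitored IP is unreachable, then the virtual router choosing the lowest-cost route whose tunnel monitor is still up) can be modelled to see which tunnel carries branch traffic in each failure state. This is an added example, not code from the thread or from Palo Alto Networks; the branch prefix, monitor addresses, interface names and OSPF costs are constructed assumptions, with only 1.1.1.1, 2.2.2.2 and 3.3.3.3 taken from the reply.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed values: the branch prefix behind 3.3.3.3 and the far-side
# tunnel-interface IPs that the PBF and tunnel monitors probe.
BRANCH = "192.168.100.0/24"
TUNNEL1_FAR = "10.0.0.2"   # far end of tunnel.1, which leaves via ISP1 (1.1.1.1)
TUNNEL2_FAR = "10.0.1.2"   # far end of tunnel.2, which leaves via ISP2 (2.2.2.2)

@dataclass
class PbfRule:
    dst_prefix: str
    egress: str        # interface the rule forwards matching traffic to
    monitor_ip: str    # rule is disabled while this IP is unreachable

@dataclass
class Route:
    dst_prefix: str
    interface: str
    cost: int              # OSPF cost: lower is preferred
    tunnel_monitor_ip: str # far-side IP probed by the tunnel monitor

@dataclass
class Firewall:
    pbf_rules: List[PbfRule]
    routes: List[Route]
    reachable: Set[str] = field(default_factory=set)  # IPs answering probes now

    def select_path(self, dst_prefix: str) -> Optional[str]:
        # Stage 1: PBF is evaluated before the routing table, but a rule whose
        # monitor target is unreachable is treated as disabled.
        for rule in self.pbf_rules:
            if rule.dst_prefix == dst_prefix and rule.monitor_ip in self.reachable:
                return rule.egress
        # Stage 2: virtual router picks the lowest-cost route whose tunnel is up.
        live = [r for r in self.routes
                if r.dst_prefix == dst_prefix and r.tunnel_monitor_ip in self.reachable]
        if not live:
            return None
        return min(live, key=lambda r: r.cost).interface

def build_firewall() -> Firewall:
    """Hub-side firewall with both tunnels to 3.3.3.3: PBF prefers tunnel.1,
    and OSPF costs (default 10 assumed vs. 50) prefer it in the VR as well."""
    return Firewall(
        pbf_rules=[PbfRule(BRANCH, "tunnel.1", TUNNEL1_FAR)],
        routes=[Route(BRANCH, "tunnel.1", 10, TUNNEL1_FAR),
                Route(BRANCH, "tunnel.2", 50, TUNNEL2_FAR)],
    )

def simulate() -> dict:
    """Path chosen for branch traffic under three probe states."""
    fw = build_firewall()
    results = {}
    fw.reachable = {TUNNEL1_FAR, TUNNEL2_FAR}
    results["all_up"] = fw.select_path(BRANCH)
    fw.reachable = {TUNNEL2_FAR}   # ISP1 lost: probes through tunnel.1 stop answering
    results["isp1_down"] = fw.select_path(BRANCH)
    fw.reachable = set()           # both paths dead: nothing can carry the traffic
    results["all_down"] = fw.select_path(BRANCH)
    return results

if __name__ == "__main__":
    for state, path in simulate().items():
        print(f"{state:10s} -> {path}")
```

Pointing the PBF monitor at the far-side tunnel IP rather than only at the ISP1 upstream router means the rule also drops out when the tunnel itself fails while the ISP link stays up; with an upstream-router probe alone, the model would keep returning tunnel.1 in that case and traffic would be forwarded into a dead tunnel.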
