Policy-Based IPsec VPN Failover

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Policy-Based IPsec VPN Failover

L2 Linker

Hello everyone,

I have a case, where we have configured two site-to-site VPN connections to our partner's primary and backup datacenters. Both tunnels are policy-based IPsec VPNs with Proxy-IDs configured and both use the same local/remote inner IP addresses. This is a single ISP/single virtual router environment.

 

For example this is a sample config of two Proxy-IDs in one tunnel:

  • 172.16.2.2 (real private IP) NATed to 172.29.2.2 used as local and 200.0.0.2 remote.
  • 172.16.2.3 (real private IP) NATed to 172.29.2.3 used as local and 200.0.0.3 remote.

Now exact same proxy ID configuration is present in second tunnel as well. My question is, how do we make tunnel1 preferred egress point for outgoing packet flow and how do we implement failover to tunnel2, in case tunnel1:proxyid sub-tunnels go down?

I can't use any routing solutions or tunnel monitor as it's a policy-based VPN. There are no routes regarding those remote networks and also tunnels have no IP addresses configured for themselves.


ADD: Maybe there is a mechanism in PAN-OS similar to reverse-route in IOS, that can inject routes based on proxy IDs? That could solve the problem with variable AD or metric per route injection.

Pushing zeros and ones.
15 REPLIES 15

Cyber Elite
Cyber Elite

Hello,

I would use metrics on the routes. Make the less preferred route metric 10000. This way the traffic will follow the preferred tunnel unless its down then take the less preferred tunnel.

 

Regards,

L2 Linker

Thank you for the reply. Currently I have no routes associated with these connections. That's why I was wondering if there is anything like reverse-route from Cisco world, to inject static routes from P2 selectors (ACLs in that case) that can be manipulated with metrics etc. If not, what is the correct way to apply a static route over policy-based tunnel in PAN-OS? As tunnel itself has no IP address, I assume egress interface should be used as a next hop. Each configured Proxy ID is represented as a sub-tunnel with naming of IPsec_Tunnel_Name:ProxyID_Name, that is not visible in PAN-OS web management. Can static routes be pointed to just an "outer" IPsec tunnel name?

Pushing zeros and ones.

L2 Linker

You must redirect IPSec traffic throught to tunnel with staticly or PBF metod. Static routing with different metrics should be work.

But if you want to use PBF with tunnel monitor profile which monitoring remote Phase-2 site IP, you should use different zone between IPSec tunnels.

 

Check this kb for dual redundant IPSec,

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO

Hello,

You will need routes to send traffic down the tunnel.

Regards,

L2 Linker

Thank you for your input.

 

I've added static routes and traffic flows correctly. Looks like once static route points to tunnel interface associated with policy based IPsec tunnel, then traffic correctly flows through appropriate proxy ID sub-tunnels based on destination prefix. ICMP is successful and packet encaps/decaps increase accordingly.

 

However my problem with failover still persists. If primary IPsec tunnel goes down, static routes are not withdrawn from routing table and traffic effectively gets blackholed. Since "outer" associated tunnel has no IP address, I'm unable to configure tunnel monitoring or path monitoring for static routes. There is no source IP address available to source ICMP from.

Pushing zeros and ones.

I am also facing this exact issue. were you able to resolve it?

I am also facing this exact issue. were you able to resolve it?

Cyber Elite
Cyber Elite

Hello,

Have you tried to use policy based forwarding or weighted routes?

Regards,

L4 Transporter

We just setup the same sort of thing on two IPSEC tunnels into Azure and used TUNNEL MONITOR after assigning IP addresses to the tunnels so we could evaluate their state. Is there any reason you can't put IP addresses on the tunnel? (I should add when we had one IPSEC tunnel we did NOT the IP addresses assigned or tunnel monitor in use so this was needed.)

 

Additonal routes for the tunnels were also necessary and as others mentioned with the metric higher on one than another tunnel.

L2 Linker

I do have tunnel interface ip assigned. When I do 2 static routes, A with higher metric and B with lower, when A fails, it doesn't automatically go to B and still tries to send traffic via A 

L4 Transporter

Do you have tunnel monitoring on? I think that might be the behavior without it where it may not know NOT to send the tunnel traffic that direction on the downed link.

I did have tunnel monitoring, but when I connect it to the tunnel, I see tunnel interface status go down

Cyber Elite
Cyber Elite

Hello,

How are your routes setup, static? If yes, do you have 'Path Monitoring' enabled and setup? This is what would remove the route from the routing table, not the tunnel monitor, etc.

 

Failure Condition
Select the condition under which the firewall considers the monitored path down and thus the static route down:

Any—If any one of the monitored destinations for the static route is unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.

All—If all of the monitored destinations for the static route are unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.
Select All to avoid the possibility of a single monitored destination signaling a static route failure when that monitored destination is simply offline for maintenance, for example.

 

Regards,

L2 Linker

, static routes are setup. i'll check and configure that. How would I go about setting traffic to go thru both tunnels

  • 8309 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!