This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Policy-Based IPsec VPN Failover

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Policy-Based IPsec VPN Failover

igobejishvili
L2 Linker

‎07-26-2022 01:40 AM - edited ‎07-26-2022 02:17 AM

Hello everyone,

I have a case, where we have configured two site-to-site VPN connections to our partner's primary and backup datacenters. Both tunnels are policy-based IPsec VPNs with Proxy-IDs configured and both use the same local/remote inner IP addresses. This is a single ISP/single virtual router environment.

 

For example this is a sample config of two Proxy-IDs in one tunnel:

  • 172.16.2.2 (real private IP) NATed to 172.29.2.2 used as local and 200.0.0.2 remote.
  • 172.16.2.3 (real private IP) NATed to 172.29.2.3 used as local and 200.0.0.3 remote.

Now exact same proxy ID configuration is present in second tunnel as well. My question is, how do we make tunnel1 preferred egress point for outgoing packet flow and how do we implement failover to tunnel2, in case tunnel1:proxyid sub-tunnels go down?

I can't use any routing solutions or tunnel monitor as it's a policy-based VPN. There are no routes regarding those remote networks and also tunnels have no IP addresses configured for themselves.


ADD: Maybe there is a mechanism in PAN-OS similar to reverse-route in IOS, that can inject routes based on proxy IDs? That could solve the problem with variable AD or metric per route injection.

Pushing zeros and ones.
0 Likes Likes
5 REPLIES 5

OtakarKlier
Cyber Elite
Cyber Elite

‎07-27-2022 10:57 AM

Hello,

I would use metrics on the routes. Make the less preferred route metric 10000. This way the traffic will follow the preferred tunnel unless its down then take the less preferred tunnel.

 

Regards,

0 Likes Likes

igobejishvili
L2 Linker

‎07-29-2022 12:43 AM

Thank you for the reply. Currently I have no routes associated with these connections. That's why I was wondering if there is anything like reverse-route from Cisco world, to inject static routes from P2 selectors (ACLs in that case) that can be manipulated with metrics etc. If not, what is the correct way to apply a static route over policy-based tunnel in PAN-OS? As tunnel itself has no IP address, I assume egress interface should be used as a next hop. Each configured Proxy ID is represented as a sub-tunnel with naming of IPsec_Tunnel_Name:ProxyID_Name, that is not visible in PAN-OS web management. Can static routes be pointed to just an "outer" IPsec tunnel name?

Pushing zeros and ones.
0 Likes Likes

YEmreSeven
L2 Linker

‎07-29-2022 02:45 AM

You must redirect IPSec traffic throught to tunnel with staticly or PBF metod. Static routing with different metrics should be work.

But if you want to use PBF with tunnel monitor profile which monitoring remote Phase-2 site IP, you should use different zone between IPSec tunnels.

 

Check this kb for dual redundant IPSec,

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO

(1)

OtakarKlier
Cyber Elite
Cyber Elite
In response to igobejishvili

‎07-29-2022 11:32 AM

Hello,

You will need routes to send traffic down the tunnel.

Regards,

0 Likes Likes

igobejishvili
L2 Linker

‎08-02-2022 03:14 AM

Thank you for your input.

 

I've added static routes and traffic flows correctly. Looks like once static route points to tunnel interface associated with policy based IPsec tunnel, then traffic correctly flows through appropriate proxy ID sub-tunnels based on destination prefix. ICMP is successful and packet encaps/decaps increase accordingly.

 

However my problem with failover still persists. If primary IPsec tunnel goes down, static routes are not withdrawn from routing table and traffic effectively gets blackholed. Since "outer" associated tunnel has no IP address, I'm unable to configure tunnel monitoring or path monitoring for static routes. There is no source IP address available to source ICMP from.

Pushing zeros and ones.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks