Site to Site VPN with dual ISP

L1 Bithead
I have set up my PA-2020 with dual ISP: PrimaryISP using PBF with monitor, and BackupISP set up with a static route for 0.0.0.0/0.

My issue is that my site-to-site VPN stops because of a timeout. I noticed that the VPN config uses my main virtual router. Since my dual ISP routing is controlled by the PBF, the VPN connection can't see the gateway.

Is there any way to fix this?

-thanks

L4 Transporter

Hi,

You can create an exception in the PBF rule base for your site-to-site traffic. Simply create a rule at the top of the PBF policy with the destination address set to the peer IP address and with action 'No PBF'.

This will ensure the traffic takes the route configured on the Virtual Router.

- Stefan

L1 Bithead

I don't think that would work, because the issue is that the Virtual Router only has the one default gateway for 0.0.0.0/0, pointing to the BackupISP, for dual ISP failover to work. There is no route in the Virtual Router for PrimaryISP; it's inside PolicyBasedForwarding.

Right?

L4 Transporter

You are correct. There also needs to be a static host route for the peer address on the virtual router, pointing to your primary ISP.

- Stefan

L3 Networker

What is your "interface source" configured in the IKE Gateway? I have a similar problem because I cannot make the VPN use Link 2 when Link 1 fails.

Could you help me? Please explain your environment.

L4 Transporter

If the remote end is the same IP address, use this:

https://live.paloaltonetworks.com/docs/DOC-3376

If the remote site has two IP addresses, you can use the VR to route traffic out each ISP depending on the destination IP address. PBF does not apply to any traffic destined to or sourced from the PAN.

Not applicable

Is there a way to do this, and still use a PBF rule for ISP failover? That document doesn't seem to address that.

L7 Applicator

jevenson:

Yes, you can still use a PBF rule for ISP failover. I labbed this up today to work through all the failover scenarios. In this example, ethernet1/1 and ethernet1/3 were my outside interfaces. I went through the above document to get VPN with failover completely working first. Once that was working, here's what I did for Internet.

Set up 2 NAT rules for traffic leaving the trust side of the network. If it goes out eth1/1, then source-NAT to eth1/1's IP address. If it goes out eth1/3, source-NAT to eth1/3's interface address.

At this point, user traffic not destined to the VPN networks will follow VR1's default route, which is on ethernet1/1 in my lab. To override this behavior, you can set up a 2nd PBF rule that forwards Internet-bound traffic out ethernet1/3 instead. To be safe, you should exempt the remote VPN networks from this outbound Internet PBF rule. The first PBF rule covers the VPN route... but if that goes down you want traffic to the VPN net to follow the default route in VR1's routing table, not a different PBF rule.

With that in place, should the ISP connected to eth1/3 go down, this PBF rule is disabled and user internet traffic follows VR1's default route through ethernet1/1:
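A constructed model of the forwarding order the advice in this thread depends on (PBF rules evaluated top-down before the virtual router, a 'No PBF' rule plus a host route for the peer, and the VPN networks exempted from the Internet PBF rule), added here as an example and not code from any post or from PAN-OS. The interface names, the peer 203.0.113.10, the VPN network 10.20.0.0/16, the tunnel interface and the link-state dictionary are assumptions; source-zone matching and NAT are left out.

```python
import ipaddress

# Constructed lab: ethernet1/1 = PrimaryISP, ethernet1/3 = BackupISP,
# tunnel.1 = the site-to-site tunnel, 203.0.113.10 = remote VPN peer.
PEER = "203.0.113.10/32"
VPN_NETS = ["10.20.0.0/16"]

# Virtual router: host route for the peer via the primary ISP (Stefan's point),
# the remote VPN network via the tunnel, and the default route via the backup ISP.
VR_ROUTES = [(PEER, "ethernet1/1"), ("10.20.0.0/16", "tunnel.1"),
             ("0.0.0.0/0", "ethernet1/3")]

# PBF rulebase, top-down: 'No PBF' for the peer first, then the Internet rule
# that sends everything else out the primary ISP but exempts the VPN networks.
PBF_RULES = [
    {"name": "peer-no-pbf", "match": [PEER], "action": "no-pbf"},
    {"name": "internet-primary", "match": ["0.0.0.0/0"], "exempt": VPN_NETS,
     "action": "forward", "egress": "ethernet1/1", "monitored": True},
]


def _in(ip, prefixes):
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def vr_lookup(dst, routes):
    """Longest-prefix match over the virtual router's routing table."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), egress) for p, egress in routes
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def egress_for(dst, link_up, pbf_rules=PBF_RULES, routes=VR_ROUTES):
    """Interface a packet to dst leaves on; link_up maps interface -> monitor state."""
    ip = ipaddress.ip_address(dst)
    for rule in pbf_rules:
        if not _in(ip, rule["match"]) or _in(ip, rule.get("exempt", [])):
            continue
        if rule["action"] == "no-pbf":
            break                      # hand the packet to the virtual router
        if rule.get("monitored") and not link_up.get(rule["egress"], True):
            continue                   # path monitor failed: rule is disabled
        return rule["egress"]
    return vr_lookup(dst, routes)
```

Without the host route (pass a routing table holding only the default route) the peer falls to the backup ISP, which is the timeout the original post describes.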

L0 Member

Coming late to this thread, but very relevant to a current project I have...

In your example, you note that one link is used for VPN traffic while the other is used for internet traffic and backup VPN. Is your lab different if your primary internet connection is used for both internet traffic and VPN, while the second link is used for both, but only as a backup?

In our environment, I have two links

  • ISP 1 - 20Mbit fiber (primary)
  • ISP 2 - 15Mbit coaxial (backup)

I want all traffic to flow out ISP1 unless the link is down; then the VPN and internet traffic should use ISP2. The PBF is working as expected for internet traffic, but getting the VPN defined properly is giving me some fits. I'm reviewing your lab write-up now and working on implementing it in my test environment, but any thoughts you have on my scenario are appreciated.
