About SebastianRM

Hi Otakar,   Thanks you so much for your assistance Really it help me   its necessary the "negate" or if I don't check this happens something?   Thanks for the PBF, then I'll put the IP of the next router there.       ... View more

Here comes my doubt too Network - IPSec Tunnels IpsecTunnel.PNG Here I put the profile and the IP address is that of a host that is 24 hours UP on the other side. In the PBF Policies - PBF PBF.PNG Here it is necessary to place  the IP address again if I choose the profile?     In "Destination" within the PBF should I enter the network address? or the address of the Gateway? Example: Network: 192.168.2.0/24 Gateway: 192.168.2.1/24       I do not understand well the operation of "Negate" ... View more

Hi Raido and Otakar   Thanks for your assistance, it is really useful   I have Tunnel 1 and Tunnel 2 (Backup). Both phases are OK, green, but in the main interface "Tunnel 1" the status appears in red.   I read this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTeCAK Phase 1 - OK Phase 2 - OK Status = Red   "RED indicates that the tunnel interface is down because the tunnel monitor is enabled and the remote tunnel monitoring IP address is unreachable."   I disabled the PBF policy and Tunnel 2, but traffic continues to come out of tunnel 2, I can not understand.   Would they know what it could be? ... View more

Hi Otakar   So can it be any IP on the other side of the tunnel or should it be the IP that is assigned to the tunnel interface on the other side?.   regards ... View more

Hi Raido   Thanks for your answer   and then, when I trying to monitoring tunnel that "IP Adress" should be the same of the tunnel?   MONITOR Profile: Failover_VPN_Tunnel IP Adress: 192.168.2.1/30 <-    Regards! ... View more

Hi   It has emerged me a doubt.   When I configure tunnel monitoring, in the part of:   MONITOR Profile: Failover_VPN_Tunnel IP Adress: 192.168.2.4 <--- This address should be the same as that configured in the tunnel interface? Network -> Intereface - Tunnel?   Regards! ... View more

Hi Otakar.Klier   Thanks for your support!.   So in the PFB rule should I put the primary tunnel to execute this rule? It would be ... SOURCE: LAN DESTINATION / APP / SERV. 192.168.2.0/24/any/any FORWARDING Action: Forward Egress: tunnel.1 Next Hop: - MONITOR Profile: Failover_VPN_Tunnel IP Adress: 192.168.2.4 (any IP from a host at the other end) [] Disable this rule if nexthop / monitor ip is unreachable - Selected   Would this always leave the main tunnel? In case it fails, how would it reach the other? In the state of the tunnel, in the main the interface is shown in red, but it is connected at least on the east side and working correctly, what could it be?   I have 2 ISPs on both sites.   The IP addresses to configure the IKE Gateway are different from each one.   In the rule NAT_VPN_1 I placed Section "Translated Packet" Eth1 / 1 IP: (ISP1)   In the rule NAT_VPN_1_Backup I placed Section "Translated Packet" Eth1 / 2 IP: (ISP2)   Again thank you very much !!   regards ... View more

Hello Otakar.Klier   Thank you very much for your response, I would appreciate it if you could help me with the following, since I have not been able to advance When I created the PBF and I had a main and a backup tunnel, in "Source" did I have to choose the "Trust" zone (LAN) or the "VPN" zone that was created for the tunnels?   In "Static Routes" I defined as follows VR_RED_1 Destination: 192.168.2.0 (The other end network) Interface: tunnel.1 Next Hop (Here I have not placed anything, should I put the IP default gateway for the output of ISP1?)   VR_RED_1_Backup Destination: 192.168.2.0 (The other end network) Tunnel interface Next Hop (Here I have not placed anything, should I put the IP default gateway for the ISP2 output?)   Configuring IPSec Tunnel VPN_Tunnel_1 Tunnel Interface: tunnel.1 Address Type: IPv4 Type: Auto Key IKE Gateway: VPN_Tunnel_1_IKE IPSec Crypto: Default Tunnel Monitor - Destination IP: 192.168.2.4 (any host IP in the other network, this is correct or what should I put?) Profile: Failover_VPN_Tunnel   VPN_Tunnel_1_Backup Tunnel Interface: tunnel.2 Address Type: IPv4 Type: Auto Key IKE Gateway: VPN_Tunnel_1_IKE_Backup IPSec Crypto: Default Tunnel Monitor - Destination IP: 192.168.2.4 (any host IP in the other network, this is correct or what should I put?) Profile: Failover_VPN_Tunnel This may be the part that causes me the most trouble.   Tunnel interface configuration:   Tunnel.1 IP Address: (I have not placed any address, in the IKE_Gateway I refer to the interface and address of each Peer) Virtual Router: Default (It is necessary to place the previously configured? VR_RED_1) Security Zone: VPN_Zone Tunnel.2 IP Address: (I have not placed any address, in the IKE_Gateway I refer to the interface and address of each Peer) Virtual Router: Default (It is necessary to place the previously configured? VR_RED_1_Backup) Security Zone: VPN_Zone   IKE_Gateway configuration   VPN_Tunnel_1_IKE Version: IKEv1 Address Type: IPv4 Interface: Eth1 / 1 Local IP: (Local ISP) Peer Address: (Peer ISP) Pre-Shared Key: (key ****)   VPN_Tunnel_1_IKE_Backup Version: IKEv1 Address Type: IPv4 Interface: Eth1 / 2 Local IP: (Local ISP Backup) Peer Address: (Peer ISP Backup) Pre-Shared Key: (key ****)   PBF Config: Source Trust / LAN (is this correct?) Destination: 192.168.2.0/24 (Destination network) [] Negate selected Forwarding: Action: Forward Egress Interface: Tunnel.2 [ ] Monitor Profile: Failover_VPN_Tunnel IP Address: 192.168.2.4 (any IP from a host at the other end) [] Disable this rule if nexthop / monitor ip is unreachable - Selected   Thanks for everything and I apologize for the length of the message, it is that I am having problems to make this configuration and it has cost me something to understand.   Regards! ... View more