Basic S2S VPN configurations:
PA-2
1. Two tunnel interfaces, add them to VPN zone
2. With the default IKE Crypto profile and IPSec Crypto profile, add two IKE gateways to PA-3, each bound to a different local ISP interface/IP but pointing at the same peer IP.
3. Add two IPSec Tunnels with different gateways
4. Add two static routes with different Metric
PA-3
1. Two tunnel interfaces, add them to VPN zone
2. With the default IKE Crypto profile and IPSec Crypto profile, add two IKE gateways that represent PA-2's two Internet links (same local interface, one peer IP per PA-2 ISP link).
3. Add two IPSec Tunnels with different gateways
4. Add two static routes with different metrics.
5. Add Security Policy
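The build above, written out as PAN-OS configure-mode "set" commands. This is an added example, not configuration taken from the original post; the interface names, zone names, addresses (RFC 5737 documentation ranges), gateway/tunnel/rule names and the <psk> placeholder are all constructed, the "#" lines are annotations rather than CLI input, and the exact leaf syntax should be checked against your PAN-OS release since it shifts slightly between versions.

```text
## PA-2 (dual-homed: ISP1 on ethernet1/1, ISP2 on ethernet1/2; LAN 10.2.0.0/24)

# 1. Two tunnel interfaces in the VPN zone and the virtual router.
#    The /30 addresses are constructed; tunnel monitoring (see below) needs an
#    IP on the tunnel interface to source its pings from.
set network interface tunnel units tunnel.1 comment "to PA-3 via ISP1"
set network interface tunnel units tunnel.1 ip 10.255.1.1/30
set network interface tunnel units tunnel.2 comment "to PA-3 via ISP2"
set network interface tunnel units tunnel.2 ip 10.255.2.1/30
set zone VPN network layer3 [ tunnel.1 tunnel.2 ]
set network virtual-router default interface [ tunnel.1 tunnel.2 ]

# 2. Two IKE gateways with the default IKE crypto profile: different local
#    ISP interface/IP, same peer IP (PA-3's single public address).
set network ike gateway GW-PA3-ISP1 protocol version ikev2
set network ike gateway GW-PA3-ISP1 protocol ikev2 ike-crypto-profile default
set network ike gateway GW-PA3-ISP1 local-address interface ethernet1/1
set network ike gateway GW-PA3-ISP1 local-address ip 198.51.100.2/30
set network ike gateway GW-PA3-ISP1 peer-address ip 203.0.113.3
set network ike gateway GW-PA3-ISP1 authentication pre-shared-key key <psk>
set network ike gateway GW-PA3-ISP2 protocol version ikev2
set network ike gateway GW-PA3-ISP2 protocol ikev2 ike-crypto-profile default
set network ike gateway GW-PA3-ISP2 local-address interface ethernet1/2
set network ike gateway GW-PA3-ISP2 local-address ip 192.0.2.2/30
set network ike gateway GW-PA3-ISP2 peer-address ip 203.0.113.3
set network ike gateway GW-PA3-ISP2 authentication pre-shared-key key <psk>

# 3. Two IPSec tunnels, one per gateway, default IPSec crypto profile.
set network tunnel ipsec T-PA3-ISP1 auto-key ike-gateway GW-PA3-ISP1
set network tunnel ipsec T-PA3-ISP1 auto-key ipsec-crypto-profile default
set network tunnel ipsec T-PA3-ISP1 tunnel-interface tunnel.1
set network tunnel ipsec T-PA3-ISP2 auto-key ike-gateway GW-PA3-ISP2
set network tunnel ipsec T-PA3-ISP2 auto-key ipsec-crypto-profile default
set network tunnel ipsec T-PA3-ISP2 tunnel-interface tunnel.2

# 4. Two static routes to PA-3's LAN; the lower metric (via tunnel.1) wins.
set network virtual-router default routing-table ip static-route PA3-LAN-T1 destination 10.3.0.0/24 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route PA3-LAN-T2 destination 10.3.0.0/24 interface tunnel.2 metric 20

## PA-3 (single-homed on ethernet1/1 = 203.0.113.3; LAN 10.3.0.0/24)
# Same pattern as PA-2 (tunnel interfaces 10.255.1.2/30 and 10.255.2.2/30,
# tunnels T-PA2-ISP1/T-PA2-ISP2). Only the lines that differ are shown: both
# gateways share the local interface and differ in peer IP.
set network ike gateway GW-PA2-ISP1 local-address interface ethernet1/1
set network ike gateway GW-PA2-ISP1 local-address ip 203.0.113.3/29
set network ike gateway GW-PA2-ISP1 peer-address ip 198.51.100.2
set network ike gateway GW-PA2-ISP2 local-address interface ethernet1/1
set network ike gateway GW-PA2-ISP2 local-address ip 203.0.113.3/29
set network ike gateway GW-PA2-ISP2 peer-address ip 192.0.2.2
set network virtual-router default routing-table ip static-route PA2-LAN-T1 destination 10.2.0.0/24 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route PA2-LAN-T2 destination 10.2.0.0/24 interface tunnel.2 metric 20

# 5. Security policy for LAN <-> VPN traffic (PA-2 needs the mirror image).
set rulebase security rules LAN-to-VPN from LAN to VPN source 10.3.0.0/24 destination 10.2.0.0/24 source-user any category any application any service application-default action allow
set rulebase security rules VPN-to-LAN from VPN to LAN source 10.2.0.0/24 destination 10.3.0.0/24 source-user any category any application any service application-default action allow
```

Both tunnels stay up at the same time; only the route metric decides which one carries traffic, which is why failover on its own needs the route to be withdrawn (covered in the next section) rather than just the SA to die.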
===============
VPN failover
1. DPD (Dead Peer Detection) checks peer liveness, but when the peer is declared down the firewall does not withdraw the static route that points into the tunnel, so traffic keeps being sent into the dead tunnel. DPD alone therefore cannot be used for VPN failover.
It also takes about 5 minutes for the Phase 1 (IKE) and Phase 2 (IPSec) SAs to be torn down.
With IKEv2 the equivalent mechanism is the liveness check, which detects network connectivity problems between the peers:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgcCAC
2. Tunnel Monitoring
The firewall sends ICMP pings through the tunnel to the monitored destination IP. When the monitor fails, the tunnel is brought down and the static route to the remote LAN via that tunnel interface is withdrawn, so the higher-metric route via the second tunnel takes over. The static route toward the remote peer itself (the default route out of the ISP interface) stays active, though, unless the failure is a direct link-down on that interface.
Path Monitoring on the default route is therefore required to detect an indirect ISP failure (upstream outage while the local link stays up).
The monitor profile (action, interval, threshold) is configured under Network > Network Profiles > Monitor.
The monitor ping is sourced from the tunnel interface and reaches its destination through the same tunnel, so source and destination are both in the VPN zone: if intrazone-default is set to allow, no explicit security rule is required for the probe.
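The failover pieces layered on top of the base build, again as PAN-OS "set" commands. This is an added example rather than the post's own configuration: the profile, rule and route names, the probe targets and the timers are constructed, "#" lines are annotations, and the leaf syntax should be confirmed against your release. The addresses continue the ones used in the base-build example (tunnel.1 = 10.255.1.0/30, tunnel.2 = 10.255.2.0/30, ISP1 on ethernet1/1, ISP2 on ethernet1/2).

```text
# Monitor profile (Network > Network Profiles > Monitor). With action
# "fail-over" the firewall brings the tunnel down after `threshold`
# consecutive missed pings sent every `interval` seconds, which is what
# withdraws the static route bound to the tunnel interface. The default
# profile's action, "wait-recover", keeps the route and just waits.
set network profiles monitor-profile VPN-MON action fail-over interval 3 threshold 5

# Tunnel monitoring on both PA-2 tunnels. The probe is sourced from the tunnel
# interface IP and aimed at the far end's tunnel interface IP, so it can only
# succeed through that specific tunnel. PA-3 needs the mirror image
# (destination-ip 10.255.1.1 / 10.255.2.1) or it will not fail over itself.
set network tunnel ipsec T-PA3-ISP1 tunnel-monitor enable yes
set network tunnel ipsec T-PA3-ISP1 tunnel-monitor destination-ip 10.255.1.2
set network tunnel ipsec T-PA3-ISP1 tunnel-monitor tunnel-monitor-profile VPN-MON
set network tunnel ipsec T-PA3-ISP2 tunnel-monitor enable yes
set network tunnel ipsec T-PA3-ISP2 tunnel-monitor destination-ip 10.255.2.2
set network tunnel ipsec T-PA3-ISP2 tunnel-monitor tunnel-monitor-profile VPN-MON

# Probe source and destination are both in the VPN zone. With
# intrazone-default set to allow nothing else is needed; otherwise add an
# explicit intrazone rule for ping:
set rulebase security rules VPN-monitor from VPN to VPN source any destination any source-user any category any application ping service application-default action allow

# Path monitoring on PA-2's two default routes. Tunnel monitoring only
# withdraws the LAN route via the tunnel; when ISP1 fails upstream with the
# local link still up, the ISP1 default route would otherwise stay active, so
# each default route gets its own probe. The probe target must be reachable
# only beyond the ISP's first hop and must answer ICMP (public resolvers are a
# common choice; they are used here as constructed placeholders).
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 198.51.100.1 metric 10
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 path-monitor monitor-destinations ISP1-PROBE enable yes source 198.51.100.2/30 destination 1.1.1.1 interval 3 count 5
set network virtual-router default routing-table ip static-route DEFAULT-ISP2 destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 192.0.2.1 metric 20
set network virtual-router default routing-table ip static-route DEFAULT-ISP2 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route DEFAULT-ISP2 path-monitor monitor-destinations ISP2-PROBE enable yes source 192.0.2.2/30 destination 9.9.9.9 interval 3 count 5
```

Two checks worth doing before trusting this in production: pull the ISP1 cable (direct failure, caught by link state alone) and then, separately, block the ISP1 upstream while leaving the link up (indirect failure, caught only by the path monitor), and confirm in each case that both the LAN route and the default route move to the ISP2 side.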
When ISP1 is down:
PA-2: fails over to the second tunnel.
But if PA-3 does not have Tunnel Monitoring configured, it does not fail over to the second tunnel: its static route to PA-2's LAN still points at the first tunnel. Tunnel Monitoring therefore has to be configured on both ends.
Monitor status can be seen from the CLI:
Related system logs:
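The operational commands for checking monitor status and the related logs, as an added list (not the screenshots from the original post). These are standard PAN-OS operational-mode commands; the gateway and tunnel names are the constructed ones from the examples above, and the exact column layout of each output varies by release.

```text
> show vpn ike-sa                           # Phase 1 SAs, one per IKE gateway
> show vpn ipsec-sa                         # Phase 2 SAs, one per IPSec tunnel
> show vpn flow                             # one line per tunnel: state, monitor (up/down/off), local and peer IP
> show vpn flow tunnel-id 1                 # detail for one tunnel: monitor status, monitor destination, encap/decap counters
> show routing route type static            # which PA3-LAN route carries the A (active) flag after a failover
> show routing path-monitor                 # state of the default-route path monitors
> show log system direction equal backward  # newest system logs first: tunnel-monitor and path-monitor state changes, IKE/IPSec events
> test vpn ike-sa gateway GW-PA3-ISP1       # force Phase 1 (re)negotiation after the ISP recovers
> test vpn ipsec-sa tunnel T-PA3-ISP1       # force Phase 2 (re)negotiation
```

"show vpn flow" is the quickest way to see the difference between the two detection mechanisms: with DPD only, a tunnel whose peer is gone still shows as active until the SAs expire, whereas a tunnel-monitor failure flips the monitor column and the tunnel state together with the route.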