Hi Seb,

 The IPSEC Tunnel is currently sourced from a Firewall inside in my network. We plan to source it from Router going forward. So, If the ISP link1 fails, the traffic would be routed via iBGP to Router 2 and the tunnel would still work.

But, what if Router 1 fails? Do I have to setup a same tunnel config in Router 2 also for it to work as backup?

Cheers

Mikey

Thanks Seb. I'll read more on the EEM scripts, and get back to you with the configs before I go ahead and implement them ;)

Cheers

Mikey

Hello again,

thinking about this a little more, is it possible to create a backup IPSec tunnel from Router2 to RemoteSite1?

On Router1 you could give the received prefixes from RemoteSite1 a higher local-preference. This means any traffic arriving on Router2 destined to RemoteSite1 would go via Router1.

In the event of Router1 failure, Router2 would already be receiving a prefix for RemoteSite1 via its own IPSec tunnel and would install it in its own routing table.

This is a preferable solution to hacking around with EEM scripts and having duplicate configuration running on different routers.

cheers,

Seb.

Hi Seb,

 Apologies for the delay in reply. I had been travelling on an other project.

In regards to your query of setting up a backup tunnel with remote destination, I doubt this would be feasible. We prefer to run this without engaging the customer end IT folks due to various factors (limited technical knowledge, lack of coordination, support etc).

Cheers

Mikey

Hello again.

I don't believe it is possible to have an HSRP vIP as a tunnel endpoint. I've never seen it in production/ lab or in any documentation.

I still standby the idea that you need to run IPSec tunnels to both sites from both routers, and use BGP local-preference to 'draw' the traffic the Routers adjacent remote site.

ie, RouterA should advertise SiteA prefixes within your AS with a higher local_preference. This will ensure traffic arriving on Router2 will be routed to Router1 to reach SiteA.

Regarding your questions:

1) The IPSec tunnel can be terminated on any device which supports the required crypto algorithms.

2) Sourcing the tunnel from a loopback is as easy as tunnel source loopback0.  but now we are moving from IPSec syntax to GRE. IPSec tunnels are placed with crypto map statements on interfaces. If you are planning on using VTIs, last time I checked they are not supported on firewalls so the remote site firewall will not know how to handle the tunnel.

3) The IP addresses used on the tunnel source interfaces must be reachable from either end for it to establish correctly. The subnet used within the tunnel should be in the RFC1918 range.

Behold this topology diagram I've just knocked up in libreoffice draw(!):

This is how I would put it together. IPsec tunnels running between the firewalls. Loopbacks on each router for GRE tunnels. Each site advertising the GRE tunnel endpoint IPs across the IPsec tunnel mesh. This would create a GRE overlay over the IPsec mesh. It would not matter which local router at the 'home' site was up, the GRE tunnel would be routed towards the remote sites A & B.

The GRE tunnels would be used to form IGP adjacencies between the sites, and permit the advertisement of internal networks to each other.

Take a look at this blog post I wrote about Tunnel VRFs:

https://configif.wordpress.com/2017/12/21/tunnel-vrf/

...if these are secure sites you are connecting to it may give you some good pointers.

cheers,

Seb.

I'm not clear on your second paragraph, it would be good to see some running config and intended additional tunnel config.

When I mentioned VTIs and firewalls I was thinking of ASAs, but a Palo Alto is a different beast. A quick google show it should be possible:

https://live.paloaltonetworks.com/t5/Configuration-Articles/Site-to-Site-IPSec-VPN-Between-Palo-Alto-Networks-Firewall-and/ta-p/62103

cheers

Seb.