We are an SMB that uses seven IPSec VPNs to connect to several cloud service providers and businesses. These VPNs terminate on a Palo Alto firewall on our side. Recently our ISP circuit went down, which of course took our tunnels down with it. We are in the process of getting a secondary circuit from a different provider to handle this situation in the future, but once in place, we would have to reconfigure the tunnels in order to bring them up on the new circuit. And of course, reconfigure the tunnels again once the primary circuit came back up.
Getting a secondary ISP circuit set up to automatically roll over and back is not a problem. We would like to know if there is a solution to configuring/re-configuring the IPSec tunnels. Would it be possible to have our tunnels terminate in a cloud and configured so that it would not matter which of our ISPs was in use? Our searches have turned up nothing so far. Any help will be greatly appreciated!
Initial thought is to just set up a redundant tunnel (or tunnels) out the backup path and then control which tunnel is in use with routing.
To do this without having a second set of tunnels you would have to have IP space that you are announcing to both providers. Then have your tunnel endpoint terminate on one of those IP addresses.
SDWAN is what you want. I have an office in the Virgin Islands where power and internet outages are frequent. So we have 3 Internet connections in this office. Using SDWAN allows us to have 3 active IPSec tunnels to our datacenter and dynamically choose one based on latency to the datacenter.
1. Set up 1 tunnel per ISP uplink, configure any dynamic routing protocol that supports redundancy (OSPF, BGP, …) on both ends of the tunnels.
2. Use Palo's SDWAN product. That does something very similar to 1., just with more abstraction layers and less manual work on your end.
3. You can also use Palo's link monitoring and multiple tunnels + multiple gateways to achieve this, but that's basically a jankier, less reliable, more proprietary way of doing 1.
Edit:
Maybe I should add this as general advice:
For your most critical network functions (and site to site connectivity honestly is one of those) just don’t rely on proprietary solutions. Use well defined, standardized widely adopted technologies, and ideally open source implementations of those. Makes interoperability and migration scenarios so much easier.
Can't you configure multiple tunnels, e.g. one per circuit, and run a routing protocol or Palo Alto's link monitoring to dynamically switch the path when a link goes down?
Well it looks like you want to have some form of redundancy, but don’t know how to really move forward.
Having two circuits from independent/different providers is a good start.
For the sake of clarity I will not go into things like medium and last-mile and wholesale redundancy.
Your providers will, with their services, not offer static network blocks for your use. So the best solution, without introducing new single points of failure (SPOFs), is to assign your second provider a dedicated (sub)interface on your Palo Alto firewall.
Then your clouds should all get a second vpn tunnel.
Make sure to use route based VPNs.
The key further will be ECMP and/or Floating Routes.
ECMP, Equal Cost Multi Path routing, will take both paths and distribute your traffic over the two VPN tunnels towards your cloud.
Make sure the remote side also configures ECMP to make this properly work.
Floating Routes (or Floating Static Routes) will take one vpn as the primary and will use the second vpn only in case of the first route (and vpn) going down.
Both setups I have built in the past for several clients.
There are some more alternatives like dynamic routing over VPN, but as an SMB without sufficient network knowledge I would not go there.
There are also alternatives that introduce SPOFs, like using a cloud hosted VPN terminator, where all your VPNs are terminated and you would only have to switch over your local VPN. You might even get away with setting the VPN towards your office as responder only with a dynamic target. Personally, I don't like these setups as they introduce additional costs, more SPOFs and lower clarity on your networking as an SMB.
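As an added illustration of the floating-static-route versus ECMP behaviour described in this reply (example code written for this thread, not from any poster and not PAN-OS configuration; the cloud prefix, tunnel interface names and metrics are constructed):

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str      # destination network, e.g. a cloud provider's range
    interface: str   # tunnel interface the route points at
    metric: int      # lower is preferred; equal metrics are ECMP candidates


def select_paths(routes, dest, tunnel_up):
    """Return the tunnel interface(s) traffic to `dest` would leave on.

    Models a route-based VPN setup with one tunnel per ISP: routes whose
    tunnel is down (as detected by path/link monitoring) are ignored, the
    longest prefix wins, then the lowest metric; every route tied at the
    lowest metric is returned together, which is the ECMP case.
    """
    ip = ipaddress.ip_address(dest)
    usable = [r for r in routes
              if ip in ipaddress.ip_network(r.prefix)
              and tunnel_up.get(r.interface, False)]
    if not usable:
        return []                       # no path at all: both tunnels down
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in usable)
    usable = [r for r in usable
              if ipaddress.ip_network(r.prefix).prefixlen == longest]
    best = min(r.metric for r in usable)
    return sorted(r.interface for r in usable if r.metric == best)


# Constructed sample tables for one cloud range reachable over both ISPs.
# Floating static routes: tunnel.2 only carries traffic once tunnel.1 is down.
FLOATING = [Route("10.50.0.0/16", "tunnel.1", 10),   # primary via ISP A
            Route("10.50.0.0/16", "tunnel.2", 20)]   # floating backup, ISP B
# ECMP: equal metrics, so both tunnels carry traffic while both are up.
ECMP = [Route("10.50.0.0/16", "tunnel.1", 10),
        Route("10.50.0.0/16", "tunnel.2", 10)]


if __name__ == "__main__":
    both_up = {"tunnel.1": True, "tunnel.2": True}
    a_down = {"tunnel.1": False, "tunnel.2": True}
    print("floating, both up  :", select_paths(FLOATING, "10.50.1.5", both_up))
    print("floating, ISP A down:", select_paths(FLOATING, "10.50.1.5", a_down))
    print("ecmp, both up      :", select_paths(ECMP, "10.50.1.5", both_up))
```

The ECMP case returning both tunnels is exactly why the remote side must be configured the same way: if only one end load-shares, replies come back over a single tunnel and the flows are asymmetric.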
We use an SD-WAN zone for the IPsec tunnels for our stuff and it just switches seamlessly. We're using a Fortigate 201F. I'm not sure of the config on a Palo but I'm sure it's capable of it.
Is your concern about having to work with all of your vendors to redesign your VPN connectivity with them or are you just concerned about your own side of the setup?
I would do what you’re thinking - put a virtual firewall at a cloud provider and terminate all the external VPNs there. Build a tunnel on the PA from each ISP to the cloud firewall and run BGP over the tunnels, then announce the external VPN ranges from the virtual firewall. Each site or cloud gets an AS number.
If virtual firewalls are too expensive look at something like OPNsense. In AWS be sure to use an elastic IP so you can move it around.
Wow, you folks are great! I’m a reddit rookie and I was not expecting so many replies - much less on a weekend! You all have given me quite a bit to digest, so it may be a while before I can award anything. More than likely it’ll come down to cost (like everything else). Thanks, All!
We are an integrator and did this for a client. We resell services of Adaptiv networks. You may take a look at their Business Connect product. Basically it’s an ISP layer on top of your existing ISP. You will get load balancing and failover. You may message me so I can connect you to someone.
We are also working on a custom solution to make it one step better by distributing/aggregating the traffic between multiple ISP links for a single VPN tunnel.
Wow, thanks for the fast reply! Just so happens that IP space is no problem - we happen to have two class C blocks (/20 & /22) that we bought WAAAAY back before NAT came along and we’ve held onto 'em since.
This is the way to go. Managed SDWAN with a cloud gateway and same IP failover across multiple ISPs and single or HA endpoints on the cloud side depending on the cloud.
FWIW, we tried deploying Palo's NGFW SDWAN product last year (not Prisma), and it was a mess. Known bugs galore, support didn't know anything about it, and it wasn't very intuitive to set up.
We never got it working, and our CDW consultants said it’s been a mess in other deployments as well.
Yeah, we try to avoid SPOFs like the plague! We actually have two good sized static network blocks (class C /20 & /22 … long story, bought 'em before NAT). And you are correct about insufficient knowledge concerning dynamic routing over VPN. Something to keep in mind though. Thanks!