Configuring Dual VPNs with Dual ISP Links Using ECMP
Tech Note, PAN-OS 7.0, Revision A
2015, Palo Alto Networks, Inc. www.paloaltonetworks.com
Contents

Overview ... 3
  Use Case ... 3
  Equal Cost MultiPath (ECMP) ... 3
Setup ... 3
  Requirements ... 4
  Configuration Goals ... 4
Configuration Example ... 4
  Interface Configuration ... 4
  Tunnel Setup ... 5
    IKE Gateway (Phase 1) ... 5
    IPSec Tunnel (Phase 2) ... 6
  Virtual Router Setup ... 7
    Default ISP Gateway(s) ... 7
    OSPF for Tunneled Traffic ... 8
    ECMP ... 9
  Configuration Commit ... 9
Verifying ECMP Routes ... 10
  In the GUI ... 10
  Useful CLI Commands ... 13
Revision History ... 13
Overview

The purpose of this document is to explain how to configure a Palo Alto Networks firewall to establish redundant VPN tunnels over multiple ISP connections, using ECMP.

Use Case

This setup is frequently used to provide VPN connectivity between a branch office and a data center (DC). Apart from general Internet connectivity via multiple (typically two) ISP links, there are multiple site-to-site VPN tunnels established between the branch office and the DC, each tunneled through a different ISP link. This design improves resiliency by providing redundancy for VPN connectivity as well as for Internet connectivity.

[Figure 1: Branch with Dual VPNs and Dual ISP Links. The Branch Office reaches the Data Center through a Primary VPN over ISP1 and a Backup VPN over ISP2; the Data Center sits behind a single ISP.]

Equal Cost MultiPath (ECMP)

With the Equal Cost MultiPath support introduced in PAN-OS 7.0, a Palo Alto Networks firewall can be configured to load share traffic across multiple equal cost paths. With the flexibility to select various load-balancing algorithms, there are multiple ways to design this. The ECMP feature provides session-based load balancing using any one of the following options:

- IP Modulo: A modulo of the source and destination IP addresses is used to select the path.
- IP Hash: A hash of the source and destination IP addresses, and optionally of the source and destination ports (if so configured), is used to select the path. The user can also set the seed value used to generate the hash (the default seed is 0).
- Weighted Round Robin: Path selection is round robin across the equal cost paths, with optional weights that can be set for preferential path selection.
- Balanced Round Robin: Path selection is round robin with equal weights, and the session load is always re-balanced when the number of paths changes (in this case, unlike all other cases, load balancing takes precedence over session stickiness).

We chose Weighted Round Robin as the load-balancing scheme for the given use case.
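The following toy model of the four load-balancing options above is an added illustration and not part of this tech note or of PAN-OS; the interface names, weights and session tuples are constructed from the note's branch example, and the XOR fold for IP Modulo, the SHA-256 hash for IP Hash and the smooth weighted round robin scheduler are stand-ins for the firewall's internal selection logic, which the note does not describe. What it shows is the behaviour the note attributes to each mode: a 90/10 weighting sends 9 of every 10 new sessions to the preferred link, sessions stick to their path once chosen, and Balanced Round Robin alone re-spreads existing sessions when a path set changes.

```python
"""Toy model of the four PAN-OS 7.0 ECMP load-balancing options (IP Modulo, IP Hash,
Weighted Round Robin, Balanced Round Robin). Added illustration, not PAN-OS code."""
import hashlib
import ipaddress
from collections import Counter

# Constructed branch-firewall default-route paths: (interface, next hop, weight), using
# the 90/10 Weighted Round Robin split that sends most Internet traffic via ISP2.
DEFAULT_ROUTE_PATHS = [("ethernet1/6", "172.55.15.1", 90), ("ethernet1/5", "172.165.9.1", 10)]

# Constructed sessions: 100 branch hosts, each opening one flow to 4.2.2.2 port 53.
SESSIONS = [(f"192.168.45.{h}", "4.2.2.2", 40000 + h, 53) for h in range(1, 101)]


def ip_modulo(src, dst, paths):
    """IP Modulo: fold the two addresses and take the result modulo the path count."""
    key = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))  # assumption: XOR fold
    return paths[key % len(paths)][0]


def ip_hash(src, dst, paths, sport=None, dport=None, seed=0):
    """IP Hash: hash the addresses, optionally the ports, with a configurable seed (default 0)."""
    material = f"{seed}|{src}|{dst}|{sport}|{dport}".encode()
    digest = hashlib.sha256(material).digest()  # assumption: SHA-256 stands in for the real hash
    return paths[int.from_bytes(digest[:4], "big") % len(paths)][0]


class RoundRobin:
    """Session-based Weighted Round Robin, or Balanced Round Robin when balanced=True.

    Weighted: smooth weighted round robin, so a weight-90 path receives 9 of every 10 new
    sessions; an existing session keeps its path until that path disappears (stickiness).
    Balanced: all weights equal, and every existing session is re-spread whenever the path
    set changes, since in that mode load balancing wins over stickiness.
    """

    def __init__(self, paths, balanced=False):
        self.balanced = balanced
        self.sessions = {}  # session 4-tuple -> egress interface
        self.set_paths(paths)

    def set_paths(self, paths):
        """Install a new path set, e.g. after an ISP link fails or comes back."""
        self.paths = list(paths)
        self.current = {p[0]: 0 for p in self.paths}
        alive = set(self.current)
        for key, iface in list(self.sessions.items()):
            if self.balanced or iface not in alive:
                self.sessions[key] = self._next()

    def _weight(self, path):
        return 1 if self.balanced else path[2]

    def _next(self):
        """Smooth weighted round robin: credit every path, pick the richest, charge it."""
        total = sum(self._weight(p) for p in self.paths)
        for p in self.paths:
            self.current[p[0]] += self._weight(p)
        chosen = max(self.paths, key=lambda p: self.current[p[0]])
        self.current[chosen[0]] -= total
        return chosen[0]

    def select(self, session):
        """Egress interface for a session; a session seen before keeps its path."""
        if session not in self.sessions:
            self.sessions[session] = self._next()
        return self.sessions[session]


def distribution(selector, sessions=SESSIONS):
    """Number of sessions per egress interface for a given selector function."""
    return dict(Counter(selector(s) for s in sessions))


def failover_sequence(balanced):
    """Distribution before ISP1 fails, while it is down, and after it returns."""
    rr = RoundRobin(DEFAULT_ROUTE_PATHS, balanced=balanced)
    before = distribution(rr.select)
    rr.set_paths(DEFAULT_ROUTE_PATHS[:1])  # ethernet1/5 (ISP1) goes down
    during = distribution(rr.select)
    rr.set_paths(DEFAULT_ROUTE_PATHS)  # ISP1 returns
    after = distribution(rr.select)
    return before, during, after


if __name__ == "__main__":
    print("modulo  ", distribution(lambda s: ip_modulo(s[0], s[1], DEFAULT_ROUTE_PATHS)))
    print("hash    ", distribution(lambda s: ip_hash(s[0], s[1], DEFAULT_ROUTE_PATHS, s[2], s[3])))
    print("weighted", failover_sequence(balanced=False))
    print("balanced", failover_sequence(balanced=True))
```

Running the script prints the per-interface session counts; the weighted run ends with all 100 sessions still on ethernet1/6 after ISP1 returns, because existing sessions are not moved, whereas the balanced run returns to an even 50/50 split.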
In addition to the simplicity of setup and configuration, some of the benefits of the solution discussed in this note are:

- It allows full utilization of both links.
- One of the ISP links can be configured to largely carry VPN traffic while the other ISP link carries Internet traffic, depending on ISP preference, if any.
- ECMP provides automatic failover and switchover to backup links in case of outages.

Setup

In this document we discuss a split tunnel setup at the branch office, which passes private network traffic destined for the data center (DC) via the IPSec tunnel(s) and passes all other Internet traffic directly to the default ISP. In our example we use the Weighted Round Robin algorithm to designate one ISP link to largely carry VPN traffic and the other ISP link to largely carry Internet traffic. Each link acts as a backup for the other, thus exploiting the benefits of ECMP to avoid a single point of failure, achieve better bandwidth utilization and obtain faster failover.
As noted before, this can be done in other ways depending on the requirement and goal. For example:

- You can use full tunneling to pass all traffic via the tunnels to the data center for centralized processing.
- The traffic passing through the tunnels can be equally load balanced, or
- it can be balanced amongst the tunnels on the basis of source IPs.

Refer to the PAN-OS 7.0 Administrator's Guide for details on the various ECMP load-balancing options.

PAN-OS ECMP support covers both static and dynamic routes. In our example, we use ECMP for static routing (the default route for Internet-bound traffic) as well as dynamic routing (OSPF advertised routes for the VPN tunnels).

Requirements

This approach requires PAN-OS version 7.0 or above, which supports the feature.

Configuration Goals

Branch Office Firewall

We configure the branch site firewall to meet the following goals:

- Redundant Internet and VPN connectivity via multiple ISP links.
- ECMP load balancing and automatic failover for VPN connectivity.

Data Center Firewall

We configure the DC firewall as follows:

- Redundant VPN connectivity for the branch office over a single ISP link.

Note: The DC firewall can also be set up with dual ISP links and ECMP. For the purpose of this document we handle the case as stated above.

Configuration Example

Interface Configuration

Branch

  Interface   IP Address          Description
  E1/5        172.165.9.20/24*    Physical interface connecting to ISP1
  E1/6        172.55.15.20/24*    Physical interface connecting to ISP2
  tunnel.1    10.1.1.2/30         Tunnel endpoint for VPN-1
  tunnel.2    10.1.2.2/30         Tunnel endpoint for VPN-2
  E1/7        192.168.45.20/24    Local network for the branch site

Data Center

  Interface   IP Address          Description
  E1/5        172.13.39.90/24*    Physical interface connecting to the ISP
  tunnel.1    10.1.1.1/30         Tunnel endpoint for VPN-1
  tunnel.2    10.1.2.1/30         Tunnel endpoint for VPN-2
  E1/6        192.168.35.20/24    Local network for the DC

* These IP addresses are chosen for illustration purposes only. In the real world, these will be the publicly routable address(es) provided by the corresponding ISP.
We don't discuss the steps to configure interfaces in this document. All interfaces are configured in Layer-3 mode with IPv4 addresses as above. They all belong to the same virtual router on the firewall. The intention of this document is not to go into details about Interface, Zone and Security Policy configurations; refer to the PAN-OS 7.0 Administrator's Guide for details on these.

Tunnel Setup

IKE Gateway (Phase 1)

The IPSec tunnel setup is independent of ECMP and can be configured to meet the customer network's requirements. In the example here, we are using IKEv1 with pre-shared keys and the default IPSec crypto profiles. PAN-OS 7.0 also supports IKEv2. Refer to the PAN-OS 7.0 Administrator's Guide for all supported standards and options.

An IKE Gateway is configured for each of the VPN tunnels (Network->Network Profiles->IKE Gateways).

On the Branch FW: The local IP address and interface for the two tunnels are different (one for each ISP) and the Peer IP is the same (the DC FW interface IP).

On the DC FW: The local IP address and interface for the two tunnels are the same and the Peer IP is different (each pointing to the remote tunnel endpoint for that ISP).
IPSec Tunnel (Phase 2)

An IPSec tunnel is configured for each of the IKE Gateways configured above (Network->IPSec Tunnels).

On both FWs: On each firewall, two IPSec tunnels need to be configured, each using a different IKE gateway configured in the step above.

[Screenshot: IPSec Tunnel Configuration for Branch FW]
[Screenshot: IPSec Tunnel Configuration for DC FW]

The tunnel interfaces corresponding to these IPSec tunnels are part of the dynamic routing protocol (see the Virtual Router configuration discussed in the section below), which takes care of advertising the prefixes from each site to its peer (the remote tunnel endpoint).
Virtual Router Setup

In our example, all interfaces on a firewall (including the tunnel interfaces) belong to the same virtual router.

Default ISP Gateway(s)

Static routes to the default gateways are configured for both ISPs (branch FW), with the default route (0.0.0.0/0) being set with equal metrics (this is a MUST for the interfaces to be selected as equal cost paths).
OSPF for Tunneled Traffic

An OSPF instance (area 0.0.0.10) is configured on both firewalls, with interface settings as shown below (the screenshot shows the branch firewall).

Note: The LAN-facing interface is configured with link type broadcast (the default), while the tunnel interfaces are configured as p2p link types, since the tunnel emulates a point-to-point link.

The OSPF routing protocol is enabled with an appropriate Router-ID set on both FWs (sample snapshot from the branch FW).
Although OSPF is chosen as the dynamic routing protocol here and default values are retained for most of the configuration, this can be changed to fit the specific network requirements. Details for dynamic routing protocol configuration can be found in the Admin Guide.

ECMP

Finally, ECMP is enabled under Network->Virtual Router->ECMP.

Note: This is a split-tunnel setup, where all non-DC destined traffic (referred to here as "Internet traffic") goes out the physical interface to the statically configured next hop (the default gateway for the ISP), whereas all DC destined traffic (referred to here as "VPN traffic") goes via the tunnel interface.

The load-balancing algorithm chosen is Weighted Round Robin and the weights are chosen so that 90% of VPN traffic flows through ISP1 and 90% of Internet traffic flows through ISP2.

There will be a warning on the screen about a Virtual Router restart due to ECMP enablement. In order to enable ECMP and allow the routing and forwarding tables to accept multiple equal cost paths, a routing daemon restart is required. This may cause intermittent traffic loss while the routing process is restarted. We recommend making these changes during a maintenance window if you are on a production network.

Configuration Commit

It is assumed that the interfaces are mapped to their respective Zones and that appropriate Security Policies are configured.

Note: The redundant interfaces (ISP links and tunnel interfaces) need to belong to the same zones to avoid any session breakage at the time of failover.
With PAN-OS 7.0, the configuration can also be validated before committing by clicking the Validate Changes button in the options that appear in the Commit window (once you click Commit in the upper left window).

Verifying ECMP Routes

In the GUI

The route table and forwarding table entries will show the default route as well as the tunneled routes (via OSPF) as ECMP entries (flag E/e, with two routes for the destination). This can be checked by clicking More Runtime Stats for the given Virtual Router under the Network->Virtual Routers window.
[Screenshot: Default Route (Static for Internet traffic) - Route Table Entry]
[Screenshot: Default Route (Static for Internet traffic) - Forwarding Table Entry]
[Screenshot: OSPF advertised prefix (VPN traffic) - Route Table Entry]
[Screenshot: OSPF advertised prefix (VPN traffic) - Forwarding Table Entry]

Note: Each ECMP path consumes an entry in the Routing Table. Each equal cost path to the same destination is counted as an independent routing entry when determining routing capacity.

In High-Availability (HA) setups:

- Active/Passive: The ECMP configuration and the ECMP FIB entries are synced to the peer. Hence, on failover, traffic of an existing session is routed to the same next hop.
- Active/Active: Only the ECMP configuration is synced (if VR syncing is enabled). Hence, on failover, traffic of an existing session is re-routed.
Useful CLI Commands

Check ECMP routes and their weights:

admin@panw-branch> show routing route ecmp yes type static

flags: A:active,?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp

VIRTUAL ROUTER: ECMP Branch (id 4)
  ==========
destination        nexthop        metric flags  age    interface    next-as  weight
0.0.0.0/0          172.55.15.1    10     A S E         ethernet1/6           90
0.0.0.0/0          172.165.9.1    10     A S E         ethernet1/5           10
total routes shown: 2

admin@panw-branch> show routing route ecmp yes type ospf

flags: A:active,?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp

VIRTUAL ROUTER: ECMP Branch (id 4)
  ==========
destination        nexthop        metric flags  age    interface    next-as  weight
192.168.35.0/24    10.1.1.1       20     A OiE  76792  tunnel.1              90
192.168.35.0/24    10.1.2.1       20     A OiE  76792  tunnel.2              10
total routes shown: 2

Test the ECMP load distribution using the following test CLI command:

admin@panw-branch> test routing fib-lookup ecmp ip 4.2.2.2 virtual-router "ECMP Branch"

--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router:   ECMP Branch
destination:      4.2.2.2
result:
  via 172.55.15.1 interface ethernet1/6, source 172.55.15.20, metric 10 [selected]
  via 172.165.9.1 interface ethernet1/5, source 172.165.9.20, metric 10

Different IP addresses can be used to check that the selected path matches the expectation for the ECMP weighting and load-balancing algorithm selected. The same test command can also be used for VPN traffic by selecting an appropriate destination address.
admin@panw-branch> test routing fib-lookup ecmp ip 192.168.35.2 virtual-router "ECMP Branch"

--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router:   ECMP Branch
destination:      192.168.35.2
result:
  via 10.1.1.1 interface tunnel.1, source 10.1.1.2, metric 20 [selected]
  via 10.1.2.1 interface tunnel.2, source 10.1.2.2, metric 20
--------------------------------------------------------------------------------

Revision History

  Date           Revision   Comment
  June 8, 2015   A          First release of this document.
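As an added check that is not part of this tech note or of Palo Alto Networks' software, the script below parses `show routing route ecmp yes` output in the format shown in the Useful CLI Commands section and verifies the conditions this note depends on: each redundant destination has the expected number of active, E-flagged paths, the paths carry identical metrics (the MUST from the Default ISP Gateway(s) section), and the configured weights yield the intended 90/10 share. The sample output, its degraded variant (ISP1 down and a mismatched OSPF cost on tunnel.2) and the expected-path table are constructed for the branch firewall in this note; the trailing-column handling assumes that next-as is blank for static and OSPF routes, as it is in the output above.

```python
"""Verify ECMP state from `show routing route ecmp yes` output. Added illustration, not
Palo Alto Networks code; the sample output below is constructed to match this note."""
import re
from collections import defaultdict

FLAG_TOKEN = re.compile(r"^(?:Oi|Oo|O1|O2|[A?CHS~ROBE])+$")
VR_RE = re.compile(r"^VIRTUAL ROUTER:\s+(.+?)\s+\(id \d+\)$")

# Constructed healthy output for the branch firewall (static default route + OSPF prefix).
SAMPLE = """\
flags: A:active,?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp

VIRTUAL ROUTER: ECMP Branch (id 4)
  ==========
destination        nexthop        metric flags  age    interface    next-as  weight
0.0.0.0/0          172.55.15.1    10     A S E         ethernet1/6           90
0.0.0.0/0          172.165.9.1    10     A S E         ethernet1/5           10
192.168.35.0/24    10.1.1.1       20     A OiE  76792  tunnel.1              90
192.168.35.0/24    10.1.2.1       20     A OiE  76792  tunnel.2              10
total routes shown: 4
"""

# Constructed degraded output: the ISP1 default-route path is gone and tunnel.2's
# OSPF cost was changed to 30, so the two tunnel paths are no longer equal-cost.
DEGRADED = re.sub(r"(10\.1\.2\.1\s+)20", r"\g<1>30",
                  "\n".join(l for l in SAMPLE.splitlines() if "172.165.9.1" not in l))

# Destination prefix -> number of equal-cost paths the design expects.
EXPECTED = {"0.0.0.0/0": 2, "192.168.35.0/24": 2}


def parse_routes(text):
    """One dict per route line; legend, header, separator and total lines are skipped."""
    routes, vr = [], None
    for raw in text.splitlines():
        m = VR_RE.match(raw.strip())
        if m:
            vr = m.group(1)
            continue
        tokens = raw.split()
        # Route lines start with a CIDR prefix, a next hop and a numeric metric.
        if len(tokens) < 4 or "/" not in tokens[0] or not tokens[2].isdigit():
            continue
        flags, i = "", 3
        while i < len(tokens) and FLAG_TOKEN.match(tokens[i]):
            flags += tokens[i]  # "A", "S", "E" or fused "OiE" -> "ASE" / "AOiE"
            i += 1
        age = None
        if i < len(tokens) and tokens[i].isdigit():  # age column is blank for static routes
            age = int(tokens[i])
            i += 1
        iface = tokens[i]
        trailing = tokens[i + 1:]  # [next-as] [weight]; assumption: next-as blank here
        routes.append({
            "vr": vr, "dest": tokens[0], "nexthop": tokens[1], "metric": int(tokens[2]),
            "flags": flags, "age": age, "iface": iface,
            "weight": int(trailing[-1]) if trailing else None,
        })
    return routes


def check_ecmp(text, expected):
    """Return a list of findings; an empty list means every expectation is met."""
    by_dest = defaultdict(list)
    for r in parse_routes(text):
        by_dest[r["dest"]].append(r)
    findings = []
    for dest, want in expected.items():
        paths = by_dest.get(dest, [])
        if len(paths) < want:
            findings.append(f"{dest}: {len(paths)} path(s) installed, expected {want}")
        if len({p["metric"] for p in paths}) > 1:
            findings.append(f"{dest}: metrics differ, paths are not equal-cost")
        for p in paths:
            if "E" not in p["flags"]:
                findings.append(f"{dest} via {p['iface']}: not flagged E (ecmp)")
            if "A" not in p["flags"]:
                findings.append(f"{dest} via {p['iface']}: path is not active")
    return findings


def weight_shares(text, dest):
    """Fraction of new sessions each path receives under Weighted Round Robin."""
    paths = [r for r in parse_routes(text) if r["dest"] == dest and r["weight"] is not None]
    total = sum(r["weight"] for r in paths)
    return {r["iface"]: r["weight"] / total for r in paths}


if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE), ("degraded", DEGRADED)):
        print(name, check_ecmp(text, EXPECTED) or "OK", weight_shares(text, "0.0.0.0/0"))
```

On the healthy sample the check reports nothing and the default-route shares come out as 0.9 for ethernet1/6 and 0.1 for ethernet1/5; on the degraded sample it flags the single remaining default-route path and the unequal tunnel metrics, which is exactly the state the note warns would stop the paths from being treated as equal cost.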