Hello, good afternoon, as always thanks for the collaboration, the good vibes and your time.
I have a question regarding a particular VPN Site to Site issue.
Example in the following case:
I have two IPsec tunnels, primary and secondary. Both are up and active.
Tunnel 1: 200.200.200.200.200 destination peer 199.199.199.199.199
Tunnel 2: 200.200.200.200.200 destination peer 198.198.198.198.198
Through both tunnels the network 172.28.0.0/24 is reached.
We currently have two routes: a floating route, i.e. the main route with path monitoring, and the other route, which, in a failure condition, takes the main route out of the FIB and installs the route with the next metric. This operates correctly, without problems.
Now the next question:
1.- If I wanted to use the two tunnels simultaneously, for example some networks going through one tunnel and other networks through the other, secondary tunnel, or all of them going through one tunnel and then the other, round-robin style: I understand that for this I should use active ECMP from the AP side, with the routes of the tunnel interfaces having the same metric. I understand that my side can adjust and use ECMP, but what happens at the other end? If it is a Palo Alto or any other vendor, the other end should also have something like ECMP so that it can also return and/or send the traffic through both tunnels, right?
2.- Now, thinking of an environment where ECMP cannot be used: would this work? For example, if I start the communication and send traffic through the secondary tunnel, but the return traffic from the other peer comes through the main tunnel, does Palo Alto support that, i.e. traffic sent through one tunnel interface and returning through the other? I understand that on my side I must allow asymmetric traffic, but the other peer should also allow and/or support asymmetric traffic, because otherwise this would not work. Would this operate correctly when looking to use both in parallel?
Thanks for your time, for your comments, for your good vibes and for your collaboration.
Thank you
Best regards
If you're going to use ECMP, it's a good idea to do that on both sides, just so you retain some synchronicity. Not all 'devices' may need that though: you can connect 2 Palo Altos and, as long as the zones on both tunnels are identical, it won't matter which tunnel is used for reply packets. Ergo, if you can't do ECMP on the remote end, it will probably not be a big problem unless the remote side gets its state table up in a bunch.
In short, most likely yes; if you use the same zones on the tunnel interfaces you don't even need to enable asymmetric traffic.
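To make the two points in this thread concrete (the question about whether the remote end also needs ECMP, and the answer that a stateful firewall matches replies on zone rather than on the exact tunnel interface), here is an added toy model. It is not code from the thread and not PAN-OS behaviour, just a simplified stateful-firewall model: per-flow ECMP is modelled as a hash of the 5-tuple, the interface names `tunnel.1`/`tunnel.2`, the zone names, the 10.10.0.0/24 source hosts and the sample flows are all constructed assumptions. It shows that a local side doing ECMP against a remote side with a single active route produces asymmetric return paths, that those are harmless while both tunnel interfaces share one zone, and that with distinct zones they are dropped unless asymmetric paths are explicitly allowed.

```python
"""Toy model: a local firewall with two IPsec tunnel interfaces and a remote
peer, used to see where asymmetric return traffic appears and when a
stateful firewall would still accept it.  Simplified model, not PAN-OS code."""
import hashlib
from dataclasses import dataclass

TUNNELS = ("tunnel.1", "tunnel.2")  # constructed interface names


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.dport, self.sport, self.proto)


def ecmp_pick(flow: Flow, tunnels=TUNNELS) -> str:
    """Per-flow ECMP: hash the 5-tuple and pick one equal-cost path.
    Each direction hashes its own tuple independently, so the reply is not
    guaranteed to land on the tunnel the request left through."""
    key = f"{flow.src}|{flow.dst}|{flow.sport}|{flow.dport}|{flow.proto}".encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(tunnels)
    return tunnels[idx]


class Firewall:
    """Stateful firewall: a session remembers the zone it left through, and a
    reply is matched on that zone, not on the exact tunnel interface."""

    def __init__(self, name, zone_of, ecmp, allow_asymmetric=False):
        self.name = name
        self.zone_of = zone_of              # tunnel interface -> zone (assumed mapping)
        self.ecmp = ecmp
        self.allow_asymmetric = allow_asymmetric
        self.sessions = {}                  # original Flow -> egress zone

    def egress(self, flow: Flow) -> str:
        if self.ecmp:
            return ecmp_pick(flow)
        return TUNNELS[0]                   # one active route; the other is a floating backup

    def send(self, flow: Flow) -> str:
        tun = self.egress(flow)
        self.sessions[flow] = self.zone_of[tun]
        return tun

    def receive_reply(self, reply: Flow, arrived_on: str) -> bool:
        """Accept the reply if it matches the session's zone, or if asymmetric
        paths are explicitly allowed; otherwise it is dropped."""
        orig = reply.reverse()
        if orig not in self.sessions:
            return False
        return self.allow_asymmetric or self.zone_of[arrived_on] == self.sessions[orig]


def sample_flows(n=200):
    # Constructed: hosts in 10.10.0.0/24 talking HTTPS to 172.28.0.0/24,
    # the network reached through both tunnels in the question.
    return [Flow(f"10.10.0.{1 + i % 50}", f"172.28.0.{10 + i % 20}", 40000 + i, 443)
            for i in range(n)]


def simulate(flows, local: Firewall, remote: Firewall):
    results = []
    for f in flows:
        fwd = local.send(f)             # local side picks the outbound tunnel
        reply = f.reverse()
        back = remote.egress(reply)     # remote side picks its own return path
        results.append({"forward": fwd, "return": back, "symmetric": fwd == back,
                        "accepted": local.receive_reply(reply, back)})
    return results


def run_scenario(remote_ecmp: bool, same_zone: bool, allow_asymmetric=False) -> dict:
    """Local side always runs ECMP; vary the remote side and the local zone layout."""
    local_zones = ({"tunnel.1": "vpn", "tunnel.2": "vpn"} if same_zone
                   else {"tunnel.1": "vpn-primary", "tunnel.2": "vpn-secondary"})
    local = Firewall("local", local_zones, ecmp=True, allow_asymmetric=allow_asymmetric)
    remote = Firewall("remote", {"tunnel.1": "vpn", "tunnel.2": "vpn"}, ecmp=remote_ecmp)
    res = simulate(sample_flows(), local, remote)
    return {"flows": len(res),
            "tunnels_used_outbound": len({r["forward"] for r in res}),
            "asymmetric": sum(not r["symmetric"] for r in res),
            "dropped": sum(not r["accepted"] for r in res)}


if __name__ == "__main__":
    print("remote no ECMP, one zone:      ", run_scenario(False, True))
    print("remote no ECMP, two zones:     ", run_scenario(False, False))
    print("remote no ECMP, two zones, asym", run_scenario(False, False, True))
    print("remote ECMP, one zone:         ", run_scenario(True, True))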