Forum Discussion
svs
Cirrostratus
CirrostratusAPM SSLVPN with layered virtual
Hi guys,
I'm trying a new (for me), but oftenly recommended by F5 SEs, setup with layered virtuals. In my testing environment, I have only one single IP address. This is used for a standard virtual...
adri8n
Nimbostratus
NimbostratusI'm using SNI routing configured almost exactly like the article, matching at client ssl hello and forwarding to an APM SSLVPN enabled VS.
Same symptoms as OP.
Is there some other magic to making this work, or is it not supported?
Sven, did you ever happen to get this to work?
svsCirrostratus
CirrostratusHi,
yes I got this working. Can't remember, why I didn't respond to Stanislas answer.
My LTM Policy looks like the following:
ltm policy SNI-Routing {
controls { forwarding }
requires { client-ssl }
rules {
Default {
actions {
0 {
log
ssl-client-hello
write
facility local0
message "Nothing mathed on hostname"
priority info
}
}
ordinal 1
}
vpn.example.com {
actions {
0 {
forward
ssl-client-hello
select
virtual /Common/vpn.example.me_ap_vs
}
}
conditions {
0 {
ssl-extension
ssl-client-hello
server-name
values { vpn.example.com }
}
}
}
}
status published
strategy first-match
}VS
ltm virtual vpn.example.me_ap_vs {
destination 1.1.1.10:443
ip-protocol tcp
mask 255.255.255.255
profiles {
http { }
ppp { }
rba { }
tcp { }
vpn.example.me_ap { }
vpn.example.me_ap_cp {
context clientside
}
vpn.example.com {
context clientside
}
websso { }
}
source 0.0.0.0/0
translate-address enabled
translate-port enabled
}VS DTLS
ltm virtual vpn.example.me_ap_vs_dtls {
destination <External Self IP>:4433
ip-protocol udp
mask 255.255.255.255
profiles {
ppp { }
udp { }
vpn.example.me_ap_cp {
context clientside
}
vpn.example.com {
context clientside
}
}
source 0.0.0.0/0
translate-address enabled
translate-port enabled
}The DTLS VS is not going through the LTM SNI Routing policy. Instead it is, in my case, bound directly to the external Self IP, with only SSL client profile and connectivity assigned.
APM Profile
apm profile access vpn.example.me_ap {
accept-languages { en }
access-policy vpn.example.me_ap
app-service none
customization-group vpn.example.me_ap_logout
default-language en
eps-group vpn.example.me_ap_eps
errormap-group vpn.example.me_ap_errormap
framework-installation-group vpn.example.me_ap_framework_installation
general-ui-group vpn.example.me_ap_general_ui
generation 1
generation-action noop
log-settings {
default-log-setting
}
modified-since-last-policy-sync true
type all
user-identity-method http
}Connectivity Profile:
apm profile connectivity vpn.example.me_ap_cp {
adaptive-compression enabled
app-service none
client-policy {
vpn.example.me_ap_cp {
ios-ec {
save-password true
}
ios-ep {
save-password true
}
}
}
compress-buffer-size 4096
compress-cpu-saver true
compress-cpu-saver-high 90
compress-cpu-saver-low 75
compress-gzip-level 6
compress-gzip-memlevel 8192
compress-gzip-window-size 16384
compress-ingress false
compression enabled
compression-codecs { deflate lzo bzip2 }
customization-group vpn.example.me_ap_cp_secure_access_client_customization
defaults-from connectivity
deflate-compression-level 1
description none
fec-name none
location-specific false
tunnel-name vpn.example.me_ap_cp
}Hopefully this help.
Cheers
Sven