Forum Discussion
LuisPuma_134788
Altostratus
Jan 08, 2014

Checkpoint IPSec Error
Hello friends,
I just deployed F5 to load balance incoming IPSec traffic which belongs to a tunnel between two Checkpoint devices.
By issuing a capture in the virtual server of the F5, I go...
LuisPuma_134788
Altostratus
Jan 13, 2014

Just issued a capture. It shows that the F5 is always changing the port to 14270 value. xxx.xxx.xxx.xxx is the client IP and the yyy.yyy.yyy.yyy is the virtual server configured in the F5.
[root@ns2:Active:Changes Pending] config tcpdump -n -i 0.0:nnn host xxx.xxx.xxx.xxx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0:nnn, link-type EN10MB (Ethernet), capture size 96 bytes
16:45:34.278919 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: parent_sa ikev2_init[I]
16:45:34.278935 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: parent_sa ikev2_init[I]
16:45:34.367242 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa ikev2_init[]
16:45:34.626446 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:39.553492 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:40.576115 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:41.592765 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:42.571266 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 I ident
16:45:42.571282 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 ? ident
16:45:42.663164 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: phase 2/others R inf
16:45:44.571349 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 I ident
16:45:44.571366 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 ? ident
16:45:44.643419 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:44.671446 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: phase 2/others R inf
16:45:46.571440 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 I ident
16:45:46.571456 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 ? ident
BinaryCanary_19
Historic F5 Account
Jan 14, 2014

F5 changes source port by default (ports are used for load-balancing traffic processing jobs internally). It should be possible to modify that behaviour by looking at the "Source Port Preserve" settings on the Virtual Server. However, I can't recall if ISAKMP is sensitive to source ports, so I'm not sure if that even matters. Note also that if you change the source-port preserve setting from default, you may also need to demote CMP for that VIP in order to avoid "packet loss". By demoting CMP, only CPU0/TMM0 will handle the traffic for that VIP, which is what you want when you disable source port translation. If you are concerned about the privacy of your IP addresses, you should create a support case.
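The following is an added example, written for this page and not code from either poster or from F5. It is a small Python script that parses tcpdump output of the kind quoted in the capture above and reports every IKE datagram the virtual server forwarded with a rewritten source port, which is the behaviour BinaryCanary_19 describes and the check you would run before and after changing the "Source Port Preserve" setting. It assumes the tcpdump -n line format shown in the thread, the placeholder addresses used there (xxx.xxx.xxx.xxx for the remote IKE peer, yyy.yyy.yyy.yyy for the VIP, 10.1.1.20 for the Check Point pool member), and that the VIP address is known; the sample capture embedded below is constructed from the thread's lines.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the tcpdump lines quoted in the thread, with the same
# placeholders (xxx.xxx.xxx.xxx = remote IKE peer, yyy.yyy.yyy.yyy = F5 virtual
# server, 10.1.1.20 = Check Point pool member behind the F5).
CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0:nnn, link-type EN10MB (Ethernet), capture size 96 bytes
16:45:34.278919 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: parent_sa ikev2_init[I]
16:45:34.278935 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: parent_sa ikev2_init[I]
16:45:34.367242 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa ikev2_init[]
16:45:34.626446 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:39.553492 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:40.576115 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:41.592765 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:42.571266 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 I ident
16:45:42.571282 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 ? ident
16:45:42.663164 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: phase 2/others R inf
16:45:44.571349 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 I ident
16:45:44.571366 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 ? ident
16:45:44.643419 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:44.671446 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: phase 2/others R inf
16:45:46.571440 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 I ident
16:45:46.571456 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 ? ident
"""
VIP = "yyy.yyy.yyy.yyy"  # virtual server address (placeholder taken from the thread)

# Service names tcpdump -n still prints for IKE; any other port must be numeric.
IKE_PORTS = {"isakmp": 500, "ipsec-nat-t": 4500}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\w.]+)\.(?P<sport>[\w-]+) > (?P<dst>[\w.]+)\.(?P<dport>[\w-]+): (?P<info>.*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: float  # seconds since midnight
    src: str
    sport: int
    dst: str
    dport: int
    info: str


@dataclass(frozen=True)
class Rewrite:
    ts: float
    member: str       # pool member that originated the IKE packet
    member_port: int  # source port the member used
    vip_port: int     # source port the F5 put on the forwarded copy
    peer: str         # remote IKE peer the packet was sent to


def _port(token: str) -> int:
    if token.isdigit():
        return int(token)
    if token in IKE_PORTS:
        return IKE_PORTS[token]
    raise ValueError(f"unknown port name: {token}")


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text: str) -> list[Packet]:
    """Parse tcpdump -n lines; banner lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(_seconds(m["ts"]), m["src"], _port(m["sport"]),
                              m["dst"], _port(m["dport"]), m["info"]))
    return packets


def find_source_port_rewrites(packets, vip, window=0.001, lookahead=3):
    """Pair each member->peer packet with the copy the F5 forwards from the VIP.

    A capture on the F5 itself shows both legs of a forwarded datagram back to
    back: the pool member's packet, then the VIP's copy to the same peer and
    destination port a few microseconds later. A pair whose source ports differ
    is a source-port (SNAT) rewrite of the kind seen in the thread.
    """
    rewrites = []
    for i, ingress in enumerate(packets):
        if vip in (ingress.src, ingress.dst):
            continue  # only the member-side leg can be the original datagram
        for egress in packets[i + 1:i + 1 + lookahead]:
            if egress.ts - ingress.ts > window:
                break  # capture is chronological; the copy would be right here
            if (egress.src == vip and egress.dst == ingress.dst
                    and egress.dport == ingress.dport
                    and egress.sport != ingress.sport):
                rewrites.append(Rewrite(ingress.ts, ingress.src, ingress.sport,
                                        egress.sport, ingress.dst))
                break
    return rewrites


def rewritten_to_non_ike_port(rewrites):
    """Rewrites whose new source port is not one an IKE peer expects (500/4500)."""
    return [r for r in rewrites if r.vip_port not in IKE_PORTS.values()]


if __name__ == "__main__":
    found = find_source_port_rewrites(parse_capture(CAPTURE), VIP)
    for r in found:
        print(f"{r.member}:{r.member_port} -> {r.peer} forwarded as {VIP}:{r.vip_port}")
    print(f"{len(rewritten_to_non_ike_port(found))} IKE datagram(s) left the VIP on a non-IKE source port")
```

Run it against a fresh `tcpdump -n -i 0.0:nnn host <peer>` taken after adjusting the virtual server's Source Port setting: an empty result means the member's UDP 500 source port now survives the trip through the VIP, while any remaining entries show exactly which datagrams are still being rewritten and to what port.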