Forum Discussion
Eric_Brander_27
Nimbostratus
NimbostratusCommunication between two VPN users
Is there a way to allow direct communication between two VPN users?
I need this allow VOIP CIPC (Cisco IP Communicator) phones to talk directly to each others while connected to the FirePass. Right now when a VPN user using CIPC calls another user also on VPN and using CIPC, the call connects (the Call Manager handles the session connection) but the RTP packets direct from one phone to the other don't make it so there is only silence heard by both parties.
Any suggestions would be appreciated.
Eric
Mike_61719Cirrus
Can you perform a trace on the end-point and on the Firepass?- JMCalalang
Employee
Im not sure if this is the same situation I ran into or not, but i was trying to allow two different VPN users (on two different VPN's/VIP) to communicate. I ended up disabling the vlankeyed option and it allowed me to function correctly. I know there is a way to do it in the GUI i just cant remember where it was but here is the CLI:
"F5 VLan Traffic override"
b db Connection.VlanKeyed disable 
Eric_Brander_27Posted By Mike on 10/28/2011 10:57 AM
Can you perform a trace on the end-point and on the Firepass?
Mike, I'm not sure what you mean here. A packet capture? The packet captures I've done are inconclusive because they are encrypted traffic between the client and the FirePass. I can't see anything past that.I tried to find info on the VlanKeyed setting but come up short. I don't want to make a setting change like that without knowing the implications. Also, I'd like to allow only specific communications from one VPN client to another so that I limit risk of trojan/worm activity spreading to other VPN users.
- jwham20It seems the major change when you disable the Vlankeying is that it will allow for asymetric traffic. The System won't drop traffic that left on one vlan, and came back on a different Vlan.
at least that is how I understand it... if one could call that an understanding...
-----
Warning: This message was sent pre-coffee. The sender does not bear responsibility for any rants/raves/ramblings.
Josh - JMCalalangJosh is correct on what it does, if you have a test environment of course i would suggest running it there. In my environment though I only have one vlan, both of my VPN's terminate at VIP's that are on the same subnet, but to get clients to bridge between the two VPN's i had to stop the F5 from dropping the packets.
i think it actually come down to the f5 has a hidden vlan it uses for routing across the tmm (i forget the name) and when traffic would try to go across that from two different sources (the vips) the F5 would think that traffic coming was bad and dropped my traffic.
Not exactly sure that makes sense to anyone else. =/ - JMCalalangumm if you are looking to allow only certian types of traffic you could specify that in an ACL at the the end of your apm design, similar to where you specify network access resource
- Mike_61719Posted By Eric Brander on 12/06/2011 09:30 AM
Posted By Mike on 10/28/2011 10:57 AM
Can you perform a trace on the end-point and on the Firepass?
Mike, I'm not sure what you mean here. A packet capture? The packet captures I've done are inconclusive because they are encrypted traffic between the client and the FirePass. I can't see anything past that.I tried to find info on the VlanKeyed setting but come up short. I don't want to make a setting change like that without knowing the implications. Also, I'd like to allow only specific communications from one VPN client to another so that I limit risk of trojan/worm activity spreading to other VPN users.
Actually not really. If you have the private key, you can decrypt the traffic. I do it all the time.
