Configure F5 for IPsec VPN as pass through
Hello,
We wish to implement the IPsec VPN via F5.
The traffic flow is as follows: Client (Windows Mobile) --> Internet --> Firewall --> LTM (one-armed mode, SNAT) --> Microsoft TMG.
When we configure a standard virtual server (on UDP ports 500 and 4500) with source-IP-based stickiness and SNAT, the clients are able to establish the tunnel and access their application.
But frequently they get the error message "VPN server is unavailable".
If the clients establish the IPsec tunnel directly to TMG, we see that the communication happens with ESP (UDP 50) and they do not get the error?
Kindly let me know the standard configuration for IPsec VPN pass-through. Also, is it that IPsec VPN with a standard virtual server won't work, or ... ?
Thanks in advance.
Regards, Kannan.
- Matt_Dierick (Employee)
Hi Kannan,
I'm used to setting up a forwarding VS for IPsec, and I use this DB variable: https://support.f5.com/kb/en-us/solutions/public/14000/100/sol14169.html?sr=49639030
I would say, take a trace and check every packet destination port.
Hello Matthieu,
Thanks for your update. Just want to know are you using SNAT?
- Matt_Dierick (Employee)
Did tests with and without. Working for both of them.
- zeiss_63263 (Historic F5 Account)
As a postscript to this thread: ipsec.lookupspi is only of relevance when the data flow happens as ESP in IP and not as ESP in UDP port 4500 (in IP). When NAT is detected, the IPsec peers should switch to UDP port 4500, and once the tunnel is established the ESP will be encapsulated in UDP.
In such a scenario ipsec.lookupspi is of no relevance, because the connection flow characteristics are set up based on the IP/UDP data.
In the scenario that Kannan has proposed, SNAT is supported on the Virtual Server (make sure it is a forwarding Virtual Server); however, that also guarantees that the float to UDP port 4500 will happen, and so ipsec.lookupspi is redundant in this scenario.
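The two points made in this thread, "take a trace and check every packet destination port" and "ipsec.lookupspi only matters for ESP in IP, not for ESP in UDP/4500", can be checked mechanically against a packet capture. The script below is an added example and is not code from the thread or from F5. It assumes a trace summary that has already been reduced to one line per packet in the form `time src dst proto sport dport` (for raw ESP, which has no UDP header, the port columns are `-`); the sample lines are constructed, with documentation addresses, and the server address 198.51.100.5 stands in for the VPN gateway's virtual server. For each client it reports whether the peer floated from UDP/500 to UDP/4500 (NAT-T, so normal UDP flow tracking and SNAT apply) or is sending raw ESP (protocol 50, where the BIG-IP would need SPI-based flow lookup because there are no ports to key on).

```python
"""Classify IPsec packets from a trace summary to see whether each peer floated
to NAT-T (UDP/4500, ESP-in-UDP) or is sending raw ESP (IP protocol 50).

Added example, not part of the original thread or F5's own tooling.
"""
from collections import defaultdict
from typing import Dict

# Constructed sample trace: "time src dst proto sport dport".
# Client 203.0.113.10 is behind NAT and floats to 4500; client 203.0.113.77
# negotiates IKE on 500 and then sends ESP directly in IP (no ports).
SAMPLE_TRACE = """\
10:00:01.001 203.0.113.10 198.51.100.5 udp 500 500
10:00:01.050 198.51.100.5 203.0.113.10 udp 500 500
10:00:01.200 203.0.113.10 198.51.100.5 udp 4500 4500
10:00:01.250 198.51.100.5 203.0.113.10 udp 4500 4500
10:00:02.000 203.0.113.10 198.51.100.5 udp 4500 4500
10:00:05.000 203.0.113.77 198.51.100.5 udp 500 500
10:00:05.100 198.51.100.5 203.0.113.77 udp 500 500
10:00:05.300 203.0.113.77 198.51.100.5 esp - -
"""

# Assumed server (virtual server) address for the constructed trace.
SERVER_IP = "198.51.100.5"


def classify(proto: str, dport: str) -> str:
    """Bucket one packet by what is visible on the wire."""
    if proto == "esp":
        return "esp"    # ESP in IP: no UDP header, so no port to key a flow on
    if proto == "udp" and dport == "500":
        return "ike"    # IKE negotiation
    if proto == "udp" and dport == "4500":
        return "natt"   # NAT-T: IKE and ESP both encapsulated in UDP/4500
    return "other"


def analyze_trace(trace: str, server_ip: str) -> Dict[str, dict]:
    """Per client: packet counts per class, whether the peer floated to 4500,
    and whether raw ESP was seen (which is what needs SPI-based lookup)."""
    counts = defaultdict(lambda: {"ike": 0, "natt": 0, "esp": 0, "other": 0})
    for line in trace.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, _sport, dport = line.split()
        # The client is whichever endpoint is not the server.
        client = dst if src == server_ip else src
        counts[client][classify(proto, dport)] += 1

    report = {}
    for client, c in counts.items():
        report[client] = {
            **c,
            # IKE on 500 followed by traffic on 4500 means NAT was detected
            # and the peers switched to UDP encapsulation.
            "floated": c["ike"] > 0 and c["natt"] > 0,
            # Raw ESP carries no ports, so plain UDP flow tracking cannot
            # distinguish tunnels; this is the case ipsec.lookupspi addresses.
            "needs_spi_lookup": c["esp"] > 0,
        }
    return report


if __name__ == "__main__":
    for client, r in analyze_trace(SAMPLE_TRACE, SERVER_IP).items():
        mode = "NAT-T (UDP/4500)" if r["floated"] else "no float"
        esp = "raw ESP seen" if r["needs_spi_lookup"] else "no raw ESP"
        print(f"{client}: ike={r['ike']} natt={r['natt']} esp={r['esp']} "
              f"-> {mode}, {esp}")
```

Run against a real capture, the same per-client view tells you which of the two cases in zeiss_63263's postscript you are in: clients that show `floated` with no raw ESP are handled by the UDP/500 and UDP/4500 virtual servers with ordinary flow tracking and SNAT, while any client with `needs_spi_lookup` set is sending ESP in IP, which is where a forwarding virtual server for protocol 50 and the ipsec.lookupspi variable become relevant.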