Forum Discussion

REddy's avatar
REddy
Icon for Nimbostratus rankNimbostratus
Jan 26, 2024

F5 APM/SSL VPN/Lease IP's range routing

Hello ,

 

We have a requirement with the routing based on the lease-ip range for 2 SSL VPN URL's.

We have 2 VLANS (External and Internal). External VLAN listens to the traffic from the internet and VIP's are in that range. The Internal VLAN is where the user's traffic will be routed to (Default route) to the internal network.

We have a requirement to provision a new VPN URL on the same APM with a different lease ip range and the traffic must be routed to a different IP other than the one in the default route.

The new internal VLAN & Self-IP's are created where the traffic must be routed to. We have created a FWD VIP with an irule (policy based routing) to select the next hop based on the lease-ip's.

Looks like its not working, the new lease IP's are still getting routed via the default route. I wonder how we can make this irule to trigger ahead of the default route.

 

Any help would be greatly appreciated

 

-Thanks

  • When you provision APM, BIG-IP adds two "hidden" virtual servers to handle the APM tunnel traffic so the admin doesn't have to explicitly set it up. To override it, the virtual server that accepts the traffic must be:

    1- More specific than the hidden virtual's destination address of 0.0.0.0/0. Alternatively you can use a source address set to the lease pool net of the VPN users. Consult that link for details.

    2- Connectivity profile (TMM's virtual PPP access-concentrator interface) is selected in the VLANs selector, or VLAN selector set to All Vlans.

    Afterwards, TMM should select this virtual for traffic ingressing from the VPN users.

    If you want to direct user traffic to different internal routers, there are a lot of different ways to do it:

    • you can use multiple routing virtuals with multiple connectivity profiles (some users get one, some get another).
    • you can use multiple routing virtuals and give your VPN users different lease pools and use the VS's Source selector so TMM selects these different VSs for different users.
    • you can use an iRule that fires on ACCESS_ACL_ALLOWED and sets nexthop to the desired router based on some APM user session data (AD groups, names, etc).

     

  • Ejes's avatar
    Ejes
    Icon for Nimbostratus rankNimbostratus

    How about creating an internal virtual server and routing it to the Pool?

    1. Create two Connectivity Profiles
    2. Apply different Connectivity Profiles to two different URL Virtual Servers.
    3. Create two pools (with the gateway of each different route as a pool member)
    4. Create 2 Internal Virtual Servers
    -- source, destination 0.0.0.0/0
    -- type: performance layer 4
    -- vlan and tunnels -> enabled -> select each connectivity profile
    -- Apply pool
    -- address translation / port translation disable