For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
Jul 31, 2008

Forming a 'tunnel' between F5 pairs...

  I have an idea... Well... It's a possible solution for an interesting challenge I have.     Is it possible for an iRule to ALTER an IP field (e.g. srcIP/port) in a packet before tra...
application delivery
dev
devops
iRules
Nat_Thirasuttakorn's avatar
Nat_Thirasuttakorn
Icon for Employee rankEmployee
Jul 31, 2008
For TCP, you can do this with something like this....

 

On client side vip

 

- snat to LTM address

 

- point to pool which contains remote side LTM vip as a member (or use node command)

 

- iRule to insert src/dst IP/port at beginning of TCP payload

 

- serverside ssl

 

 

On server side vip

 

- clientside ssl

 

- irule to extract original src/dst IP/port and remove it from beginning of TCP payload

 

- use src IP/port information from previous step with snat command, use dst IP/port with node command

 

 

For UDP, you probably can do as well but without ssl. (other encryption may work)