Forum Discussion
rick_17368
Jul 27, 2010
IP spoofing for H.323 traffic using loose initiation and loose close
serverB                         F5                         ServerA (where call initiates from)

ServerA IP: 1.1.1.1 (dynamic port between 30000 - 300010) (and has a loopback IP of 1.1.1.2)
serverB IP: 2.2.2.2
F5: 1.1.1.2 as VIP (which has a profile with loose initiation and loose closing enabled)

[ expectation ]

phase A)
serverB                         F5                         serverA
   ^                                                          |
   |___________________________syn____________________________|   (destination IP: 2.2.2.2, source IP: 1.1.1.2)

phase B)
serverB--------syn/ack-------->F5                          serverA

phase C)
serverB                         F5--------syn/ack-------->serverA

phase D)
serverB                         F5                         serverA
   ^                                                          |
   |___________________________ack____________________________|

The idea behind this is that we are trying to spoof the IP of the VIP on the F5 so that ServerB thinks the connection is coming from a common IP (1.1.1.2), and then, based on the ports (via an iRule), the F5 forwards it to the right server (in this case, ServerA). This allows us to seamlessly add as many servers as possible without serverB needing to add a new IP to be allowed.

This is based on the H.323 call flow, and where we see the failure is this: when ServerA initiates a TCP SYN message (the source IP on that message will be 1.1.1.2) to serverB and the F5 gets the SYN/ACK message from serverB, it does not trigger the iRule, and therefore the SYN/ACK never makes it back to ServerA (and therefore the 3-way handshake never happens).

I have already escalated through F5 but it is not going anywhere. Is there anybody here who might have done this already and has it working?