Forum Discussion
rlb63_75866 (Nimbostratus)
Jul 11, 2011
IPsec VPN behind a GTM/Link controller
We are using a GTM/Link controller to load balance multiple internet links, all in front of a firewall/VPN device.
The outside interface of the firewall terminates the VPN traffic and is set up as an LTM pool listening on any port.
We have multiple LTM VIPs also listening on "any" port facing the internet (Performance L4 with any protocol, address translation but no port translation) with a resource of the previously mentioned LTM pool.
The VPN client is using NAT-T (UDP port 4500) and can connect successfully. After the IKE phase 1 initiation and response, the UDP traffic starts with some high source port from the client to the VPN/VIP on port 4500.
Within a minute and a half, the client disconnects. A capture at the VPN device shows that it is responding to traffic from the original source port as well as another source port.
A tcpdump at the VLAN interfaces of the GTM/LTM does not reflect this ... the dumps only show the original client source port.
AND, if we run a tcpdump on the VLAN interfaces of the F5 to observe the client traffic, the client appears to stabilize and not drop.
Has anyone observed this behavior? Any ideas?
Thanks
- The_Bhattman (Nimbostratus): What type of IP forwarding did you use to handle the IPSEC Tunnel? My thought is that you use a Virtual Forward set to ALL Protocols.
- rlb63_75866 (Nimbostratus): Thanks
- Spidey_29396 (Nimbostratus): rlb63, can you share the step by step procedure in making the VPN tunnel UP? Our Current setup