Forum Discussion
ipsec
Hello everybody,
I have an architecture with 24 IPSEC servers behind a BigIP 2000 cluster.
Customers are mobile phones configured with a public address as an IPSEC termination.
Each public address corresponds to a VS to which is attached a pool of 2 servers in priority group (a master and a slave).
Of the 24 servers, each is master of one VS and slave of another VS; the distribution of customers is by region.
In order to have a more equitable distribution of customers (especially during the loss of a server), I am trying to set up a single VS with a pool containing all of my servers.
Is it possible to do that with LTM?
I cannot find a solution: how can I get persistence for such a flow with dynamic client addresses? In addition, the VPN connection is established in two steps, with UDP 4500 and UDP 500; how can I make sure the second stream is sent to the same server?
Thank you in advance for your help.
From what I understand, you want to load balance IPsec through the BIG-IP.
First of all, make sure you disable the F5 looking at the IPsec traffic, else it will fail:
https://support.f5.com/csp/article/K14169
It suggests L4, which I would keep on any service, so you don't have to worry about the difference between 4500 and 500 and the ESP protocol.
For persistence you need to look at the options.
If IP source-based persistence isn't possible due to changing client IPs, you need to find something else.
It might be you just get different tunnels every time.
https://devcentral.f5.com/questions/load-balancing-vpn-connection
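The single-pool idea discussed in this thread, as an added Python model that is not from either poster and is not how BIG-IP LTM implements persistence: the member is chosen from the source address only, so IKE (UDP 500), NAT-T (UDP 4500) and ESP from one client reach the same server, and losing a server moves only that server's clients. Server names, client addresses and the use of rendezvous hashing are assumptions made for the illustration.

```python
import hashlib
from collections import Counter

# Constructed names for the 24 pool members described in the question.
SERVERS = [f"ipsec-{n:02d}" for n in range(1, 25)]

# Constructed client addresses (documentation ranges).
CLIENTS = [f"198.51.100.{i}" for i in range(1, 255)] + \
          [f"203.0.113.{i}" for i in range(1, 255)]


def pick_member(client_ip, members):
    """Rendezvous (highest-random-weight) hash keyed on the source address only."""
    def weight(member):
        return hashlib.sha256(f"{client_ip}|{member}".encode()).digest()
    return max(members, key=weight)


def route(packet, members):
    """packet = (src_ip, ip_proto, dst_port); protocol and port are ignored on purpose."""
    src_ip, _proto, _port = packet
    return pick_member(src_ip, members)


def tunnel_members(src_ip, members):
    """Set of members chosen for the three flows of one tunnel."""
    flows = [(src_ip, "udp", 500), (src_ip, "udp", 4500), (src_ip, "esp", None)]
    return {route(flow, members) for flow in flows}


def simulate_failure(clients, failed):
    """Return (clients that moved, clients that were on the failed member, new load)."""
    before = {c: pick_member(c, SERVERS) for c in clients}
    survivors = [s for s in SERVERS if s != failed]
    after = {c: pick_member(c, survivors) for c in clients}
    moved = [c for c in clients if before[c] != after[c]]
    on_failed = [c for c in clients if before[c] == failed]
    return moved, on_failed, Counter(after.values())


if __name__ == "__main__":
    moved, on_failed, load = simulate_failure(CLIENTS, "ipsec-07")
    print("members used by one tunnel:", tunnel_members(CLIENTS[0], SERVERS))
    print("clients moved:", len(moved), "of", len(CLIENTS))
    print("per-server load after failure:", sorted(load.values()))
```

A client whose source address changes is hashed afresh in this model, which is the limitation the reply raises about source-based persistence.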