Forum Discussion

yang_128295
Historic F5 Account
Sep 09, 2005

irule for internal bigip of vpn sandwich

A customer has more than 500 branch offices which are connected to HQ through IPsec VPN.

BIG-IP will do VPN LB, like a firewall sandwich.

But there was an issue when a connection is established from HQ to a branch.

In the diagram, if there is a new connection from HQ to branch1, the internal BIG-IP may send traffic to VPN2 even though branch1 has its IPsec tunnel with VPN1, because the internal BIG-IP doesn't know where the IPsec tunnel is established; the traffic is then dropped on VPN2, which has no IPsec tunnel to branch1.

So I made iRules to fix this issue; please see the attached iRules.

vpn_in_irule_final.txt : this rule is applied to the virtual server for incoming traffic from branches
(it makes a table which classifies every branch network (source address) with its last hop (the VPN which has the IPsec tunnel for that branch))

============================

when RULE_INIT {
    # ingress VLAN id of each VPN device -> inside address of that device (the last hop)
    array set ::vlan2gateway { 4091 172.32.246.11 4092 172.32.245.11 }
    # learned at run time: branch C class network -> VPN device which holds its tunnel
    array set ::dest2gateway { }
}

when CLIENT_ACCEPTED {
    set src [IP::remote_addr]
    log "hana_before_source_ip= =${src}="

    # the VLAN the packet arrived on tells us which VPN device the tunnel terminates on
    set vlanid [LINK::vlan_id]
    log "hana_vlan id=$vlanid"

    # position just before the last "." : the end of the C class network part of the address
    set srcpoi [expr { [string last "." $src] - 1 }]
    # extract just the C class network (first three octets) to reduce table size
    set srcaf [string range $src 0 $srcpoi]
    log "hana_after_source_ip= =${srcaf}="

    # only record a mapping for a VLAN we know; an unknown VLAN would otherwise raise a Tcl error
    if { [info exists ::vlan2gateway($vlanid)] } {
        set ::dest2gateway($srcaf) $::vlan2gateway($vlanid)
        log "hana_TABLE=> [array get ::dest2gateway]"
    }

    pool gate_pool
}


=====================================

vpn_out_irule_final.txt : this rule is applied to the virtual server for outgoing traffic to branches
(it searches the table and chooses the right node based on the destination address)

=====================================

This rule is for traffic which is initiated from HQ.


when CLIENT_ACCEPTED {
    log "hoho_asasa [array get ::dest2gateway]"

    set dest [IP::local_addr]
    log "hoho_dest ==> $dest"

    # keep just the C class network of the destination, the same key the incoming rule stored
    set destpoi [expr { [string last "." $dest] - 1 }]
    set destaf [string range $dest 0 $destpoi]
    log "hoho_after_dest_ip= =${destaf}="

    if { [info exists ::dest2gateway($destaf)] } {
        # this packet is VPN traffic: the destination network was learned from a branch
        log "hoho_node_ $::dest2gateway($destaf)"
        # use the VPN device which has the tunnel to the branch office
        node $::dest2gateway($destaf)
    } else {
        # not VPN traffic: just do LB like a firewall sandwich
        pool vpn_pool
    }
}


=============================================

But there are still problems with these iRules.

If branch1 has an IPsec tunnel to VPN1 and a VPN1 failure happens:


1. then active connections from HQ to branch1 will fail, since the internal BIG-IP will still send traffic to VPN1

2. if there is no traffic from branch1 to HQ, then even new connections from HQ to branch1 will fail, since BIG-IP will direct traffic to VPN1 as well.


Additionally there are some risk factors.

I am not sure this iRule is the best for this environment.

I need someone to confirm this iRule is the right one. If it is not, I need more suitable iRules.

And I am not sure BIG-IP can handle 200Mbps traffic with these iRules.

Please advise.

Thanks,
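The learn-on-ingress / look-up-on-egress logic of the two iRules, modelled in plain Python so it can be exercised offline. This is an added example and not the poster's iRules or any F5 code; the VLAN ids and gateway addresses are the ones from the RULE_INIT above, the branch network 10.1.1.0/24, the gateway names and the health set are constructed for the walk-through. It reproduces the stale-entry problem the post describes (after VPN1 fails the posted rule keeps steering branch1 traffic to VPN1) and shows one defensive variant that consults gateway health before trusting a learned entry, which goes beyond the posted rule.

```python
"""Model of ::vlan2gateway / ::dest2gateway steering from the two iRules above.

Added example, not the iRules from the post. Gateway addresses and VLAN ids
come from the post's RULE_INIT; everything else is a constructed sample value.
"""
import ipaddress
from typing import Optional, Set

# Ingress VLAN id -> inside address of the VPN device on that VLAN (from the post's RULE_INIT)
VLAN2GATEWAY = {4091: "172.32.246.11", 4092: "172.32.245.11"}

# Constructed: friendly names for the two gateways, used only for the walk-through
GATEWAY_NAME = {"172.32.246.11": "VPN1", "172.32.245.11": "VPN2"}


def class_c_prefix(ip: str) -> str:
    """Return the /24 network key for an IPv4 address.

    The iRules keep the first three octets with `string last "."` + `string range`
    ("10.1.1"); here the key is the equivalent /24 network computed with ipaddress,
    so a malformed address is rejected instead of producing a bogus key.
    """
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class TunnelTable:
    """The ::dest2gateway array: branch /24 -> VPN device that holds its tunnel."""

    def __init__(self) -> None:
        self.dest2gateway = {}

    def learn(self, src_ip: str, vlan_id: int) -> Optional[str]:
        """vpn_in: a branch-initiated connection arriving on `vlan_id` tells us
        which VPN device terminates that branch's tunnel."""
        gateway = VLAN2GATEWAY.get(vlan_id)
        if gateway is None:
            # Unknown ingress VLAN: nothing is learned (the original rule, without
            # an info exists guard, would raise a Tcl error at this point).
            return None
        self.dest2gateway[class_c_prefix(src_ip)] = gateway
        return gateway

    def select(self, dest_ip: str) -> Optional[str]:
        """vpn_out as posted: the learned gateway, or None meaning
        'no entry, load balance across the pool'."""
        return self.dest2gateway.get(class_c_prefix(dest_ip))

    def select_checked(self, dest_ip: str, healthy: Set[str]) -> Optional[str]:
        """Variant that also consults gateway health (constructed, not in the post):
        a learned entry whose gateway is down is discarded so a new connection
        falls back to the pool instead of being black-holed (problem 2 above).
        A flow already pinned to the failed device is still lost (problem 1)."""
        key = class_c_prefix(dest_ip)
        gateway = self.dest2gateway.get(key)
        if gateway is not None and gateway not in healthy:
            del self.dest2gateway[key]
            return None
        return gateway


def scenario() -> dict:
    """Walk through the post's scenario: branch1 learned behind VPN1, then VPN1 fails."""
    table = TunnelTable()
    # Constructed: branch1 is 10.1.1.0/24 and its tunnel lands on VLAN 4091 (VPN1)
    learned = table.learn("10.1.1.25", 4091)
    before = table.select("10.1.1.200")          # HQ -> branch1 while both devices are up
    healthy_after_failure = {"172.32.245.11"}    # VPN1 is down, only VPN2 remains
    posted = table.select("10.1.1.200")          # posted rule: still VPN1, traffic is dropped
    checked = table.select_checked("10.1.1.200", healthy_after_failure)
    unknown = table.select("192.0.2.7")          # never learned: not VPN traffic, use the pool
    return {
        "learned": GATEWAY_NAME[learned],
        "before_failure": GATEWAY_NAME[before],
        "posted_rule_after_failure": GATEWAY_NAME[posted],
        "checked_rule_after_failure": checked,   # None -> fall back to pool LB
        "non_vpn_destination": unknown,          # None -> fall back to pool LB
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model only decides per new connection, the same point at which CLIENT_ACCEPTED fires; it does not re-steer a flow that is already established, which is why the first problem in the post is not solved by a table check alone.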