Forum Discussion
Keith_Richards_
Nimbostratus
May 12, 2008
Link Controller with IPsec VPN
Has anyone got a configuration of a Link Controller with two ISPs and a Check Point or Cisco IPsec VPN working? If so, can you describe your setup?
I'm working along the lines of a standard VS defined with the address of the remote VPN gateway, address and port translation disabled and default resource of the default gateway pool.
I will create a snatpool with the public facing address of my local VPN public address (i.e. the Check Point firewall).
My question here is how can I get all the traffic to stick to one link and only fail over when the primary link fails? I'm considering using priority activation - does this sound like it will work?
5 Replies
- bruce_p_11387
Nimbostratus
I know this may sound useless, but I have IPSec VPN tunnels working through the LC's, but essentially I had to define a VIP for each tunnel and then it uses a resource of only one link, specifically, the link whose addressing matches the public address of the firewall. SNAT and any other address translation are turned off. It's a forwarding VIP and you define the service port to use all ports as well as allow it to use all protocols.
- dennypayne
Employee
As I discussed in this thread (Click here) I have only been able to get what bporter suggests to work. Unless the IPsec VPN can handle traversing a NAT, then there is no way to switch links with it.
- JackofallTrades
Historic F5 Account
IPSec can traverse a NAT. There is an RFC for it and most vendors support it. I had to write an iRule to get IPSEC to work reliably with LC.
- wwalla_99196
Nimbostratus
Keith-
- Laudec_55181
Altostratus
Hi, I was wondering if you could share the details of this config that you did all those years ago :) I have to do something similar, and any help would be appreciated.