Forum Discussion
Keith_Richards_
Nimbostratus
NimbostratusLink Controller with IPsec VPN
Has anyone got a configuration of a Link Controller with two ISPs and a Check Point or Cisco IPsec VPN working? If so can you describe your setup?
I'm working along the lines of a standard VS defined with the address of the remote VPN gateway, address and port translation disabled and default resource of the default gateway pool.
I will create a snatpool with the public facing address of my local VPN public address (i.e. the Check Point firewall).
My question here is how can I get all the traffic to stick to one link and only failover when the primary link fails? I'm considering using priority activation - does this sound like it will work?
5 Replies
bruce_p_11387I know this may sound useless, but I have IPSec VPN tunnels working through the LC's, but essentially I had to define a VIP for each tunnel and then it uses a resource of only one link, specifically, the link whose addressing matches the public address of the firewall. SNAT and any other address translation are turned off. It's a forwarding VIP and you define the service port to use all ports as well as allow it to use all protocols.
It works, but I have no failover. I was wondering how you get a tunnel to failover to the other link.- dennypayne
Employee
As I discussed in this thread (Click here) I have only been able to get what bporter suggests to work. Unless the IPsec VPN can handle traversing a NAT, then there is no way to switch links with it.
Denny - IPSec can transverse a NAT. There is an RFC for it and most vendors support it. I had to write an iRule to get IPSEC to work reliably with LC.
wwalla_99196Keith-
Did you ever get this to work correctly?
Thanks!
Walla
Laudec_55181Altostratus
Hi, I was wondering if you could share the details of this config that you did all those years ago :) I have to do something similar, and any help would be appreciated.
