Forum Discussion
Glenn_32974
Nimbostratus
Aug 04, 2010
Outbound IPSEC traffic via Link Controller
I'm having an issue where I'm trying to establish a site-to-site VPN connection through a Link Controller, but outbound traffic is being SNAT'ed on the way out, so my VPN peer at the other end of the tunnel is not accepting the package.
Please see the tcpdump statistics below:
[root@venom:Active] config tcpdump -i VLAN-FW src host 201.234.67.35 and dst host 190.67.7.228 and port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on VLAN-FW, link-type EN10MB (Ethernet), capture size 108 bytes
14:34:17.894281 IP 201.234.67-35.static.impsat.com.co.isakmp > 190.67.7.228.isakmp: isakmp: phase 1 I ident
14:34:22.911693 IP 201.234.67-35.static.impsat.com.co.isakmp > 190.67.7.228.isakmp: isakmp: phase 1 I ident
[root@venom:Active] config tcpdump -i VLAN-GLOBAL src host 201.234.186.155 and dst host 190.67.7.228 and port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on VLAN-GLOBAL, link-type EN10MB (Ethernet), capture size 108 bytes
14:34:17.894303 IP 201.234.186.155.isakmp > 190.67.7.228.isakmp: isakmp: phase 1 I ident
14:34:22.911710 IP 201.234.186.155.isakmp > 190.67.7.228.isakmp: isakmp: phase 1 I ident
14:34:32.926833 IP 201.234.186.155.isakmp > 190.67.7.228.isakmp: isakmp: phase 1 I ident
LTM VS Config
ltm virtual outbound-virtual-server {
    destination any:any
    mask any
    persist {
        source_addr {
            default yes
        }
    }
    pool Default-gateway-pool
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        VLAN-FW
    }
    vlans-enabled
}
Pool Config
ltm pool Default-gateway-pool {
    allow-nat no
    allow-snat no
    load-balancing-mode dynamic-ratio-node
    members {
        201.234.186.129:any {
            session monitor-enabled
        }
    }
    monitor gateway_icmp
}
Any ideas on how to disable source address translation so the packet goes out the Link Controller with source IP 201.234.67.35 instead of 201.234.186.155?
Thanks in advance!
- johns
Employee
You can create a virtual server on port 500 for outbound traffic and disable address translation, or translate it to a specific IP (and have this IP added as the VPN peer at the remote end). By using a single IP on one of the links, IPSEC is not going to be able to take advantage of link redundancy, though.
- Chris_Miller
Altostratus
You might have to turn on "NAT-Traversal" on both ends. That's how I got mine working. Also, if you simply want to change the SNAT, you can use an iRule...

when CLIENT_ACCEPTED {
    # match the internal VPN endpoint's source address
    if { [IP::addr [IP::client_addr] equals x.x.x.x] } {
        # translate it using the SNAT pool that holds the address the peer expects
        snatpool x.x.x.x
    }
}

Something like that would work, where snatpool x.x.x.x contains the address you want this to show up as. Edit - I like John's idea quite a bit too!
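John's dedicated-virtual-server suggestion written out in tmsh form, as an added example that is not from any of the posters: one virtual server for IKE on UDP 500 and one for NAT-T on UDP 4500 (the NAT-Traversal Chris mentions), each forwarding to Glenn's Default-gateway-pool on VLAN-FW with address translation disabled. The virtual server names are assumptions; a more specific destination port is matched ahead of the any:any wildcard, so only IKE traffic is affected.

```tmsh
# Added example, not from the thread. Object names are assumptions;
# VLAN-FW and Default-gateway-pool are taken from Glenn's posted config.
# IKE / ISAKMP: forward on UDP 500 without rewriting the source address.
ltm virtual outbound-ike-udp500 {
    destination 0.0.0.0:500
    mask any
    ip-protocol udp
    pool Default-gateway-pool
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        VLAN-FW
    }
    vlans-enabled
}
# NAT-T: same treatment for UDP 4500 if NAT-Traversal is enabled on both ends.
ltm virtual outbound-ike-udp4500 {
    destination 0.0.0.0:4500
    mask any
    ip-protocol udp
    pool Default-gateway-pool
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        VLAN-FW
    }
    vlans-enabled
}
```

Re-run the VLAN-GLOBAL capture afterwards with `src host 201.234.67.35`: the ISAKMP packets should now appear with the internal endpoint's address. If the capture still shows 201.234.186.155 as the source, the rewrite is not coming from this virtual server and the SNAT objects or the link's own translation settings are the next thing to check.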
- Glenn_32974
Nimbostratus
Thanks Chris, John