Forum Discussion
cawong23_136311
Altostratus
Feb 24, 2017
Site to site ipsec vpn pass through Link Controller
Hi all,
Recently I need to configure LC to pass through site to site ipsec vpn traffic, I have checked f5 and devcentral resources but there are no detailed configuration or manual talking abou...
Stanislas_Piro2
Cumulonimbus
Mar 05, 2017
Hi,
When I deploy an LC, I use this iRule for the outgoing VS (this is the only one except the one for FTP):
    when RULE_INIT {
        # -nocomplain avoids an error when the array does not exist yet
        unset -nocomplain static::SnatPolicy
        array set static::SnatPolicy {
            "10.1.1.1" {"gateway_pool_isp1" "1.1.1.1" "1.1.2.1"}
            "10.1.1.2" {"gateway_pool_isp2" "1.1.1.2" "1.1.2.2"}
            "10.1.1.3" {"default_gateway_pool" "1.1.1.3" "1.1.2.3"}
            "default" {"default_gateway_pool" "1.1.1.4" "1.1.2.4"}
        }
        # Format:
        # "source IP Address" {"gateway pool" "NAT when ISP1" "NAT when ISP2"}
    }
    when CLIENT_ACCEPTED {
        # Use the client's own entry if one exists, otherwise the default entry
        if { [info exists static::SnatPolicy([IP::client_addr])] } {
            set clientip [IP::client_addr]
        } else {
            set clientip "default"
        }
        # Element 0 of the entry is the gateway pool
        pool [lindex $static::SnatPolicy($clientip) 0]
    }
    when LB_SELECTED {
        # The selected gateway's subnet tells which ISP link is in use
        if { [IP::addr [LB::server addr]/24 equals 1.1.1.0] } {
            set link 1
        } else {
            set link 2
        }
        # Elements 1 and 2 of the entry are the SNAT addresses for ISP1 and ISP2
        snat [lindex $static::SnatPolicy($clientip) $link]
    }
The VS is performance Layer4 with default gateway_pool and with any protocols.
I also create one pool per ISP:
gateway_pool_isp1 and gateway_pool_isp2, with both gateways as members but with priority group activation.
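
The following is an added example, not part of the original post: a Python model of the iRule's table lookup that checks a SNAT policy table before it is loaded, since a swapped column would send traffic out one ISP link with the other ISP's source address. The ISP2 subnet 1.1.2.0/24 is inferred from the sample SNAT addresses, and the pool set and the gateway address 1.1.1.254 are constructed assumptions.

```python
import ipaddress

# Constructed copy of static::SnatPolicy from the iRule above:
# source -> (gateway pool, SNAT when ISP1, SNAT when ISP2)
SNAT_POLICY = {
    "10.1.1.1": ("gateway_pool_isp1", "1.1.1.1", "1.1.2.1"),
    "10.1.1.2": ("gateway_pool_isp2", "1.1.1.2", "1.1.2.2"),
    "10.1.1.3": ("default_gateway_pool", "1.1.1.3", "1.1.2.3"),
    "default": ("default_gateway_pool", "1.1.1.4", "1.1.2.4"),
}
ISP1_NET = ipaddress.ip_network("1.1.1.0/24")  # the /24 tested in LB_SELECTED
ISP2_NET = ipaddress.ip_network("1.1.2.0/24")  # assumption, from the sample SNATs
POOLS = {"gateway_pool_isp1", "gateway_pool_isp2", "default_gateway_pool"}


def select(client_ip, gateway_ip, policy=SNAT_POLICY):
    """Mirror CLIENT_ACCEPTED and LB_SELECTED: return (pool, snat address)."""
    entry = policy.get(client_ip, policy["default"])
    # Like the iRule, any gateway outside ISP1's /24 is treated as link 2.
    link = 1 if ipaddress.ip_address(gateway_ip) in ISP1_NET else 2
    return entry[0], entry[link]


def lint(policy):
    """Return a list of problems that would make the iRule fail or mis-SNAT."""
    problems = []
    if "default" not in policy:
        problems.append("no 'default' entry: unknown clients hit an unset array key")
    for src, entry in policy.items():
        if len(entry) != 3:
            problems.append(f"{src}: expected pool plus two SNAT addresses")
            continue
        pool, nat1, nat2 = entry
        if pool not in POOLS:
            problems.append(f"{src}: unknown pool {pool}")
        for nat, net in ((nat1, ISP1_NET), (nat2, ISP2_NET)):
            try:
                if ipaddress.ip_address(nat) not in net:
                    problems.append(f"{src}: SNAT {nat} is outside {net}")
            except ValueError:
                problems.append(f"{src}: {nat} is not an IP address")
    return problems


if __name__ == "__main__":
    print(select("10.1.1.1", "1.1.1.254"))  # constructed gateway address
    print(lint(SNAT_POLICY))
```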
