Forum Discussion

Nicolas_ROMERO_'s avatar
Icon for Nimbostratus rankNimbostratus
Jun 19, 2017

SNAT irule doesn't match for a FastL4 VS for an IPSEC VPN

Hi everybody,

I have a problem to bring up an IPSEC Tunnel between 2 firewall with one of them behind an F5 BIGIP.

What I did :

  • Create a VS FastL4 (Source Address, Destination Address my_public_ip_used_for_the_vpn, Service port All_Ports, Protocol All, Source Address Translation NONE).
  • For the SNAT I tried to use a SNAT POOL
  • For the SNAT I tried to use an iRule :

when CLIENT_ACCEPTED {     if { [IP::addr [IP::client_addr] equals] } {        snat X.X.X.X.85        nexthop X.X.X.X.1        log local0. " -- SNAT VPN IPSEC S2S -- [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"       }       }

  • For the SNAT I tried to use GUI :

In all case the F5 doesn't take my SNAT rule and the traffic take another public IP. On the peer device (which is not behind an F5) I have a log "Asymmetric Routing". It's normal because he tries to establish the tunnel with an IP and there is another IP that respond to him.

On the F5 I can see it on the logs

16:30:36.409542 IP Y.Y.Y.Y.isakmp > X.X.X**.85**.isakmp: isakmp: phase 1 I ident

16:30:51.939720 IP > Y.Y.Y.Y.isakmp: isakmp: phase 1 I ident

16:30:51.939732 IP X.X.X**.251**.20251 > Y.Y.Y.Y.isakmp: isakmp: phase 1 ? ident

The peer device seems to successfully contact my firewall on Y.Y.Y.85 but the F5 respond with the Y.Y.Y.251

Is there anything that I forgot in the configuration?

No RepliesBe the first to reply