Forum Discussion
SSL-VPN - Route all traffic NOT via the default gateway but via the CUSTOM gateway
- Sep 16, 2022
Hi tub91
I would suggest that because you need a different default route for the VPN traffic, you might want to consider moving the DMZ2 subnet into its own VLAN (if not already) and then attach that VLAN to its own route domain, along with the lease pool.
In my lab I added a route domain called VPN, with ID 10. I added the VLAN for VPN clients to it, and added my self IPs with route domain notation in the form of 10.1.20.5%10.
Next, I set a default route for the route domain with the following parameters:
Destination: 0.0.0.0%10
Netmask: 0.0.0.0
Gateway Address: 10.1.20.1%10
In the Access Policy's VPE, on the same branch where I assign the network access resource, I added a Route Domain Selection Agent, and set the Route Domain created earlier. Last, if you don't want to use SNAT, set a route on your firewall for the lease pool pointing to the F5's self-IP in the DMZ2 subnet.
Note, there are some limitations that apply to APM and route domains: https://support.f5.com/csp/article/K20465715
Hope this helps,
Josh
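The same steps expressed as BIG-IP tmsh commands, added here as an illustration and not taken from Josh's lab or the thread. The route domain name and ID, the self IP and gateway addresses match the post above; the VLAN name vlan_vpn_clients, the /24 prefix, the route object name, the lease-pool subnet 10.1.30.0/24 and the firewall route line are assumptions for the example.

```tmsh
# 1. Create the route domain and move the VPN-client VLAN into it.
#    (VLAN name is an assumption; it must already exist and be the
#    dedicated DMZ2 VLAN that carries the SSL-VPN client traffic.)
create net route-domain VPN id 10 vlans add { vlan_vpn_clients }

#    If tmsh reports the VLAN is still bound to route domain 0,
#    detach it there first and repeat the command above:
#    modify net route-domain 0 vlans delete { vlan_vpn_clients }

# 2. Self IP for the VPN route domain, written with the %10 suffix.
#    Objects written WITHOUT a %ID suffix stay in route domain 0,
#    so existing addresses in the default route domain are not renamed.
#    (/24 prefix and allow-service setting are assumptions.)
create net self self_dmz2_rd10 address 10.1.20.5%10/24 vlan vlan_vpn_clients allow-service none

# 3. Default route inside route domain 10 only; route domain 0 keeps
#    its own default gateway untouched.
create net route default_rd10 network 0.0.0.0%10/0 gw 10.1.20.1%10

# 4. Verify what was built before touching the access policy.
list net route-domain VPN
list net self self_dmz2_rd10
list net route default_rd10

# 5. Attach the route domain to VPN sessions: in the VPE, on the branch
#    that assigns the Network Access resource, add a Route Domain
#    Selection agent and pick "VPN". This step is done in the GUI, as in
#    the post above; no tmsh line is given for it here.

# 6. Without SNAT, the upstream firewall needs a return route for the
#    lease pool toward the F5 self IP in DMZ2. Vendor-specific; on a
#    Linux-based firewall it would look like (subnet is an assumption):
#    ip route add 10.1.30.0/24 via 10.1.20.5

save sys config
```

The point of step 2 is that the %ID notation is only required for addresses that belong to the new route domain; everything already configured continues to resolve in route domain 0 by default, which is why the existing flows keep their current default gateway.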
I confirm that the DMZ2 subnet is in a dedicated VLAN. We had hypothesized that Route Domains could solve the problem but we wanted to find out if another way was possible.
We have never created another Route Domain. Could the addition of a route domain lead to some problems in the configuration of all the flows already present?
I see that the %ID_VLAN character must be added for the IP of the new route domain.
Is the addition of the %ID_VLAN character to be done also for all the IPs in the default and already existing route domain 0?
Thank you very much