Forum Discussion

Mark_van_D's avatar
Mark_van_D
Icon for Cirrostratus rankCirrostratus
Jun 30, 2020

SSL-VPN - Route all traffic via Default Gateway

So another routing question in regards to SSL-VPN.

 

BIGIP has multiple interfaces.

External - 10.0.0.250 - 10.0.0.0/24

Internal - 192.168.10.250 - 192.168.10.0/24 - contains VSs and Nodes (Nodes have 192.168.10.1 - Firewall as Default Gateway)

Default Route is 10.0.0.1 (Firewall) Firewall has route for 172.16.0.0/24 to 10.0.0.250.

 

When connecting using SSL-VPN - IP Lease from 172.16.0.0/24, with SNAT enabled can communicate with everything. However have the requirement to move to a Non-SNAT setup.

 

With Non-SNAT am able to connect to most things except for the Nodes that have the DGW set to 192.168.10.1, which is understandable.

 

I've tried using NEXTHOP and a Forwarding VS to try and direct all traffic from 172.16.0.0/24 to use DGW 10.0.0.1, but not had any luck.

 

How can I direct all IP Lease Pool clients to use 10.0.0.1 as the gateway?

 

 

  • Hello, it should use the DG of the APM/LTM. What makes you think it is not? Might be a good idea to run a pcap and see what is happening with the traffic; you can it in on 0.0 or the connectivity profile itself:

     

    https://support.f5.com/csp/article/K411

    • Mark_van_D's avatar
      Mark_van_D
      Icon for Cirrostratus rankCirrostratus

      Hi Dave,

       

      It does use the DG for most traffic, but not for the network that it has a direct connection to. Which is fine but that network also has servers on it that don't have the F5 as DG.

      I have looked at using Route Domain as well but that brought it's own issues along.

  • Would a layered VS help? Though it may introduce other challenges in your environment.

    https://support.f5.com/csp/article/K03113285

    https://support.f5.com/csp/article/K74534456