Forum Discussion
faycal_29095
Nimbostratus
Dec 02, 2007
Virtual Server for VPN
Hi everybody,
I created a Virtual Server, type Standard (0.0.0.0/0), for VPN use (UDP 500),
but I see only some packets in this VS.
Please, can you help me understand where exactly we can find the traffic of this VPN? Is it in the Wildcard VS or in this VS?
Thanks.
6 Replies
- JRahm
Admin
Did you enable all protocols on that virtual server? Traditional IPSec uses udp/500, but also protocol 50 (ESP), which would be discarded if you have only allowed udp.
- faycal_29095
Nimbostratus
Hello,
I just enabled UDP/500.
But how can I also enable the ESP protocol on this VS? Is it possible?
Is ESP TCP 50?
Thanks for your help.
- JRahm
Admin
ESP is not a tcp/udp protocol. In the IPv4 protocol field, tcp is 6, udp is 17, and esp is 50. You will need to enable all protocols for this to work. I have attached a snapshot of the GUI configuration.
- faycal_29095
Nimbostratus
We already have a Wildcard Forwarding IP VS (see the attached capture). This VS load balances the internal traffic to the internet using two ISPs.
How can I pass the VPN traffic to only one ISP?
Is it possible to create a Standard VS, 0.0.0.0/0? But how can I specify that this VS should pass only the VPN traffic?
Can I create a Forwarding IP VS with the IP of the VPN peer gateway as destination?
Please tell me what is the best solution to resolve my issue.
Thank you.
- JRahm
Admin
I would do this by applying a virtual 0.0.0.0/0 against ONLY the internal vlan, with a rule applied (below). I am not sure I understand your requirements as a couple of them seem conflicting. Here's a start for you, and if I am misunderstanding, please post back. Also, if you use AH or NAT-T at all, you'll also need to allow for protocol 51 and udp/4500 (respectively).
when CLIENT_ACCEPTED {
    if { [IP::protocol] == 50 } {
        # ESP: pin the tunnel to the ISP1 gateway (ISP1 stands for that member's address)
        pool isp-gateways member ISP1
    } elseif { [IP::protocol] == 17 && [UDP::local_port] == 500 } {
        # IKE negotiation on udp/500 follows the same path; the protocol check keeps
        # the UDP:: command from being evaluated on non-UDP flows of this all-protocol virtual
        pool isp-gateways member ISP1
    } else {
        # everything else is load balanced across both ISP gateways
        pool isp-gateways
    }
}
Of course, you'd need to make sure you have a forwarder for your internal vlan as well applied ONLY to the public-facing vlan.
- faycal_29095
Nimbostratus
I will explain my situation to you.
First we had one ISP, and we also have some internal servers that need to be SNATed to IPs from ISP01.
We created a Wildcard VS 0.0.0.0/0, all protocols, and we applied this iRule:
when LB_SELECTED {
    # specific internal servers keep a fixed public source address from ISP01
    if { [IP::addr [IP::client_addr] equals 172.24.95.139 ] } {
        snat 196.1.1.1
    } elseif { [IP::addr [IP::client_addr] equals 172.24.95.133 ] } {
        snat 196.1.1.2
    } elseif { [IP::addr [IP::client_addr] equals 172.24.95.135 ] } {
        snat 196.1.1.3
    } else {
        # everything else is translated to a self IP via SNAT automap
        snat automap
    }
}
Now we have integrated a second link, ISP02, and we would like to load balance traffic across the two ISPs, but not for the VPN and for the internal servers that must be SNATed; for these two cases, the traffic must go through ISP01.
We think that by creating another VS dedicated to VPN traffic we can resolve this issue, so we can keep the Wildcard Forwarding IP VS with the iRule as below:
when LB_SELECTED {
    # SNATed internal servers keep their ISP01 address and are pinned to the ISP01 gateway pool
    if { [IP::addr [IP::client_addr] equals 172.24.95.139 ] } {
        snat 196.1.1.1
        pool pool_ISP01
    } elseif { [IP::addr [IP::client_addr] equals 172.24.95.133 ] } {
        snat 196.1.1.2
        pool pool_ISP01
    } elseif { [IP::addr [IP::client_addr] equals 172.24.95.135 ] } {
        snat 196.1.1.3
        pool pool_ISP01
    } else {
        # everything else is SNAT automapped and load balanced across both ISP gateways
        snat automap
        pool pool_gateway_ISPs
    }
}
But my problem now is: what kind of VS for VPN traffic must I create, and how do I configure it to support all the VPN traffic?
I hope that you understand my case, and I thank you in advance for your help.
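To make JRahm's point about protocol numbers concrete (a UDP-only virtual never receives ESP or AH, which are their own IPv4 protocols, not ports) and to model the steering his iRule performs, here is an added Python example that is not part of this thread or of any F5 product. The packets, the internal host 172.24.95.10, the peer address 203.0.113.1 and the "ISP1" pool-member placeholder are constructed; pinning AH and NAT-T alongside IKE and ESP follows his follow-up note rather than the rule he posted.

```python
import socket
import struct

# IPv4 protocol numbers and UDP ports that make up IPsec traffic
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500

def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options) in front of payload; checksum left zero (constructed data)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def build_udp(sport, dport, data=b""):
    """UDP header with zero checksum (constructed data)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet):
    """Name the IPsec component a packet belongs to, from the IP protocol field and UDP destination port."""
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes
    proto = packet[9]             # IPv4 protocol field: 6 tcp, 17 udp, 50 esp, 51 ah
    if proto == PROTO_ESP:
        return "ESP"
    if proto == PROTO_AH:
        return "AH"
    if proto == PROTO_UDP:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        return {IKE_PORT: "IKE", NAT_T_PORT: "NAT-T"}.get(dport, "other-udp")
    return "other"

def select_pool(packet):
    """Steering like JRahm's iRule: tunnel traffic pinned to ISP1, everything else load balanced.
    AH and NAT-T are pinned too, per his follow-up note (assumption; ISP1 is a placeholder member)."""
    if classify(packet) in ("IKE", "ESP", "AH", "NAT-T"):
        return "isp-gateways member ISP1"
    return "isp-gateways"

# Constructed traffic from internal host 172.24.95.10 to the VPN peer 203.0.113.1 (documentation address)
SRC, PEER = "172.24.95.10", "203.0.113.1"
TUNNEL = {
    "IKE": build_ipv4(PROTO_UDP, SRC, PEER, build_udp(500, IKE_PORT, b"\x00" * 28)),
    "NAT-T": build_ipv4(PROTO_UDP, SRC, PEER, build_udp(4500, NAT_T_PORT, b"\x00" * 4)),
    "ESP": build_ipv4(PROTO_ESP, SRC, PEER, b"\x00" * 8),
    "AH": build_ipv4(PROTO_AH, SRC, PEER, b"\x00" * 12),
    "dns": build_ipv4(PROTO_UDP, SRC, PEER, build_udp(40000, 53, b"\x00" * 12)),
}

def seen_by_virtual(vs_protocol):
    """Which flows a virtual server with this protocol setting receives: only that IP protocol, or all for "*"."""
    return {name: vs_protocol == "*" or pkt[9] == vs_protocol for name, pkt in TUNNEL.items()}
```

Running `seen_by_virtual(PROTO_UDP)` shows the UDP-only virtual from the first post receiving IKE and NAT-T but silently missing ESP and AH, while `seen_by_virtual("*")` receives every flow, which is why the "all protocols" setting is required.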