VNP Configuration Behind Link Controller

Question

Hi, 
&nbsp; Just wondering , has anyone done a VPN termination which terminates on a firewall behind an F5 link Controller. I think that my configuration is Ok  but the IKE tunnel is always in MM_WAIT_MSG2  state. 
&nbsp; I try this configuration: 
&nbsp;  
&nbsp;  
&nbsp;   
&nbsp; For VPN incoming traffic: 
&nbsp; I have created a VS with port  0 and asocciate with the firewall_internal_pool selecting performance L4 and I have selected all protocols: VS_ENTRADA 
&nbsp; I have created a VS with port  500 and asocciate with the firewall_internal_pool select performance L4 and I have selected all protocol: VS_ENTRADA_500 
&nbsp;  
&nbsp; for VPN outgoing traffic  
&nbsp;  
&nbsp;   I have created a vpn_gateway_pool with the internal IP of the router. 
&nbsp; I have created a VS_SALIDA_500 port 500 and I have associated with the vpn_gateway_pool selecting permance L4 and all protocols. 
&nbsp; And finally I have created  a snat_pool with VPN public IP addresses as snat pool members aplied to the VS_SALIDA_500. 
&nbsp;

dennypayne · Answer

Your configuration should work as long as the VPN supports NAT traversal.  I personally have never seen one that handles this properly, but I'm told they exist.  I've always had to allow IP forwarding directly to the VPN address so that it isn't NAT'ed, but then your VPN connection is pinned on one link and won't fail over to the other one. 
&nbsp;  
&nbsp; Denny

sito79 · Answer

Yes,my configuration supports that kind of Nat..I don´t know how to solve this problem.  
&nbsp; Don´t you think than it could be a problem on the client side (ip address, firewall rule and nat etc)?

jrahm · Answer

port usage for nat is tricky based on many factors, including whether your firewall is the initiator or the responder, or possible to be both.  You may need a default forwarder 0.0.0.0:0 outbound from your firewall connected vlan unless you know all your peer endpoints, but you might get by with 500/4500 udp ports enabled in both directions.  I doubt this will cover every scenario, however, because whereas a stateful firewall will build the chain to return a packet sourced to your allowed destination (in this case, 500/4500), the LTM will not.

Forum Discussion

VNP Configuration Behind Link Controller

3 Replies

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

Create cipher group in f5

Buy F5 Big-IP Virtual Edition Lab licence in FR

VMware Horizon app and X-Forwarded-For

Requests with 307 responses not logged (missing) in ASM events

Big-IP sending Health Check to not-used Node-IP

Related Content

Announcing F5 NGINX Ingress Controller v4.0.0

Overview of API Access Control and implementing API key access control with BIG-IP APM

Integrating Hashicorp Vault with Cert Manager and F5 NGINX Ingress Controller

Distributed caching of authentication requests with NGINX Ingress Controller

ExternalName Service and Authentication Subrequests with NGINX Ingress Controller

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS