Forum Discussion
Harris_Hassan_3
Nimbostratus
May 09, 2008
VPN connection behind F5 Link Controller
Hi,
Just wondering, has anyone done a VPN termination that terminates on a firewall behind an F5 Link Controller? Having some issues establishing a tunnel despite NAT'ing the firewall external interface via a Virtual Server and SNAT.
Previously the customer only had one ISP and it was connected directly to their Juniper SSG. Now that the SSG is behind the F5 with a private IP, I can't seem to get the tunnel up and running.
Anything that I should try besides creating a Virtual Server and SNAT'ing the firewall external interface to a public IP?
Thanks
35 Replies
- dennypayne
Employee
The only way I've been able to get that to work is by allowing IP forwarding to the network behind the LC from one of the links so that a direct connection can be made to the VPN termination IP. That means that a) the backend network probably has to be publicly routable and b) the VPN tunnel is confined to one link and won't be able to fail over to any other links.
I have frequently heard that there are VPN setups that can work even when NAT'ed, but I have yet to see one actually working in the wild.
Denny - Harris_Hassan_3
Nimbostratus
Got a tcpdump of the whole transaction. It seems the NAT is working on the F5 and is able to reach the firewall internal interface. However, once the packet is sent out to the remote host, it stops at the F5 private IP address.
IKE: 172.16.1.1 (f5 self) Responder starts aggressive mode negotiations
Gotta start asking in the Juniper forums if they've done this before - Keith_Richards_
Nimbostratus
Yes, I have seen this working between Check Point Firewall-1 gateways - it even works with path probing so the VPN can fail over between ISPs. I think that you would be best sending IKE negotiation debug info to a Juniper forum and seeing whether that shows up an issue. There isn't an inherent reason why an IPsec VPN can't work through Link Controllers.
To get the F5 to load balance IPsec packets to and from the firewall you need to create a Performance (Layer 4) type of virtual server and make sure that it is set to allow any protocol. - kykong_107132
Nimbostratus
I do have a few customers using Link Controller to front the VPN gateway.
In order for VPN to work behind Link Controller, we need to make sure the VPN gateway works behind a NAT device. I believe most current firewalls should support this.
For incoming traffic
----------------------------------
1. Create a VS with port 0 and associate it with firewall_pool. Select Performance L4 and select All Protocols.
2. Create a VS with port 500 and associate it with firewall_pool_500. This is for IKE traffic. Select Performance L4 and select All Protocols.
For VPN outgoing traffic
------------------------------
To my understanding we cannot load balance VPN traffic; what we can do is provide failover if the primary link is down. To do VPN outbound LB:
1. Create a vpn_gateway_pool with one of the links at higher priority.
2. Create a vpn_wildcard_vs on port 500 and associate it with vpn_gateway_pool.
3. Create a snat_pool with the VPN public IP addresses as SNAT pool members.
Regards,
KY - Harris_Hassan_3
Nimbostratus
KY ...
Off-topic question ...
Wouldn't happen to be Malaysian, would you?
If you're the KY I know then thank you very much for putting up with my weekend calls to you hahahahaha
Will be trying again with the SNAT automap set to internal users only.
Thanks for the help, people. Will update once the problem is solved.
Did a similar installation at another customer site previously, running a 2-tier firewall config, except it's WatchGuard instead of SSG. After much troubleshooting we found out that they had enabled NAT on their own interface and set some proxy options on. Disabled those and everything works fine. - Harris_Hassan_3
Nimbostratus
Double post, apologies - Harris_Hassan_3
Nimbostratus
Close to a solution now. Hopefully it's a permanent solution.
Achieved this by setting the Host ID on the Juniper firewall to point to the remote server. - bruce_p_11387
Nimbostratus
Posted By kky on 05/12/2008 6:46 PM
I do have a few customers using Link Controller to front the VPN gateway.
In order for VPN to work behind Link Controller, we need to make sure the VPN gateway works behind a NAT device. I believe most current firewalls should support this.
For incoming traffic
----------------------------------
1. Create a VS with port 0 and associate it with firewall_pool. Select Performance L4 and select All Protocols.
2. Create a VS with port 500 and associate it with firewall_pool_500. This is for IKE traffic. Select Performance L4 and select All Protocols.
For VPN outgoing traffic
------------------------------
To my understanding we cannot load balance VPN traffic; what we can do is provide failover if the primary link is down. To do VPN outbound LB:
1. Create a vpn_gateway_pool with one of the links at higher priority.
2. Create a vpn_wildcard_vs on port 500 and associate it with vpn_gateway_pool.
3. Create a snat_pool with the VPN public IP addresses as SNAT pool members.
Regards,
KY
Would you have to do this for every IPsec tunnel you have, or would you do this just once per firewall on your public address space (i.e. once for fw 192.168.1.1 and once for 192.168.1.2)? - Beginner_92603
Nimbostratus
Can someone advise on the final configuration required to have an IPsec tunnel up and running with a firewall behind the Link Controller (using a private IP)? - Harris_Hassan_3
Nimbostratus
Posted By tkito on 10/20/2008 4:40 AM
Can someone advise on the final configuration required to have an IPsec tunnel up and running with a firewall behind the Link Controller (using a private IP)?
KY's solution is a working one. The problem with doing this is the configuration you need to make on the firewalls themselves. Since each firewall has its own set of technologies, you might need to check up on them.
E.g., I did one for Juniper and you had to set the host ID. Currently doing one implementation with WatchGuard and it isn't going as smoothly as I had hoped.
In general though, it's best to remember to turn off public NAT and any proxying if available on the firewall.
Hope that helps. On the F5 portion it's pretty straightforward though.
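For readers who want KY's steps (quoted twice above) in concrete form, here is the F5 side rendered as a tmsh configuration fragment. This is an added illustration, not configuration posted in the thread: tmsh syntax did not exist on the 2008-era Link Controllers the thread discusses (they used bigpipe), the addresses are RFC 5737 documentation ranges, and every object name other than KY's firewall_pool, firewall_pool_500, vpn_gateway_pool and vpn_wildcard_vs is an assumption. It also goes one step beyond KY's list by adding an any-protocol outbound wildcard, since ESP (IP protocol 50) carries no port and cannot match a port 500 virtual.

```tmsh
# Added illustration of KY's procedure from this thread; not from the thread itself.
# Assumptions: tmsh (BIG-IP v11+), RFC 5737 addresses, object names beyond KY's.
# 192.168.1.1  = firewall outside interface (private, behind the Link Controller)
# 203.0.113.10 = public VIP that remote IPsec peers are pointed at
# 198.51.100.1 / 198.51.100.129 = next-hop gateways of ISP link 1 and link 2

### Inbound: KY steps 1 and 2 ###

ltm pool firewall_pool {
    members { 192.168.1.1:0 { address 192.168.1.1 } }
    monitor gateway_icmp
}
ltm pool firewall_pool_500 {
    members { 192.168.1.1:500 { address 192.168.1.1 } }
    monitor gateway_icmp
}

# Step 1: port 0, Performance (Layer 4), all protocols. This is what carries
# ESP (protocol 50, no ports) and NAT-T (UDP 4500) to the firewall.
# Port translation is off so ESP passes through untouched.
ltm virtual vs_vpn_any {
    destination 203.0.113.10:0
    ip-protocol any
    profiles { fastL4 { } }
    pool firewall_pool
    translate-address enabled
    translate-port disabled
}

# Step 2: dedicated IKE virtual on UDP 500 (KY chose All Protocols here too;
# udp is used since IKE is UDP-only, an assumption of this example).
ltm virtual vs_vpn_ike {
    destination 203.0.113.10:500
    ip-protocol udp
    profiles { fastL4 { } }
    pool firewall_pool_500
    translate-address enabled
    translate-port disabled
}

### Outbound: KY steps 1 to 3 (failover between links, not load balancing) ###

# Step 1: both ISP gateways in one pool; the higher priority-group value wins
# while its member is up, so traffic only moves to link 2 when link 1 fails.
ltm pool vpn_gateway_pool {
    min-active-members 1
    members {
        198.51.100.1:0   { address 198.51.100.1   priority-group 10 }
        198.51.100.129:0 { address 198.51.100.129 priority-group 5 }
    }
    monitor gateway_icmp
}

# Step 3: SNAT pool holding the public VPN IP, so outbound IKE/ESP from the
# firewall leaves with the same public source the remote peer is configured for.
ltm snatpool vpn_snat_pool {
    members { 203.0.113.10 }
}

# Step 2: wildcard virtual on port 500, listening only on the internal VLAN and
# only for the firewall as source; destination is left untranslated so the
# packet still reaches the remote peer, only the source is SNAT'ed.
ltm virtual vpn_wildcard_vs {
    destination 0.0.0.0:500
    ip-protocol udp
    source 192.168.1.1/32
    profiles { fastL4 { } }
    pool vpn_gateway_pool
    source-address-translation { type snat pool vpn_snat_pool }
    translate-address disabled
    translate-port disabled
    vlans { internal }
    vlans-enabled
}

# Beyond KY's list: the same for ESP and NAT-T, which a port 500 virtual cannot match.
ltm virtual vpn_wildcard_vs_any {
    destination 0.0.0.0:0
    ip-protocol any
    source 192.168.1.1/32
    profiles { fastL4 { } }
    pool vpn_gateway_pool
    source-address-translation { type snat pool vpn_snat_pool }
    translate-address disabled
    translate-port disabled
    vlans { internal }
    vlans-enabled
}
```

Two things to check after loading this, both of which the thread itself raises: the firewall must be told its public identity (Harris set the Juniper host ID to get IKE to complete), because the peer sees 203.0.113.10 while the firewall's interface holds 192.168.1.1; and the firewall's own NAT and any proxy options on the outside interface should be off, since a second translation on top of the SNAT is what broke the WatchGuard installation described above.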