Forum Discussion
VPN connection behind F5 Link controller
Hi guys,
We have some setups following some of the suggestions presented here, including the need for special VSs, like 500.
Also, we have dealt with IPSECv1 and IPSECv2 site-to-site VPNs, L2TP, IKE and SSL client-to-site VPNs.
One related matter that is still bothering us is the Check Point SSL Network Extender client for Linux. It's a compiled program using OpenSSL and other stuff that requests some HTTPS URLs from the VPN-1 Gateway and parses its replies searching for special var=value pairs.
Even on R77.10, Check Point does not have (or I haven't found it yet) a way to set the gw_ip that is replied to SNX for Linux, telling it that it uses a NATed IP to receive connections behind a NAT firewall or F5. This option should follow the IPSEC -> Link Selection -> Incoming option for site-to-site VPNs, or the GuiEdit fun part for Remote Access (basically setting RA-like variables through the Check Point internal "registry" which are not yet available in the SmartDashboard GUI).
So, back to the F5 world, we tried:
ltm pool /Common/pool_vpngw_443 {
    members {
        /Common/172.NN.XX.200:443 {
            address 172.NN.XX.200
        }
    }
    monitor /Common/tcp_half_open
}
ltm virtual /Common/vs_vpngw_443 {
    destination /Common/177.NN.XX.8:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/pool_vpngw_443
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
And SNX fails when establishing the last part before opening the SSL tunnel, because it receives the VPN-1 Gateway's external IP, which is a reserved one.
Changed the VS to:
ltm virtual /Common/vs_vpngw_443 {
    destination /Common/177.NN.XX.8:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/pool_vpngw_443
    profiles {
        /Common/clientssl_lab_vpn-1 {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
    rules {
        /Common/irule-sslvpn-linux
    }
    source 0.0.0.0/0
    source-port preserve-strict
    translate-address enabled
    translate-port disabled
    vlans-enabled
}
ltm rule /Common/irule-sslvpn-linux {
when HTTP_REQUEST {
    # Rewrite the gateway's internal address in the request URI to the public one
    if { [HTTP::uri] contains "172.NN.XX.200" } {
        HTTP::uri [string map {"172.NN.XX.200" "177.NN.XX.2"} [HTTP::uri]]
    }
}
}
In the Linux SNX client's debug output I could see that the gw_ip had changed, but the SSL tunnel could not be established.
Windows clients work from the start with the original configuration.
Does anyone have a solution for it?
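The post says the Linux client parses the gateway's HTTP replies for var=value pairs, while the iRule above only rewrites the request URI. The following iRule is an added example (not the poster's configuration and not Check Point or F5 reference code) that rewrites the internal address inside the response body instead, using the BIG-IP stream filter. It assumes a stream profile is attached to the virtual server (the STREAM:: commands require one), that a serverssl profile re-encrypts traffic toward the pool member on 443, and it reuses the post's placeholder addresses, mapping the internal gateway IP 172.NN.XX.200 to the VS's own public address 177.NN.XX.8.

```tcl
# Added example (not from the original post): rewrite the gateway address
# that SNX reads out of the HTTP *response* body, not only the request URI.
# Assumptions: a stream profile is attached to vs_vpngw_443, a serverssl
# profile re-encrypts toward the pool member on 443, and the addresses
# below are the post's placeholders (internal gateway IP -> public VS IP).

when HTTP_REQUEST {
    # Start with the stream filter off; it is enabled per response below,
    # and only when the body is text.
    STREAM::disable
    # Ask the gateway for an uncompressed body so the filter can match
    # the plain-text var=value pairs.
    HTTP::header remove "Accept-Encoding"
}

when HTTP_RESPONSE {
    # Only touch text bodies; binary payloads (the tunnel data itself,
    # images) must pass through unchanged.
    if { [HTTP::header exists "Content-Type"] && [HTTP::header "Content-Type"] contains "text" } {
        # Replace every occurrence of the internal address with the public
        # address the Linux client has to connect back to.
        STREAM::expression {@172.NN.XX.200@177.NN.XX.8@}
        STREAM::enable
    }
}
```

Attach a stream profile to the virtual server before assigning this iRule (for example, `tmsh modify ltm virtual /Common/vs_vpngw_443 profiles add { stream }`); without it the STREAM:: commands fail validation. Limiting the rewrite to text content types keeps the filter from touching the encrypted tunnel bytes once the session is up, and removing Accept-Encoding on the request is what makes the response body matchable at all.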