Forum Discussion
Harris_Hassan_3
Nimbostratus
NimbostratusVPN connection behind F5 Link controller
Hi ,
Just wondering , has anyone done a VPN termination which terminates on a firewall behind an F5 link Controller. Having some issues establishing a tunnel despite NAT'ing the Firewall external interface via Virtual Server and SNAT.
Previously customer only had one ISP and it was connected directly to their Juniper SSG. Now that the SSG is behind the F5 with a private IP , can't seem to get the tunnel up and running.
Anything that i should try besides creating a Virtual server and SNAT'ing the fw external interface to a public IP.
Thanks
35 Replies
Jack_39703Hi Chris
can you post the iRule for reference? thanks.
Jack- Chris_Miller
Altostratus
Jack,
It'd be something like this:
when CLIENT_ACCEPTED {
if { [IP::client_addr] eq x.x.x.x } {
snatpool snatpool_y.y.y.y } }
x.x.x.x would be the private IP that your VPN listens on and snatpool_y.y.y.y would be the name of a SNAT Pool containing your VPN's public IP address. 
hoolioCirrostratus
if { [IP::addr [IP::client_addr] equals x.x.x.x] } {
:)
Jim_Sellers_473Bumping this again .... why do you need to build a port 500 vs when your already using a 0 port ?- Jim_Sellers_473Bumping this again .... why do you need to build a port 500 vs when your already using a 0 port ?
- jake_macabuag_4That is also our concern, sometimes we need to put a specific service for the traffic to pass. seems like port 0 or any:any is not working for us. Sample, we need to create an outbound virtual service any:11000 just in order to pass this traffic wherein fact any:any (outbound) should be fine
- Jim_Sellers_473Hmm.... did we find a bug here?
- jake_macabuag_4the units are in HA mode. neither would work fine. Upgraded already both to version 10. might be a hardware issue already
- Jim_Sellers_473Aaron? Whats your thoughts on this ?
ezbutton_21064I think the poster that built the port 500 and then the 0 port added the port 500 vs first, and added the 0 port vs afterwards. My guess is that the 0 port allowed NAT traversal, and that the 0 port vs could have been set to 4500 UDP for NAT traversal as well.
