Hi , Just wondering , has anyone done a VPN termination which terminates on a firewall behind an F5 link Controller. Having some issues establishing a tunnel despite NAT'ing the Firewall external interface via Virtual Server and SNAT. Previously customer only had one ISP and it was connected directly to their Juniper SSG. Now that the SSG is behind the F5 with a private IP , can't seem to get the tunnel up and running. Anything that i should try besides creating a Virtual server and SNAT'ing the fw external interface to a public IP. Thanks

The only way I've been able to get that to work is by allowing IP forwarding to the network behind the LC from one of the links so that a direct connection can be made to the VPN termination IP. That means that a) the backend network probably has to be publicly routeable and b) the VPN tunnel is confined to one link and won't be able to fail over to any other links. I have frequently heard that there are VPN setups that can work even when NAT'ed but I have yet to see one actually working in the wild. Denny

Got a TCPdump of the whole transaction. It seems the NAT is working on the F5 and is able to reach the Firewall internal interface. However , once packet is sent out to remote host , it stops at the F5 Private ip address. IKE : 172.16.1.1 (f5 self)Responder starts aggresive mode negotiations Gotta start asking in the Juniper forums if they've done this before

Yes, I have seen this working between Check Point Firewall-1 gateways - even works with path probing so the VPN can failover between ISPs. I think that you would be best sending IKE negotiation debug info to a Juniper forum and see if that shows up an issue. There isn't an inherent reason why an IPsec VPN can't work through Link Controllers. To get the F5 to load balance IPSEC packets to and from the firewall you need to create Performance (Layer 4) type of virtual server and made sure that it was set to allow any protocol.

I do have few customer using Link controller to front the VPN gateway. In order for VPN to work behind Link Controller, we need to make sure the VPN gateway work behind the NAT device. I believe most of the current firewall should support this. for incoming traffic ---------------------------------- 1. create VS with port 0 and associate with the firewall_pool. select performanceL4 and select All protocol. 2. create VS with port 500 and associate with the firewall_pool_500. this is for IKE traffic.select performanceL4 and select All protocol. for VPN outgoing traffic ------------------------------ to my understanding we cannot load balance VPN traffic, what we can do is provide failover if the primary link is down. to do VPN outbound LB, 1. create a vpn_gateway_pool with 1 of the link higher priority. 2. create a vpn_wildcard_vs port 500 and associate with vpn_gateway_pool. 3. create a snat_pool with VPN public IP addresses as snat pool members. regards, KY

KY ... Out of topic question ... Wouldn't happen to be Malaysian would you ? If you're the KY i know then thank you very much for putting up with my weekend calls to you hahahahaha Will be trying again with the SNAT automap set to internal users only. Thanks for the help people. Will update once problem is solved. Did a similar installation at another customer site previously , running a 2 tier firewall config , accept it's Watchguard instead of SSG. After much troubleshooting we found out that they enabled NAT on their own interface and set some proxy options on. Disabled those and everything works fine.

VPN connection behind F5 Link controller

35 Replies

kenny_keng_7131
Nimbostratus
Dec 11, 2008
Posted By keith_richards on 05/10/2008 7:41 AM

Yes, I have seen this working between Check Point Firewall-1 gateways - even works with path probing so the VPN can failover between ISPs. I think that you would be best sending IKE negotiation debug info to a Juniper forum and see if that shows up an issue. There isn't an inherent reason why an IPsec VPN can't work through Link Controllers.

To get the F5 to load balance IPSEC packets to and from the firewall you need to create Performance (Layer 4) type of virtual server and made sure that it was set to allow any protocol.

hi keith_richards,

we meet the same problem with checkpoint and F5 LC

our condition: LC has 2 wan link and do NAT job. Checkpoint outside interface use private ip address . we use static NAT ip address at VPN setup in checkpoint.

it can be working ,but can not failover.

as you mentioned : even works with path probing so the VPN can failover between ISPs.

could you please share you configure about checkpoint vpn Configure ?

Thank you very much.
kris_52344
Nimbostratus
Mar 10, 2009
thnks ky,

your solution worked for me.

i wa dealing with juniper firewall..
kris_52344
Nimbostratus
Mar 10, 2009
thnks ky,

your solution worked for me.

i wa dealing with juniper firewall..
wwalla_99196
Nimbostratus
May 01, 2009
Hi there, I will be attempting this with ASA's behind the LC's. Anyone get to anycaveats with this set up or will it be similar?

Thanks!
wwalla_99196
Nimbostratus
May 01, 2009
Hi there, I will be attempting this with ASA's behind the LC's. Anyone get to anycaveats with this set up or will it be similar?

Thanks!
wwalla_99196
Nimbostratus
May 01, 2009
Hi there, I will be attempting this with ASA's behind the LC's. Anyone get to anycaveats with this set up or will it be similar?

Thanks!
tranchungdt5_93
Nimbostratus
Jun 17, 2009
Hi all.

I search in our forum and see the same problem with me ?

I have 2 box ASA behind Link Controller and need VPN to box ASA. Any body has solution ?

Plz, help me.

TC
Chris_Miller
Altostratus
Aug 12, 2009
Bumping this. I have the same problem with a Juniper device behind Link Controller. This worked fine with Radware's LinkProof solution but doesn't seem to work with Link Controller.
jake_macabuag_4
Nimbostratus
Dec 15, 2009
same thing here. it is not working with netscreen firewall with private ip address. i created already PerfL4 VS with port 0 on just one ISP link. My pool member is the private ip of the firewall directly connected to the F5 internal LAN.

we are doomed!!!
Chris_Miller
Altostratus
Mar 31, 2010
I got this working awhile back. Hopefully no one is having a problem!

i turned on "NAT-Traversal" on both sides of the Junipers and had to create an iRule to SNAT my outbound heartbeat packets to match the VS address otherwise the remote devices would see "unrecognized gateway."