
Forum Discussion

Jorge_Manya
Feb 12, 2020

VPN IPsec through F5 LTM

Hello folks:

I need your kind help for a design considering the following scenario:

Nowadays, I have a firewall that is managing a public segment 200.200.200.0/24, and it is using 200.200.200.10 to perform two actions: 1) to establish VPN IPsec tunnels towards many other IPsec peers on the Internet, and 2) to take out users' navigation traffic from the internal network.

I need to displace the firewall so the LTM can manage the public segment. How could I achieve this? I need to use the LTM to allow the users' navigation and to let the VPN IPsec traffic pass (passthrough). For the first thing, I think I need a SNAT with 200.200.200.10 as the translation address, but I am not sure about how to treat the VPN IPsec traffic. Do I need special virtual servers to achieve that? Do you think I will have troubles or conflicts because I only have one IP to do both things?

Thanks folks..!

Regards

Jorge