Forum Discussion
VPN Traffic through F5 BIG-IP
Hi,
I have the following problem: we have a Checkpoint firewall located behind an F5 BIG-IP (v11.3) appliance and we need to terminate VPN traffic on the Checkpoint. I am currently not able to figure out how to forward external IPSec traffic through the F5 to an internal IP belonging to the Checkpoint. I think it should work with a Forwarding virtual server, but as far as I understand, the Checkpoint would need an external IP in this case, which is not possible.
So I need the F5 to hold all external IPs and forward IPSec traffic on one external IP to an internal server.
Could anyone tell me the right configuration for this case?
Thanks in advance!
Ralf
4 Replies
With a fastL4 virtual server you send traffic to a specific pool; if you put the Checkpoint as a pool member in that pool it might work. Not really sure how well the F5 will handle IPSec traffic. With just all protocols it might go fine.
- mr_evil_116524
Nimbostratus
I might be able to give you some ideas, as I had a lot of trouble just setting up an IPSEC tunnel. I take it you already have an IPSEC tunnel between your site and the external system? And you must have a traffic selector, which means you know you are mapping your internal IP to the remote internal IP. Once you do that, you will need to create a forwarding VIP with source = remote internal IP and destination = your internal IP. That should work.
BUT one thing to remember: if your Checkpoint is ONLY one server, please do not make the mistake of putting that IP as the destination IP; you must just use that server as a pool. If you do not do this, say for some reason your Checkpoint server needed to be restarted, and when it does come back up it WILL NOT be able to assign the same IP, as it is now used by the F5. We had the same issue last week, man, it was a pain to figure out but eventually I did.
I hope this helps.
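For readers who want to see what the pool-based fastL4 layout suggested in the two replies above looks like on the BIG-IP itself, here is an added tmsh example for an LTM v11.x system; it is not configuration from this thread or from F5. It reuses the thread's placeholder addresses (x.x.x.236 public VIP, y.y.y.1 Checkpoint, y.y.y.2 F5 internal self IP); the object names and the idle-timeout value are assumptions.

```tmsh
# Added example (not from the thread). Placeholder addresses from the thread:
#   x.x.x.236 = public IP the BIG-IP answers on for IPSec
#   y.y.y.1   = internal Checkpoint VPN endpoint
#   y.y.y.2   = BIG-IP internal self IP (must be the Checkpoint's default gateway)
# Object names (pool_checkpoint_vpn, fastL4_ipsec, vs_ipsec_passthrough) are assumed.

# Pool with the Checkpoint as its only member; port 0 = any port.
# Putting the Checkpoint in a pool, rather than using y.y.y.1 as the VS
# destination, is the point made in the second reply above.
create ltm pool pool_checkpoint_vpn members add { y.y.y.1:0 } monitor gateway_icmp

# fastL4 profile with a long idle timeout so ESP / UDP 4500 flows are not
# reaped while a tunnel is quiet (the default fastL4 idle timeout is 300 s).
create ltm profile fastl4 fastL4_ipsec defaults-from fastL4 idle-timeout 3600

# Wildcard-port, all-protocol virtual server: catches IKE (UDP 500, and UDP 4500
# for NAT-T) and ESP (IP protocol 50) on the public address and hands them to
# the pool. translate-port disabled keeps UDP 500/4500 intact so IKE still works.
# No SNAT is configured: the Checkpoint sees the real peer address, and the
# BIG-IP sees the return traffic because y.y.y.2 is the Checkpoint's default route.
create ltm virtual vs_ipsec_passthrough destination x.x.x.236:0 ip-protocol any profiles add { fastL4_ipsec } pool pool_checkpoint_vpn translate-address enabled translate-port disabled

save sys config

# Check after a peer connects: the IKE and ESP flows should appear here.
show sys connection cs-server-addr x.x.x.236
```

If the Checkpoint also needs to reach out to remote peers itself, a separate outbound forwarding virtual server on the internal VLAN is required; the inbound passthrough above only covers tunnels initiated from outside.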
- Ralf_Schubert_1
Nimbostratus
I'm not sure if I understand you right; do you mean the following? Let's assume the F5 has the public IP x.x.x.236 on which IPSec traffic should be accepted and forwarded. It also has the internal IP y.y.y.2. The F5 should now forward the IPSec traffic coming in on x.x.x.236 to the internal Checkpoint server at y.y.y.1. So you mean I create a virtual server in Forwarding (IP) mode, with source x.x.x.236 and destination y.y.y.1? Are you sure that works? Or did I understand you totally wrong? Thanks for your help
- mr_evil_116524
Nimbostratus
Hello, maybe we are talking about two things. When you say IPSEC, did you create an IPSEC tunnel between your F5 and the remote site? I am talking about peer IPs. In there you should have specified local and remote internal IPs? Please confirm; also see the following link: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip_tmos_implementations_11_0_0/5.html