SNAT irule doesn't match for a FastL4 VS for an IPSEC VPN

Nicolas_ROMERO_
Nimbostratus

Hi everybody,


I have a problem bringing up an IPsec tunnel between 2 firewalls, one of which is behind an F5 BIG-IP.


What I did:


  • Create a FastL4 VS (Source Address 0.0.0.0/0, Destination Address my_public_ip_used_for_the_vpn, Service Port All Ports, Protocol All, Source Address Translation None).
  • For the SNAT I tried to use a SNAT pool.
  • For the SNAT I tried to use an iRule:

    when CLIENT_ACCEPTED {
        # Only translate flows coming from the internal firewall
        if { [IP::addr [IP::client_addr] equals 10.199.0.1/32] } {
            # Translate the source to the public VPN address
            snat X.X.X.X.85
            # Send the translated traffic to the upstream gateway
            nexthop X.X.X.X.1
            # Note: TCP:: commands only return values on TCP flows;
            # IKE is UDP (500/4500) and ESP (IP protocol 50) has no ports
            log local0. " -- SNAT VPN IPSEC S2S -- [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
        }
    }


  • For the SNAT I tried to use the GUI (screenshot).

In all cases the F5 doesn't take my SNAT rule and the traffic takes another public IP. On the peer device (which is not behind an F5) I have a log "Asymmetric Routing". It's normal because it tries to establish the tunnel with one IP and there is another IP that responds to it.


On the F5 I can see it in the logs:


    16:30:36.409542 IP Y.Y.Y.Y.isakmp > X.X.X**.85**.isakmp: isakmp: phase 1 I ident
    16:30:51.939720 IP 10.199.0.1.isakmp > Y.Y.Y.Y.isakmp: isakmp: phase 1 I ident
    16:30:51.939732 IP X.X.X**.251**.20251 > Y.Y.Y.Y.isakmp: isakmp: phase 1 ? ident

The peer device seems to successfully contact my firewall on Y.Y.Y.85, but the F5 responds with Y.Y.Y.251.


Is there anything that I forgot in the configuration?
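As an added illustration (editor's example, not code from the original post or from F5), here is an iRule variant for a FastL4 virtual server that applies the SNAT per IP protocol, so the log line never calls TCP:: commands on IKE (UDP) or ESP (no ports) flows, and that keeps the original UDP source port, since the capture above shows the translated IKE packet leaving from port 20251 instead of 500. The addresses are placeholders, and it assumes the virtual server it is attached to is the one the outbound IKE packets from the internal firewall actually traverse.

```tcl
# Added example, not from the original post. Placeholder addresses throughout.
when CLIENT_ACCEPTED {
    # Internal firewall that initiates the tunnel (placeholder)
    set internal_fw 10.199.0.1
    # Public address the remote peer expects to see (placeholder)
    set public_ip 192.0.2.85

    # Leave every other client untranslated by this rule
    if { ![IP::addr [IP::client_addr] equals $internal_fw] } {
        return
    }

    switch [IP::protocol] {
        17 {
            # IKE (UDP 500) and NAT-T (UDP 4500): keep the original source
            # port, because many peers expect IKE to arrive from port 500
            snat $public_ip [UDP::client_port]
            log local0. "IPsec SNAT udp [IP::client_addr]:[UDP::client_port] -> $public_ip:[UDP::client_port] dst [IP::local_addr]:[UDP::local_port]"
        }
        50 {
            # ESP carries no ports; translate the address only
            snat $public_ip
            log local0. "IPsec SNAT esp [IP::client_addr] -> $public_ip dst [IP::local_addr]"
        }
        default {
            # Other protocols from this host are not translated here
            log local0. "IPsec SNAT skipped, proto [IP::protocol] from [IP::client_addr]"
        }
    }
}
```

Check the result with a capture on the external VLAN: the IKE packets toward the peer should leave from the public address with source port 500 (or 4500), and the peer's "Asymmetric Routing" log should stop once both directions use the same address.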

