
SSL-VPN - Route all traffic via Default Gateway

Mark_van_D
Cirrostratus

So, another routing question regarding SSL-VPN.

BIGIP has multiple interfaces.

External - 10.0.0.250 - 10.0.0.0/24

Internal - 192.168.10.250 - 192.168.10.0/24 - contains VSs and Nodes (Nodes have 192.168.10.1 - Firewall as Default Gateway)

Default Route is 10.0.0.1 (Firewall). Firewall has a route for 172.16.0.0/24 to 10.0.0.250.

When connecting using SSL-VPN, with an IP lease from 172.16.0.0/24 and SNAT enabled, I can communicate with everything. However, I have the requirement to move to a non-SNAT setup.

With non-SNAT I am able to connect to most things except for the Nodes that have the DGW set to 192.168.10.1, which is understandable.

I've tried using NEXTHOP and a Forwarding VS to try and direct all traffic from 172.16.0.0/24 to use DGW 10.0.0.1, but have not had any luck.

How can I direct all IP Lease Pool clients to use 10.0.0.1 as the gateway?

3 REPLIES

Dave_W
F5 Employee

Hello, it should use the DG of the APM/LTM. What makes you think it is not? It might be a good idea to run a pcap and see what is happening with the traffic; you can run it on 0.0 or on the connectivity profile itself:


https://support.f5.com/csp/article/K411

Hi Dave,

It does use the DG for most traffic, but not for the network that it has a direct connection to. That is fine, but that network also has servers on it that don't have the F5 as DG.

I have looked at using Route Domain as well, but that brought its own issues along.

Kin
F5 Employee

Would a layered VS help? Though it may introduce other challenges in your environment.

https://support.f5.com/csp/article/K03113285

https://support.f5.com/csp/article/K74534456
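
As an added illustration, not code from the thread and not something the thread confirms works in Mark's environment: the approach Mark describes (a forwarding-style virtual server that sends everything sourced from the lease pool to 10.0.0.1 instead of letting the BIG-IP use its connected route to 192.168.10.0/24), written out as tmsh so the pieces that matter for a non-SNAT setup are visible. The object names `pool_fw_gw` and `vs_vpn_to_fw`, and the client address 172.16.0.5 used in the checks, are assumptions; the addresses and subnets are the ones from the original post.

```tmsh
# Added illustration (not from the thread). Names are assumptions.
#
# Idea: a wildcard virtual server restricted to the VPN lease-pool source
# network, with the firewall as its only pool member. Traffic from
# 172.16.0.0/24 that no more specific virtual server claims is then
# handed to 10.0.0.1, so Nodes on 192.168.10.0/24 are reached through
# the firewall rather than over the BIG-IP's directly connected route,
# and their replies (via DGW 192.168.10.1) come back the same way.

# Gateway pool: the firewall as the only member; port 0 means any port.
create ltm pool pool_fw_gw members add { 10.0.0.1:0 } monitor gateway_icmp

# Wildcard virtual server, scoped to the lease-pool network by "source".
# translate-address/translate-port disabled: the packet keeps its real
# destination (the Node), the pool member only supplies the next hop.
# source-address-translation none: the client's 172.16.0.x address is
# preserved, which is the non-SNAT requirement from the post.
create ltm virtual vs_vpn_to_fw destination 0.0.0.0:0 mask any source 172.16.0.0/24 ip-protocol any profiles add { fastL4 { } } pool pool_fw_gw translate-address disabled translate-port disabled source-address-translation { type none }

save sys config

# Checks after a VPN client (172.16.0.5, assumed) opens a connection to a Node:
# the virtual server's packet/connection counters should climb, and the
# connection table should show a server-side flow toward the Node.
show ltm virtual vs_vpn_to_fw
show sys connection cs-client-addr 172.16.0.5
```

Two caveats when trying this. Virtual-server selection prefers the more specific destination first, so the existing host virtual servers on 192.168.10.x still win for traffic aimed at them; only traffic that would otherwise fall through to the connected route (the Nodes themselves) is affected. And the virtual server is left enabled on all VLANs and tunnels (the default), because lease-pool traffic enters from the network access tunnel, not from a VLAN; if it is restricted to VLANs, it will never see the VPN clients. If the counters stay at zero, a capture on 0.0 as Dave suggests (K411) shows whether the packets from 172.16.0.0/24 are matching a different virtual server or being forwarded directly.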