
VPN IPsec through F5 LTM

Jorge_Manya
Altocumulus

Hello folks:

I need your kind help for a design considering the following scenario:

Nowadays, I have a firewall that is managing a public segment 200.200.200.0/24 and it is using the 200.200.200.10 to perform two actions: 1) to establish VPN IPsec tunnels towards many other IPsec peers on the internet, and 2) to take out users' navigation traffic from the internal network.

I need to displace the firewall so the LTM can manage the public segment. How could I achieve this? I need to use the LTM to allow the users' navigation and to let pass (passthrough) the VPN IPsec traffic. For the first thing, I think I need a SNAT with 200.200.200.10 as the translation address, but I am not sure about how to treat the VPN IPsec traffic. Do I need special virtual servers to achieve that? Do you think I will have troubles or conflicts because I only have one IP to do both things?

Thanks folks..!

Regards

Jorge

1 REPLY

Andrew-F5
F5 Employee

Jorge,

You should be able to accomplish this with an IP forwarding or FastL4 virtual server, but be sure to follow K14169 to disable the necessary DB variable.

K7595: Overview of IP forwarding virtual servers

K14169: Passing IPsec ESP traffic through an IP forwarding virtual server

Best,

Andrew