ipsec
27 Topics

During ike rekey in a s2s IPsec config some tunnels won't reestablish
Hi, I would like some help regarding an IPsec problem we are experiencing in our DC. We have a few different route domains in our F5. Two different RDs are configured for IPsec to two different remote sites. The only thing common between the two connections is that both remote devices are Cisco ASAs. One is an ASA5520 on 7.2(4) and the other one is an ASA5585 on 9.2(4)14. Here are the details of the IPsec configuration:

PHASE1
Version: IKE v1
Authentication algorithm: SHA-1
Encryption algorithm: AES256
Perfect forward secrecy/dh-group: MODP1536
Lifetime: 1440
Authentication method: PSK
Mode: Main
NAT Traversal: ON
DPD Delay: 30 sec
Replay window size: 64 packets

PHASE2
IPsec protocol: ESP
Mode: Tunnel
Authentication algorithm: SHA-1
Encryption algorithm: AES256
Perfect forward secrecy: MODP1536
Lifetime: 1440

It has been verified by both sides multiple times that the configuration is exactly the same. Also, we are the ones using NAT-T. We have an external router where the public IP address is NATed to the F5. The problem is that during IKE rekeying some tunnels won't reestablish. Only some will, but not all. For example, in one IPsec there are 3 traffic selectors. Traffic is flowing through all 3 of them when everything is fine. After the rekeying only one will work and we have to clear the whole IPsec to make it work again. What we found so far is that the ASAs will start rekeying at 75% of the lifetime (so in our case around 18 hours): https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.htmlvpndisc According to this document it's not a problem. However, almost always the tunnels won't come up. (There have been a few occasions when for some magical reason they came up, but it's pretty rare.) Log from the ASA when rekeying starts at 18 hours:

Mar 7 02:50:51 asa %ASA-4-113019: Group = 1.2.3.4, Username = 1.2.3.4, IP = 1.2.3.4, Session disconnected. Session Type: IPSecLAN2LANOverNatT, Duration: 18h:00m:29s, Bytes xmt: 4133553397, Bytes rcv: 2396963220, Reason: IKE Delete

Here are the logs from racoonctl, as they are too long to paste here: https://pastebin.com/H39ZbYLS

So the conclusion so far is that there is traffic between the peer IPs, even when the problem occurs. The traffic in the IPsec SAs goes back and forth continuously. When the IKE rekey happens the old IKE SA closes and a new one is created, and the IPsec SAs are renewed. For a second the traffic in the IPsec SAs breaks, but then continues to flow once again. But when the error happens not every IPsec SA reestablishes and we can only see timeouts in the logs. I hope you can help. The clients are a "bit" mad about this issue. Thanks.

Does anyone have 11.6 LTM doing IPsec with 3rd party device
We are trying to create an IPsec tunnel with 3 traffic selectors on one IKE peer. The tunnel will come up; however, we aren't able to get any traffic flowing over the link. Traceroute shows that the connection is trying to go over the default route, rather than into the tunnel. F5 shows that the tunnel is active and receiving packets, just not sending any. We are using a secondary floating self-IP on the external network. 10.0.0.0/8 route to internal network. Remote network is 10.0.5.0/24.

F5 Not Functioning With Pulse Secure
Hi All, We have a new set-up of an F5 with two VIPs: one performance layer 4 for HTTPS (SSL authentication to the Pulse Secure appliance), and another standard VIP on UDP/4500 (for IPsec data traffic). Both profiles have a source affinity persistence profile mapped to them which has the option "Match Across Virtual Server" checked. This is to allow both VIPs to act as one for data traffic. The F5 also has two gateways configured as self IPs and their respective floating IPs; this is so the Pulse uses the F5 as its gateway for internal and external traffic. The routing on the F5 points internal traffic to a default route to a switch in the DMZ which knows the route to the data center, and was being used to route traffic in the old set-up too. What we found with the new set-up was that traffic going to the external port worked fine, but traffic to the internal port on the Pulse (routed via the F5 internal gateway) was not working at all. This interface should use its own IP address and initiate a request to the authentication servers, but it didn't look like it was, resulting in users not being able to log into their Pulse clients (as authentication was failing). In the old set-up the gateways were on two separate switches, and this worked even after we reverted back; we saw users able to connect and log into Pulse, whereas in the new set-up they couldn't go past the prompt. We believe the issue is only with internal traffic, as external traffic looks fine. We also believe it could be the F5 potentially stopping the traffic from passing, but we are not sure why. Could the profile be changing something in the packet header? Could both VIPs also need to be standard VIPs for this to work? Has anyone come across an issue like this before? Best Regards, Sabeel

Configure F5 for IPsec VPN as pass through
Hello, We wish to implement the IPsec VPN via F5. The traffic flow is: Client (Windows mobile) --> Internet --> Firewall --> LTM (one-armed mode, SNAT) --> Microsoft TMG. When we configure a standard virtual server (on ports UDP 500 & 4500), source-IP-based stickiness & SNAT, the clients are able to establish the tunnel and access their application. But frequently they are getting the error message "VPN server is unavailable". If the client establishes the IPsec tunnel directly to TMG, we see the communication is happening with ESP (UDP 50) and they are not getting the error. Kindly let me know the standard configuration for IPsec VPN pass-through; also, does IPsec VPN with a standard virtual server not work? Thanks in advance. Regards, Kannan.

IPSec VPN - Must the tunnel local address be the self/floating IP address?
Hello everyone, Regarding IPsec VPN (tunnel mode) setup, I have no idea whether the tunnel local address can be different from the self/floating IP address (another IP address in the same range as the self/floating IP address) or not, but I noticed this when I was working on an F5 BIG-IP system. For example, the self and floating IP addresses are a.b.c.200/25 and a.b.c.202/25, respectively, but the tunnel local address is a.b.c.199/25. However, when I checked the system configuration, I could not find the IP a.b.c.199/25 assigned or associated to any interfaces/VLANs, only an ltm nat-translation, a snatpool (for the IPsec local encryption domain, the private network) and a few rules for ESP/IKE packets. Additionally, I could ping this IP address from the BIG-IP system.

Establish IPSec VPN with F5 Big-IP and Fortigate 30C
Our primary requirement is to establish an IPsec VPN from our F5 Big-IP 5050 in our data center to Fortigate 30Cs at our branches across the globe. Questions:
1. We haven't successfully done the configuration with both using static IPs. What is the right configuration?
2. Is F5 capable of establishing an IPsec VPN to Fortigate 30Cs via dynamic IP?
3. Is F5 capable of establishing an IPsec VPN to Fortigate 30Cs via dynamic DNS?
4. What other methods can we use to establish a VPN from F5 to Fortigate 30C?
Help.

IPSec on F5-Cisco
Hi, this F5 article describes how to configure the F5 side of an IPsec tunnel between an F5 and a third party [Cisco ASA device]: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-4-0/19.html It says that the virtual server will have the 0.0.0.0 IP address and listen on all ports. My question is: if I configure that on the external VLAN of my F5, where I have more VSs on that VLAN, won't that "all-the-IPs" [0.0.0.0] gobble up any traffic coming in to the F5 from the front end? What about replies to ARP? Won't it mess up any ARP request, replying with ARP saying the F5 is what the other server means to be?

Explicit Forward Web Proxy, forward proxied traffic over IPSEC terminated on F5 to remote device.
I have successfully set up an IPsec tunnel between the F5 and a remote device. I have an HTTPS server configured on the remote end, and on a client I am able to connect to the HTTPS server when using the F5 internal interface as the default gateway on the client. I have successfully set up the explicit forward proxy, and when I configure the client to point to the virtual server I am able to proxy web traffic out to the Internet (bypassing the IPsec tunnel and going to the Internet). However, I am not able to successfully force the proxied traffic over the IPsec tunnel to reach my HTTPS server on the remote end.

F5 Ipsec VPN and ERROR: none message must be encrypted.
Greetings Folks. I have recently been tasked to configure an IPsec VPN between my company and another company's network. I managed to get all the configuration parameters and, being new to F5, followed these documents: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-tmos-tunnels-ipsec-12-0-0/8.htmlconceptid https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-tmos-tunnels-ipsec-12-0-0/11.htmlconceptid I stumbled on many, many different types of errors and learned a lot! However, as much as I'd love to linger and understand all the subtle changes in the implementation (or nerfing?) of the racoon module in the different releases of TMOS, I need to get things up and running! During the tunnel establishment (phase 1) I get the following error: "ERROR: none message must be encrypted". Is there someone out there who has experienced this before? Many thanks in advance. Cheers, Alessio