Forum Discussion

cawong23_136311
Feb 24, 2017

Site to site ipsec vpn pass through Link Controller

Hi all,

Recently I needed to configure the LC to pass site-to-site IPsec VPN traffic through. I have checked F5 and DevCentral resources, but there is no detailed configuration guide or manual about it.

I tried to set up a VS with IP forwarding and a SNAT pool; NAT traversal is enabled on the VPN devices. But it does not work.

Do you guys have any idea about it? What should I do on the LC?

Thanks a lot.

6 Replies

  • Can you provide more information about the setup? Do you need to NAT the IPsec device that is behind the LC? Can both sides initiate the VPN? Does the LC use multiple links to reach the destination?

  • Hi Leonardo,

    I recently met a similar situation; here is the info: user -- Check Point -- LC -- Internet -- Check Point -- other site users. I have created a VS with destination VPN public IP, pool CP private IP, all protocols, and a VS with outbound 0.0.0.0, pool pool_gateway, all protocols. Through Wireshark, phase I has been established; however, there were no phase II packets. From the CP we always see the error that the pre-shared key mismatches, even though the key is the same. CP TAC suggested that we delete all VSs and just create a NAT in the NAT list in the LC, and that works. However, we just want to use a VS to narrow down the public IP to the related ports in order to avoid attacks, so any suggestion? Thanks in advance.

    • Leonardo_Souza

      Have you tried using destination address persistence? This is to make sure traffic goes out via the same ISP when doing the VPN.

    • tira_li_302756

      Thanks for your reply!

      Could you list the detailed VS config for reference? After setting up the inbound and outbound VS, ICMP packets are sometimes dropped (as seen with the ping tool). If we just create a NAT in the NAT list, it seems to be stable.

    • Leonardo_Souza

      The SNAT default setting is to allow only TCP and UDP. Check the setting in System -> Configuration -> Local Traffic -> SNAT Packet Forwarding.

  • Hi,

    when I deploy an LC, I use this iRule for the outgoing VS (this is the only one, except the one for FTP):

    when RULE_INIT {
        # Drop any previous table so reloading the iRule starts clean
        # (plain "unset" errors if the variable does not exist yet)
        array unset static::SnatPolicy
        # Format:
        # "source IP address" {"gateway pool" "SNAT when ISP1" "SNAT when ISP2"}
        array set static::SnatPolicy {
            "10.1.1.1" {"gateway_pool_isp1" "1.1.1.1" "1.1.2.1"}
            "10.1.1.2" {"gateway_pool_isp2" "1.1.1.2" "1.1.2.2"}
            "10.1.1.3" {"default_gateway_pool" "1.1.1.3" "1.1.2.3"}
            "default" {"default_gateway_pool" "1.1.1.4" "1.1.2.4"}
        }
    }

    when CLIENT_ACCEPTED {
        # Look up the client source IP; fall back to the "default" entry
        if { [info exists static::SnatPolicy([IP::client_addr])] } {
            set clientip [IP::client_addr]
        } else {
            set clientip "default"
        }
        # Element 0 of the entry is the gateway pool to use
        pool [lindex $static::SnatPolicy($clientip) 0]
    }

    when LB_SELECTED {
        # Pick the SNAT address matching the ISP whose gateway was selected:
        # gateways in 1.1.1.0/24 are ISP1 (element 1), anything else ISP2 (element 2)
        if { [IP::addr [LB::server addr]/24 equals 1.1.1.0] } {
            set link 1
        } else {
            set link 2
        }
        snat [lindex $static::SnatPolicy($clientip) $link]
    }


    The VS is Performance (Layer 4) with default gateway_pool and all protocols.

    I also create one pool per ISP:

    gateway_pool_isp1 and gateway_pool_isp2, with both gateways as members but with priority group activation.
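As an added illustration (not code from this thread, and not F5's), here is a small Python model of the two points raised in the replies: the SNAT Packet Forwarding default of TCP and UDP only, and the link-aware SNAT address selection in the iRule above. The protocol numbers and IKE ports are standard values; the addresses, the gateway passed in, and the simplified "allow TCP/UDP or everything" forwarding behaviour are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# IANA IP protocol numbers and the IKE / NAT-T UDP ports
ICMP, TCP, UDP, ESP = 1, 6, 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500

# Same table as the posted iRule (constructed addresses):
# source IP -> (gateway pool, SNAT address via ISP1, SNAT address via ISP2)
SNAT_POLICY = {
    "10.1.1.1": ("gateway_pool_isp1", "1.1.1.1", "1.1.2.1"),
    "10.1.1.2": ("gateway_pool_isp2", "1.1.1.2", "1.1.2.2"),
    "default": ("default_gateway_pool", "1.1.1.4", "1.1.2.4"),
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # None for ESP/ICMP, which carry no ports

def snat_forwarding_allows(proto: int, all_ip_protocols: bool) -> bool:
    # Assumed model of "SNAT Packet Forwarding": TCP and UDP only by default,
    # any IP protocol (ESP, ICMP, ...) once "All IP protocols" is selected
    return all_ip_protocols or proto in (TCP, UDP)

def egress_link(gateway_addr: str) -> int:
    # Mirrors the iRule's LB_SELECTED test: a gateway in 1.1.1.0/24 is ISP1
    return 1 if gateway_addr.startswith("1.1.1.") else 2

def forward(pkt: Packet, gateway_addr: str,
            all_ip_protocols: bool = False) -> Optional[Tuple[str, int]]:
    # Returns (SNAT address, link) or None when the packet would be dropped
    if not snat_forwarding_allows(pkt.proto, all_ip_protocols):
        return None
    entry = SNAT_POLICY.get(pkt.src, SNAT_POLICY["default"])
    link = egress_link(gateway_addr)
    return entry[link], link  # element 1 = ISP1 address, element 2 = ISP2

def ipsec_flow_result(src: str, dst: str, gateway_addr: str,
                      all_ip_protocols: bool = False, nat_t: bool = False):
    # IKE (phases 1 and 2) is UDP/500, or UDP/4500 with NAT-T; the tunnel's
    # data packets are raw ESP unless NAT-T wraps them in UDP/4500 as well
    ike = Packet(src, dst, UDP, NAT_T_PORT if nat_t else IKE_PORT)
    data = Packet(src, dst, UDP, NAT_T_PORT) if nat_t else Packet(src, dst, ESP)
    return {"ike": forward(ike, gateway_addr, all_ip_protocols),
            "data": forward(data, gateway_addr, all_ip_protocols)}
```

In this model the IKE leg is forwarded with the default setting while the raw ESP leg returns None, and only "All IP protocols" or NAT-T encapsulation gets the data plane through.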