Forum Discussion

Etienne_Laval_3
Apr 27, 2018

ipsec

Hello everybody,

I have an architecture with 24 IPSEC servers behind a BigIP 2000 cluster.

Customers are mobile phones configured with a public address as an IPSEC termination.

Each public address corresponds to a VS to which is attached a pool of 2 servers in a priority group (a master and a slave).

Among the 24 servers, each is master of one VS and slave of another VS; the distribution of customers is by region.

In order to have a more equitable distribution of customers (especially during the loss of a server), I am trying to set up a single VS with a pool containing all of my servers.

Is it possible to do that with LTM?

I cannot find a solution: how do I configure persistence for such a flow with dynamic client addresses? In addition, the VPN connection is established in two stages, with UDP 4500 and UDP 500; how do I make the second stream go to the same server?

Thank you in advance for your help.

1 Reply

  • From what I understand you want to load balance IPsec through the BIG-IP.

    First of all, make sure you disable the F5 looking at the IPsec traffic, else it will fail:

    https://support.f5.com/csp/article/K14169

    It suggests L4, which I would keep on any service, so you don't have to worry about the difference between 4500 and 500 and the ESP protocol.

    For persistence you need to look at the options.

    If IP source based persistence isn't possible due to the changing client IP you need to find something else.

    It might be you just get different tunnels every time.

    https://devcentral.f5.com/questions/load-balancing-vpn-connection
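Added example, not code from the thread or from F5: the reply notes that source-IP persistence cannot hold when the handset's address changes, and that the handshake moves between UDP 500 and UDP 4500. One value that does stay constant across both ports for the life of an IKE SA is the 8-byte initiator SPI at the front of every IKE header (RFC 7296 for IKEv2, the initiator cookie in IKEv1); on UDP 4500 it is preceded by the 4-byte zero non-ESP marker of RFC 3948, which also distinguishes IKE from ESP-in-UDP data and from the one-byte NAT keepalive. The Python below extracts that SPI from a UDP datagram so it could serve as a universal persistence key. All packet bytes are constructed for the demonstration, and the idea of feeding such a key into BIG-IP universal persistence (for instance from an iRule with `persist uie`) is an assumption of this example, not something the thread confirms.

```python
"""Derive a per-peer persistence key from IKE traffic on UDP 500 / UDP 4500.

Added example for the thread above; not F5 code. Sample packets are constructed.
"""
import struct

# RFC 7296 s3.1: SPIi(8) SPIr(8) NextPayload(1) Version(1) Exchange(1) Flags(1) MsgID(4) Length(4)
IKE_HEADER_LEN = 28
NON_ESP_MARKER = b"\x00" * 4      # RFC 3948: zero marker in front of IKE carried on UDP 4500
NAT_KEEPALIVE = b"\xff"           # RFC 3948: one-byte NAT-T keepalive, also on UDP 4500

IKE_SA_INIT, IKE_AUTH = 34, 35    # IKEv2 exchange types (RFC 7296)


def ike_persistence_key(dst_port, payload):
    """Return the initiator SPI (hex) of an IKE message, or None if the datagram
    is not IKE: ESP-in-UDP data, a NAT keepalive, a wrong port, or a bad header."""
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return None
        if not payload.startswith(NON_ESP_MARKER):
            # ESP-in-UDP: the first four bytes are the ESP SPI, which is never zero
            return None
        payload = payload[len(NON_ESP_MARKER):]
    elif dst_port != 500:
        return None
    if len(payload) < IKE_HEADER_LEN:
        return None
    spi_i, _spi_r, _np, version, _exch, _flags, _msg_id, length = struct.unpack(
        "!8s8sBBBBII", payload[:IKE_HEADER_LEN])
    if (version >> 4) not in (1, 2):        # major version nibble: IKEv1 or IKEv2
        return None
    if length < IKE_HEADER_LEN or spi_i == b"\x00" * 8:
        return None
    return spi_i.hex()


def build_ike_message(spi_i, spi_r, exch_type, msg_id, body=b"", nat_t=False):
    """Construct a minimal IKEv2 datagram payload for the demonstration (not a real handshake)."""
    hdr = struct.pack("!8s8sBBBBII", spi_i, spi_r, 33, 0x20, exch_type, 0x08, msg_id,
                      IKE_HEADER_LEN + len(body))
    return (NON_ESP_MARKER if nat_t else b"") + hdr + body


def demo_same_peer_across_ports():
    """Show that the key from IKE_SA_INIT on port 500 equals the key from the NAT-T
    IKE_AUTH on port 4500, while non-IKE datagrams on 4500 yield no key at all."""
    spi_i = bytes.fromhex("0123456789abcdef")             # constructed initiator SPI
    spi_r = bytes.fromhex("fedcba9876543210")             # constructed responder SPI
    sa_init = build_ike_message(spi_i, b"\x00" * 8, IKE_SA_INIT, 0, b"\x00" * 8)
    auth = build_ike_message(spi_i, spi_r, IKE_AUTH, 1, b"\x00" * 16, nat_t=True)
    esp = bytes.fromhex("0000abcd") + b"\x00" * 20          # ESP-in-UDP with SPI 0x0000abcd
    return {
        "sa_init_key": ike_persistence_key(500, sa_init),
        "auth_key": ike_persistence_key(4500, auth),
        "esp_key": ike_persistence_key(4500, esp),
        "keepalive_key": ike_persistence_key(4500, NAT_KEEPALIVE),
    }


if __name__ == "__main__":
    for name, key in demo_same_peer_across_ports().items():
        print(f"{name:14s} {key}")
```

The key survives the move from UDP 500 to UDP 4500 within one IKE negotiation, which is the second-stream problem the question raises. It does not survive a handset tearing down and rebuilding its IKE SA, since a fresh negotiation picks a fresh initiator SPI; that is exactly the "different tunnels every time" outcome the reply warns about, and the ESP-in-UDP data that follows carries the responder's ESP SPI rather than the initiator's IKE SPI, so it cannot be matched by this key either.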