Forum Discussion

Sito79
Jan 15, 2009

VPN Configuration Behind Link Controller

Hi,

Just wondering, has anyone done a VPN termination which terminates on a firewall behind an F5 Link Controller? I think that my configuration is OK, but the IKE tunnel is always in MM_WAIT_MSG2 state.

I tried this configuration:

For VPN incoming traffic:

I have created a VS with port 0 and associated it with the firewall_internal_pool, selecting Performance (Layer 4) and all protocols: VS_ENTRADA

I have created a VS with port 500 and associated it with the firewall_internal_pool, selecting Performance (Layer 4) and all protocols: VS_ENTRADA_500

For VPN outgoing traffic:

I have created a vpn_gateway_pool with the internal IP of the router.

I have created VS_SALIDA_500 on port 500 and associated it with the vpn_gateway_pool, selecting Performance (Layer 4) and all protocols.

And finally I have created a snat_pool with the VPN public IP addresses as SNAT pool members, applied to VS_SALIDA_500.

3 Replies

  • Your configuration should work as long as the VPN supports NAT traversal. I personally have never seen one that handles this properly, but I'm told they exist. I've always had to allow IP forwarding directly to the VPN address so that it isn't NAT'ed, but then your VPN connection is pinned on one link and won't fail over to the other one.

    Denny
  • Sito79
    Yes, my configuration supports that kind of NAT. I don't know how to solve this problem.

    Don't you think that it could be a problem on the client side (IP address, firewall rules, NAT, etc.)?
  • Port usage for NAT is tricky based on many factors, including whether your firewall is the initiator or the responder, or possibly both. You may need a default forwarder 0.0.0.0:0 outbound from your firewall-connected VLAN unless you know all your peer endpoints, but you might get by with UDP ports 500/4500 enabled in both directions. I doubt this will cover every scenario, however, because whereas a stateful firewall will build the chain to return a packet sourced to your allowed destination (in this case, 500/4500), the LTM will not.
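A tunnel that sits in MM_WAIT_MSG2 (the original post) has sent Main Mode message 1 and never received message 2, so the first thing to establish from a capture on the outside of the Link Controller is which source address MM1 actually left with and whether anything came back on UDP 500/4500 (the ports the last reply mentions). The script below is an added diagnostic example, not code from the thread or from F5: it decodes ISAKMP headers (RFC 2408), strips the RFC 3948 non-ESP marker on port 4500, labels each Main Mode packet MM1..MM6 from header fields alone, and reports per exchange whether Phase 1 stalled. The packet list, the addresses (192.0.2.10 as the SNAT public IP, 10.1.1.1 as the firewall inside address, 198.51.100.1 as the peer) and the function names are all constructed for the example.

```python
"""Decode IKEv1 (ISAKMP) headers from UDP 500/4500 payloads and tell, per
Phase 1 exchange, whether Main Mode got past message 1.

Added diagnostic example for this thread, not code from the original posts.
The packet list at the bottom is constructed by hand to look like a capture
taken on the Link Controller's external VLAN; all addresses are placeholders.
"""
import struct

# ISAKMP header (RFC 2408 section 3.1), 28 bytes:
# initiator cookie(8) | responder cookie(8) | next payload(1) | version(1)
# | exchange type(1) | flags(1) | message ID(4) | length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP 4500 starts with 4 zero bytes
MAIN_MODE = 2                          # exchange type "Identity Protection"
PAYLOAD_SA, PAYLOAD_KE = 1, 4
FLAG_ENCRYPTED = 0x01


def parse_isakmp(udp_payload, dst_port):
    """Return the ISAKMP header fields as a dict, or None if this is not IKE."""
    data = udp_payload
    if dst_port == 4500:
        # On 4500, UDP-encapsulated ESP begins with a non-zero SPI; IKE carries the marker.
        if not data.startswith(NON_ESP_MARKER):
            return None
        data = data[len(NON_ESP_MARKER):]
    elif dst_port != 500:
        return None
    if len(data) < ISAKMP_HDR.size:
        return None
    icky, rcky, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    return {
        "initiator_spi": icky.hex(),
        "responder_spi_set": rcky != b"\x00" * 8,  # zero only in MM1
        "next_payload": nxt,
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange_type": xchg,
        "flags": flags,
        "message_id": msgid,
        "length": length,
    }


def classify_main_mode(hdr, src, initiator_addr):
    """Label a Main Mode packet MM1..MM6 from header fields alone: MM1/MM2 lead
    with an SA payload, MM3/MM4 with a KE payload, MM5/MM6 are encrypted.
    Odd messages come from the initiator, even ones from the responder."""
    from_init = src == initiator_addr
    if hdr["flags"] & FLAG_ENCRYPTED:
        return "MM5" if from_init else "MM6"
    if hdr["next_payload"] == PAYLOAD_KE:
        return "MM3" if from_init else "MM4"
    if hdr["next_payload"] == PAYLOAD_SA:
        return "MM1" if from_init else "MM2"
    return "unknown"


def diagnose(packets, expected_src):
    """packets: (src_ip, sport, dst_ip, dport, udp_payload) tuples captured on the
    outside of the Link Controller. expected_src: the public address the peer
    expects the tunnel from (the SNAT pool member in the setup above)."""
    exchanges = {}
    for src, _sport, _dst, dport, payload in packets:
        hdr = parse_isakmp(payload, dport)
        if hdr is None or hdr["exchange_type"] != MAIN_MODE:
            continue
        ex = exchanges.setdefault(hdr["initiator_spi"], {"initiator": None, "messages": []})
        if ex["initiator"] is None:
            if hdr["responder_spi_set"]:
                continue           # exchange already in progress before the capture started
            ex["initiator"] = src  # MM1 is the only packet with a zero responder SPI
        ex["messages"].append(classify_main_mode(hdr, src, ex["initiator"]))
    report = {}
    for spi, ex in exchanges.items():
        seen = ex["messages"]
        if "MM1" in seen and "MM2" not in seen:
            verdict = "stuck in MM_WAIT_MSG2"
            if ex["initiator"] != expected_src:
                verdict += f": MM1 left from {ex['initiator']}, peer expects {expected_src} (check SNAT)"
            else:
                verdict += ": MM1 left from the expected address; check that UDP 500/4500 replies to it are forwarded back"
        elif "MM2" in seen:
            verdict = "Phase 1 progressing"
        else:
            verdict = "no MM1 captured"
        report[spi] = {"initiator": ex["initiator"], "messages": seen, "verdict": verdict}
    return report


def build_isakmp(icky, rcky, next_payload, flags=0, nat_t=False):
    """Build a Main Mode header with an empty body (enough for header-level analysis)."""
    hdr = ISAKMP_HDR.pack(icky, rcky, next_payload, 0x10, MAIN_MODE, flags, 0, ISAKMP_HDR.size)
    return NON_ESP_MARKER + hdr if nat_t else hdr


# Constructed capture (placeholder addresses): 192.0.2.10 is the SNAT public IP the
# peer 198.51.100.1 expects; 10.1.1.1 is the firewall's inside address.
SPI_A, SPI_B = "aa" * 8, "bb" * 8
R_SPI = bytes.fromhex("cc" * 8)
SAMPLE_CAPTURE = [
    # Exchange A: SNAT not applied, MM1 (and a retransmit) leave with the inside address, no MM2
    ("10.1.1.1", 500, "198.51.100.1", 500, build_isakmp(bytes.fromhex(SPI_A), b"\x00" * 8, PAYLOAD_SA)),
    ("10.1.1.1", 500, "198.51.100.1", 500, build_isakmp(bytes.fromhex(SPI_A), b"\x00" * 8, PAYLOAD_SA)),
    # Exchange B: correct source, peer answers, DH exchange starts
    ("192.0.2.10", 500, "198.51.100.1", 500, build_isakmp(bytes.fromhex(SPI_B), b"\x00" * 8, PAYLOAD_SA)),
    ("198.51.100.1", 500, "192.0.2.10", 500, build_isakmp(bytes.fromhex(SPI_B), R_SPI, PAYLOAD_SA)),
    ("192.0.2.10", 500, "198.51.100.1", 500, build_isakmp(bytes.fromhex(SPI_B), R_SPI, PAYLOAD_KE)),
    # UDP-encapsulated ESP on 4500 (non-zero SPI first): not IKE, ignored
    ("192.0.2.10", 4500, "198.51.100.1", 4500, b"\x12\x34\x56\x78" + b"\x00" * 24),
]

if __name__ == "__main__":
    for spi, result in diagnose(SAMPLE_CAPTURE, "192.0.2.10").items():
        print(spi, result["messages"], result["verdict"])
```

Feed it real packets from a tcpdump on the external VLAN (decode the IP/UDP layers with any capture library) and compare the MM1 source address against the SNAT pool member: if it is the inside address, VS_SALIDA_500 is not matching the outbound IKE; if the address is right but no MM2 arrives, the reply is either not reaching the public IP or is not being forwarded back through the inbound virtual server, which is the stateless-return point the last reply makes.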