Forum Discussion

Kannan_Thalaia1
Nov 21, 2015

Configure F5 for IPsec VPN as pass through



We wish to implement the IPsec VPN via F5.


The traffic flow is: Client (Windows mobile) --> Internet --> Firewall --> LTM (one-armed mode, SNAT) --> Microsoft TMG.


When we configure it as a standard virtual server (on UDP ports 500 & 4500), with source-IP-based stickiness and SNAT, the clients are able to establish the tunnel and access their application.


But frequently, they get the error message "VPN server is unavailable".


If the client establishes the IPsec tunnel directly to TMG, we see the communication happening with ESP (UDP 50) and they do not get the error.


Kindly let me know the standard configuration for IPsec VPN pass-through. Also, will IPsec VPN with a standard virtual server not work?


Thanks in advance.


Regards, Kannan.


4 Replies

  • zeiss_63263 (Historic F5 Account)

    As a postscript to this thread: ipsec.lookupspi is only of relevance when the data flow happens as ESP in IP and not ESP in UDP port 4500 (in IP). When NAT is detected, the IPsec peers should switch to UDP port 4500, and the ESP, once the tunnel is established, will be encapsulated in UDP.


    In such a scenario ipsec.lookupspi is of no relevance because the connection flow characteristics are set up based on the IP/UDP data.


    In the scenario that Kannan has proposed, SNAT is supported on the Virtual Server (make sure it is a forwarding Virtual Server); however, that also guarantees that the float to UDP port 4500 will happen, and so ipsec.lookupspi is redundant in this scenario.
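
The distinction drawn in the reply above, as an added example that is not part of the thread and is not F5 code: a Python classifier that shows which fields identify the flow for ESP in IP versus the UDP 500/4500 cases. Payload layouts follow RFC 3948 (non-ESP marker, NAT keepalive); the addresses, ports and SPI value are constructed sample data.

```python
import socket
import struct

def classify(pkt: bytes):
    """Return (kind, flow_key) for one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    proto, body = pkt[9], pkt[ihl:]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if proto == 50 and len(body) >= 4:
        # ESP in IP: no ports, so the SPI is the only per-tunnel field.
        return "esp-in-ip", (src, dst, struct.unpack("!I", body[:4])[0])
    if proto != 17 or len(body) < 8:
        return "other", None
    sport, dport = struct.unpack("!HH", body[:4])
    data, key = body[8:], (src, sport, dst, dport)  # ordinary UDP flow key
    if 4500 in (sport, dport):
        if data == b"\xff":                    # one-byte NAT keepalive
            return "nat-keepalive", key
        if data[:4] == b"\x00" * 4:            # non-ESP marker: IKE follows
            return "ike-natt", key
        return "esp-in-udp", key               # first 4 bytes are a non-zero SPI
    if 500 in (sport, dport):
        return "ike", key
    return "other", None

def ipv4(proto, payload, src="198.51.100.7", dst="203.0.113.10"):
    """Build a minimal IPv4 packet (checksum left at 0, constructed data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed ESP payload: SPI, sequence number, then opaque bytes.
ESP = struct.pack("!II", 0x11223344, 1) + b"\xaa" * 16
IKE = b"\x01" * 28                             # stand-in for an IKE message

SAMPLES = {
    "direct to TMG, no NAT": ipv4(50, ESP),
    "IKE on UDP 500": ipv4(17, udp(500, 500, IKE)),
    "IKE after float": ipv4(17, udp(40001, 4500, b"\x00" * 4 + IKE)),
    "ESP after float": ipv4(17, udp(40001, 4500, ESP)),
    "keepalive": ipv4(17, udp(40001, 4500, b"\xff")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} {classify(pkt)}")
```

Only the first sample yields a key that contains an SPI; every packet that arrives after the float to UDP 4500 carries a source and destination port that a UDP virtual server can track.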