Glenn_32974
Aug 04, 2010 | Nimbostratus
Outbound IPSEC traffic via Link Controller
I'm having an issue where I'm trying to establish a VPN site-2-site connection through a Link Controller, but outbound traffic is being SNAT'ed on the way out, so my VPN peer at the other end of the tunnel is not accepting the packet.
Please see tcpdump statistics below:
[root@venom:Active] config # tcpdump -i VLAN-FW src host 201.234.67.35 and dst host 190.67.7.228 and port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on VLAN-FW, link-type EN10MB (Ethernet), capture size 108 bytes
14:34:17.894281 IP 201.234.67-35.static.impsat.com.co.isakmp > 190.67.7.228.isakmp: isakmp: phase 1 I ident
14:34:22.911693 IP 201.234.67-35.static.impsat.com.co.isakmp > 190.67.7.228.isakmp: isakmp: phase 1 I ident
[root@venom:Active] config # tcpdump -i VLAN-GLOBAL src host 201.234.186.155 and dst host 190.67.7.228 and port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on VLAN-GLOBAL, link-type EN10MB (Ethernet), capture size 108 bytes
14:34:17.894303 IP 201.234.186.155.isakmp > 190.67.7.228.isakmp: isakmp: phase 1 I ident
14:34:22.911710 IP 201.234.186.155.isakmp > 190.67.7.228.isakmp: isakmp: phase 1 I ident
14:34:32.926833 IP 201.234.186.155.isakmp > 190.67.7.228.isakmp: isakmp: phase 1 I ident
LTM VS Config
    ltm virtual outbound-virtual-server {
        destination any:any
        mask any
        persist {
            source_addr {
                default yes
            }
        }
        pool Default-gateway-pool
        profiles {
            fastL4 { }
        }
        translate-address disabled
        translate-port disabled
        vlans {
            VLAN-FW
        }
        vlans-enabled
    }
Pool Config
    ltm pool Default-gateway-pool {
        allow-nat no
        allow-snat no
        load-balancing-mode dynamic-ratio-node
        members {
            201.234.186.129:any {
                session monitor-enabled
            }
        }
        monitor gateway_icmp
    }
Any ideas on how to disable source address translation so the packet goes out of the Link Controller with source IP 201.234.67.35 instead of 201.234.186.155?
Thanks in advance!
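
The comparison of the two captures above can be automated. This is an added example, not part of the original post: it pairs packets seen on the inside VLAN with packets seen on the outside VLAN by destination and timestamp, and reports any source address that changed in between. It assumes the captures are re-run with `tcpdump -n` (numeric addresses and ports); the sample lines are constructed from the timestamps and addresses in the post, and the 1 ms matching window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the post's captures as they would appear with tcpdump -n.
INSIDE = """\
14:34:17.894281 IP 201.234.67.35.500 > 190.67.7.228.500: isakmp: phase 1 I ident
14:34:22.911693 IP 201.234.67.35.500 > 190.67.7.228.500: isakmp: phase 1 I ident
"""
OUTSIDE = """\
14:34:17.894303 IP 201.234.186.155.500 > 190.67.7.228.500: isakmp: phase 1 I ident
14:34:22.911710 IP 201.234.186.155.500 > 190.67.7.228.500: isakmp: phase 1 I ident
14:34:32.926833 IP 201.234.186.155.500 > 190.67.7.228.500: isakmp: phase 1 I ident
"""

LINE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

def parse(capture):
    """Return (seconds, src, sport, dst, dport) per IPv4 line of tcpdump -n output."""
    packets = []
    for line in capture.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # banner lines and anything that is not an IPv4 packet line
        t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        packets.append((secs, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return packets

def find_snat(inside, outside, window=0.001):
    """Pair each inside packet with the first unused outside packet to the same
    destination within `window` seconds; return (inside_src, outside_src) rewrites."""
    rewritten, used = set(), set()
    outside_pkts = parse(outside)
    for t_in, src_in, _, dst, dport in parse(inside):
        for i, (t_out, src_out, _, dst_out, dport_out) in enumerate(outside_pkts):
            if i in used or (dst_out, dport_out) != (dst, dport):
                continue
            if 0 <= t_out - t_in <= window:
                used.add(i)
                if src_out != src_in:
                    rewritten.add((src_in, src_out))
                break
    return rewritten

print(find_snat(INSIDE, OUTSIDE))
```

An empty result means every paired packet left with its original source address; outside packets with no inside counterpart (such as the third one here) are ignored.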