Forum Discussion

faycal_29095
Dec 02, 2007

Virtual Server for VPN

Hi everybody,

I created a virtual server, type Standard (0.0.0.0/0), for VPN use (UDP 500).

But I see only some packets in this VS.

Please, can you help me understand where exactly we can find the traffic of this VPN? Is it in the wildcard VS or in this VS?

Thanks.

6 Replies

  • Did you enable all protocols on that virtual server? Traditional IPSec uses udp/500, but also protocol 50 (ESP), which would be discarded if you have only allowed udp.
  • Hello,

    I just enabled UDP/500.

    But how can I also enable the ESP protocol on this VS? Is it possible?

    Is ESP TCP 50?

    Thanks for your help.

  • ESP is not a TCP/UDP protocol. In the IPv4 protocol field, TCP is 6, UDP is 17, and ESP is 50. You will need to enable all protocols for this to work. I have attached a snapshot of the GUI configuration.
  • We already have a wildcard Forwarding IP VS (see the attached capture). This VS load balances the internal traffic to the internet using two ISPs.

    How can I pass VPN traffic to only one ISP?

    Is it possible to create a Standard VS, 0.0.0.0/0? But how can I specify that this VS should pass only the VPN traffic?

    Can I create a Forwarding IP VS with the IP of the VPN peer gateway as destination?

    Please tell me what the best solution to resolve my issue is.

    Thank you.

  • I would do this by applying a virtual 0.0.0.0/0 against ONLY the internal VLAN, with a rule applied (below). I am not sure I understand your requirements, as a couple of them seem conflicting. Here's a start for you, and if I am misunderstanding, please post back. Also, if you use AH or NAT-T at all, you'll also need to allow for protocol 51 and udp/4500 (respectively).

    # ISP1 stands for the address of the ISP1 gateway member in the isp-gateways pool
    when CLIENT_ACCEPTED {
      if { [IP::protocol] == 50 } {
         # ESP carries no port, so pin it to ISP1 on the protocol number alone
         pool isp-gateways member ISP1
      } elseif { [IP::protocol] == 17 && [UDP::local_port] == 500 } {
         # IKE: test the protocol first so UDP::local_port is only evaluated on UDP flows
         pool isp-gateways member ISP1
      } else {
          # everything else is load-balanced across both gateways
          pool isp-gateways
      }
    }

    Of course, you'd need to make sure you have a forwarder for your internal VLAN as well, applied ONLY to the public-facing VLAN.
  • I will explain my situation.

    First we had one ISP, and we also have some internal servers that need to be SNATed to IPs from ISP01.

    We created a wildcard VS 0.0.0.0/0, all protocols, and we applied this iRule:

    when LB_SELECTED {
      # fixed public addresses for the servers that must always appear as ISP01 IPs
      if { [IP::addr [IP::client_addr] equals 172.24.95.139] } {
        snat 196.1.1.1
      } elseif { [IP::addr [IP::client_addr] equals 172.24.95.133] } {
        snat 196.1.1.2
      } elseif { [IP::addr [IP::client_addr] equals 172.24.95.135] } {
        snat 196.1.1.3
      } else {
        snat automap
      }
    }

    Now we have integrated a second link, ISP02, and we would like to load balance traffic across the two ISPs. But not for the VPN and for the internal servers that must be SNATed; for these two cases, the traffic must go through ISP01.

    We think that by creating another VS dedicated to VPN traffic we can resolve this issue, so we can keep the wildcard Forwarding IP VS with the iRule as below:

    # pool selection has to happen before the load-balancing decision, so this
    # runs in CLIENT_ACCEPTED: in LB_SELECTED a plain "pool" command comes too
    # late to change the gateway already chosen for the connection
    when CLIENT_ACCEPTED {
      if { [IP::addr [IP::client_addr] equals 172.24.95.139] } {
        snat 196.1.1.1
        pool pool_ISP01
      } elseif { [IP::addr [IP::client_addr] equals 172.24.95.133] } {
        snat 196.1.1.2
        pool pool_ISP01
      } elseif { [IP::addr [IP::client_addr] equals 172.24.95.135] } {
        snat 196.1.1.3
        pool pool_ISP01
      } else {
        snat automap
        pool pool_gateway_ISPs
      }
    }

    But my problem now is: what kind of VS must I create for the VPN traffic, and how do I configure it to support all the traffic of the VPN?

    I hope that you understand my case, and I thank you in advance for helping me.
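As an added example (not code from the thread, its posters, or F5), the rule below combines the two requirements the last post describes and the IPsec protocol list from the earlier replies into one iRule on the existing wildcard Forwarding IP virtual server: IPsec (IKE udp/500, NAT-T udp/4500, ESP protocol 50, AH protocol 51) and the three SNATed servers are pinned to ISP01, everything else is load-balanced across both ISPs. The pool names pool_ISP01 and pool_gateway_ISPs and the 172.24.95.x / 196.1.1.x addresses are the ones the poster used; applying "snat automap" to the VPN branch is an assumption made here to match the existing rule's default branch. For this to see ESP and AH at all, the virtual server's protocol must be set to "* All Protocols"; a UDP-only virtual matches only the IKE packets, which is why only some packets showed up in the first post.

```tcl
# Added example for this thread, not the original poster's or F5's code.
# Applied to a 0.0.0.0/0 Forwarding IP virtual server on the internal VLAN
# with protocol "* All Protocols". Names and addresses taken from the thread:
# pool_ISP01, pool_gateway_ISPs, 172.24.95.x clients, 196.1.1.x SNAT IPs.
# Assumption: VPN traffic keeps the "snat automap" default of the old rule.

when CLIENT_ACCEPTED {
    set proto [IP::protocol]
    set is_vpn 0

    # ESP (50) and AH (51) have no port field, so classify them on the IP
    # protocol number. Test the protocol before calling any UDP:: command so
    # the rule never evaluates UDP ports on a TCP or ESP flow.
    if { $proto == 50 || $proto == 51 } {
        set is_vpn 1
    } elseif { $proto == 17 } {
        # IKE is udp/500; NAT-T keepalives and UDP-encapsulated ESP use udp/4500
        set port [UDP::local_port]
        if { $port == 500 || $port == 4500 } {
            set is_vpn 1
        }
    }

    if { $is_vpn } {
        # Pin the whole tunnel (IKE and ESP/AH alike) to ISP01, so the remote
        # peer always sees the negotiation and the data packets from the same
        # source address instead of alternating between the two ISPs.
        snat automap
        pool pool_ISP01
        return
    }

    # Internal servers that must always appear as fixed ISP01 addresses.
    # Pool selection belongs in CLIENT_ACCEPTED: by LB_SELECTED the gateway
    # has already been chosen and a plain "pool" command is too late.
    switch -- [IP::client_addr] {
        "172.24.95.139" {
            snat 196.1.1.1
            pool pool_ISP01
        }
        "172.24.95.133" {
            snat 196.1.1.2
            pool pool_ISP01
        }
        "172.24.95.135" {
            snat 196.1.1.3
            pool pool_ISP01
        }
        default {
            # Everything else is load-balanced across both ISP gateways.
            snat automap
            pool pool_gateway_ISPs
        }
    }
}
```

With this rule a separate VPN-only virtual server is not needed: the single all-protocols wildcard virtual already receives the ESP, AH and IKE packets, and the rule decides per flow which gateway pool they use. To confirm the virtual is actually seeing the tunnel, compare packet counts for protocol 50 on the internal VLAN with the virtual server's statistics; if ESP is missing there, the virtual is still restricted to UDP.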