Forum Discussion

TD_388740 (Nimbostratus)
Apr 30, 2019

VPN SSL traffic not being forwarded when using a not directly attached network as VPN Pool

Hi, I have an F5 set up in AWS to use for client VPN. I had it working fine but then found out that the ACLs are not being applied because I bypass the VS which is used for the VPN clients.


Here is the setup.


F5 with a public interface and a private interface. A standard VS is configured on the public IP so users can log in to the VPN. That is working fine. Another VS is configured to redirect HTTP to HTTPS. Also working fine.


We are using full tunnel. I have a subnet configured as the VPN pool that is not attached to the F5. We route the subnet to the private interface. No SNAT is used because we want to have full transparency on the clients.


When I use SNAT it works fine. Also, when I use a VPN pool of addresses that are in the same subnet as the self IP of the private interface, it works fine. When I use the VPN pool from the network that is not directly attached, it stops working. To work around it, I set up another VS (forwarding IP) with our VPN pool as the source and 0.0.0.0/0 as the destination. With this setup it worked fine, but I then found out that the ACLs are no longer applied.


Any idea how I can meet all three requirements: no SNAT, a not directly attached network as the VPN pool, and ACLs applied to the VPN users?


It looks like an internal routing issue, but I have no idea how to tell the F5 where to send traffic from the VPN pool.


I hope it is somewhat clear what the setup looks like.


Thanks.


8 Replies

  • Hello TD!


    Once the client is connected to the F5 and gains an IP from the pool, it will follow the BIG-IP routing table. Does the BIG-IP have routes to reach your internal resources in your AWS VPC?


    And does the routing table of your AWS VPC have return routes (for the IP pool of your clients) back to the internal self/floating IP of the BIG-IP?


    Cheers! Rafael


  • TD (Nimbostratus)

    Hi rafaelbn, here is some more info.


    VPN pool subnet: 10.2.0.0/24
    Public subnet in VPC: 10.237.243.0/26
    Private subnet in VPC: 10.237.240.0/24
    Private interface F5 self IP: 10.237.240.209
    Public interface F5 VS: 10.237.243.12
    Fortigate FW: 10.237.240.130


    1. 0.0.0.0/0 --> 10.237.240.130 (fortigate firewall for scanning internet traffic)
    2. 10.0.0.0/8 --> 10.237.240.1 (def. gw for private subnet in VPC)

    I also tried only a default route, leaving out the Fortigate, but that didn't help. The Fortigate is also only for scanning the internet-facing traffic (web scanning).


    I also have a route in the routing tables of the VPC for the VPN pool network that points to the private interface of the F5 (the self IP interface of the F5).


    On the Fortigate there are three routes:
    0.0.0.0/0 --> 10.237.243.1
    10.2.0.0/24 --> 10.237.240.209
    10.0.0.0/8 --> 10.237.240.1 (for mm access)


    Here are pictures of the forwarding VS I had configured and with which routing works. I had the same configured for UDP.


  • Hello TD!


    Your network diagram seems right, but I think you do NOT need any of those virtual servers to forward traffic. I recommend you remove them (do not just disable them; remove/delete them) and test again to see if it works as you intend.


    If it still doesn't work, I suggest you open a ticket with F5.


    Cheers! Rafael


  • TD (Nimbostratus)

    That did the trick. :-D I deleted the VS and now it is working. I guess I had a routing issue in the beginning and accidentally solved it after I created the forwarding VS.


    But why didn't disabling help?


    Thanks again for your help.


  • Disabling a VS still matches the traffic (which is a bummer, I know). You have to delete it to be sure!


    Cheers! Rafael


  • TD (Nimbostratus)

    OK, I get it. Thanks a lot for your help again.


  • No worries! Glad I could help. I'll post the comment to disable the VS as an answer and, if you can, mark it as correct. This could potentially help others in the future.


    Cheers! Rafael

