Manual Chapter : BIG-IP Solutions Guide v4.1: Load Balancing VPNs

Applies To:

Show Versions Show Versions

BIG-IP versions 1.x - 4.x

  • 4.1.1 PTF-06, 4.1.1 PTF-05, 4.1.1 PTF-04, 4.1.1 PTF-03, 4.1.1 PTF-02, 4.1.1 PTF-01, 4.1.1, 4.1.0
Manual Chapter


7

Load Balancing VPNs



Working with VPN load balancing

You can use the BIG-IP to load balance virtual private network (VPN) gateways used to connect two private networks. Figure 7.1 shows a configuration of this type.

Figure 7.1 An example of a VPN load balancing configuration

Configuring VPN load balancing

There are three tasks required to configure VPN load balancing on the BIG-IP: create a load balancing pool, create two virtual servers, and enable ports 80 and 443.

The following tasks only show how to configure the BIG-IP on network 192.168.13.0 (BIG-IP 2). The configuration for BIG-IP 1 on 192.168.11.0 is the same, only with different network numbers.

  • Create a load balancing pool
    Create a pool that load balances the inside addresses of the three VPNs.
  • Create two virtual servers
    Create virtual servers to handle inbound and outbound traffic for the VPNs.
  • Enable service 80 and service 443
    Enable service 80 and 443 for traffic. This step is only required if you configure this solution from the command line. The web-based Configuration utility automatically allows access to the services.

Defining the pools

First, create two pools, a pool that load balances the content servers and a pool that load balances the VPNs.

To create a pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. Click the Add button.
    The Add Pool screen opens.
  3. For each pool, enter the pool name and member addresses in the Add Pool screen. (For additional information about configuring a pool, click the Help button.)

    Configuration notes

    For the example in Figure 7.1:

    Create pool named vpn_insides. This pool contains the following members: <vpn1>, <vpn2>, <vpn3>.

    To define a pool from the command line

    Define the pool vpn_insides for the VPNs:

    b pool vpn_insides { \

    member <vpn1>:* \

    member <vpn2>:* \

    member <vpn3>:* }

    Replace <vpn1>, <vpn2>, and <vpn3> with the internal IP address of the respective router. In this example the routers are service checked on port *.

Defining the virtual servers

After you define the pools for the content servers and inside IP addresses of the VPNs, define the virtual servers.

To define the virtual servers using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. Click the Add button.
    The Add Virtual Server screen opens.
  3. For each virtual server, enter the virtual server address and pool name. (For additional information about configuring a virtual server, click the Help button.)

    Configuration notes

    For the example in Figure 7.1:

    For the inbound connections, create the network virtual server 192.168.13.0:0. Specify the netmask 255.255.255.0 and turn forwarding on.

    For the outbound connections, create the network virtual server 192.168.11.0:0. specify the netmask 255.255.255.0, use pool vpn_insides, and disable address translation.

    To define the virtual servers from the command line

    First, create a forwarding network virtual server for inbound VPN traffic:

    b virtual 192.168.13.0:0 netmask 255.255.255.0 forward

    Then, create a virtual server to load balance traffic outbound to the remote machines through VPNs:

    b virtual 192.168.11.0:0 netmask 255.255.255.0 use pool vpn_insides

    b virtual 192.168.11.0:0 translate addr disable

    (This addresses nodes 192.168.11.1, 192.168.11.2, and 192.168.11.3 that represent the IBM Compatible, Tower box, and MacIntosh on the remote network in Figure 7.1.)

Enabling service 80 and service 443

This step is only required if you configure this solution from the command line. If you use the web-based Configuration utility for this solution, the services are automatically enabled. Use the following command to enable service 80 and service 443.

b service 80 443 tcp enable

Using VPN and router load balancing

You can use the transparent device load balancing feature in the BIG-IP to connect to private networks, as well as to load balance Internet connections through multiple routers. Figure 7.2 is an example of this network configuration.

Configuring virtual servers for VPN and router load balancing

The following topics deal with only the VPN configuration for the BIG-IP on network 192.168.13.100 (BIG-IP 2). The configuration for 192.168.11.100 is done the same way, but you use different network numbers.

Figure 7.2 An example of a VPN and multiple router load balancing configuration

Configuring VPN and router load balancing

First, complete the following tasks on the BIG-IP:

  • Create load balancing pools
    Create load balancing pools for the content servers, the routers, and the three VPNs.
  • Create four virtual servers
    Create four virtual servers. The first virtual server load balances inbound Internet traffic. The second virtual server load balances outbound Internet traffic. The third virtual server forwards inbound VPN connections. The fourth virtual server load balances outbound VPN connections.
  • Configure network address translation
    Configure NATs or SNAT automap for outbound traffic so that replies will arrive though the same VPN the request went out on.
  • Enable service 80 and service 443
    Enable service 80 and 443 for traffic. This step is only required if you configure this solution from the command line. The web-based Configuration utility automatically opens the ports.

Defining the pools for VPN load balancing

Next, create three pools. Create one pool that load balances the content servers, one that load balances the routers, and one that load balances the VPNs. For example:

  • Create a server pool named server_pool. This pool contains the following members: <server1> and <server2>
  • Create a pool named router_insides with the following members: <router1> and <router2>
  • Create a pool named vpn_insides. This pool contains the following members: <vpn1>, <vpn2>, and <vpn3>

    To create the pools using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. Click the Add button.
    The Add Pool screen opens.
  3. For each pool, enter the pool name and member addresses in the Add Pool screen. (For additional information about configuring a pool, click the Help button.)

    Configuration notes

    Create a server pool named server_pool. This pool contains the following members: <server1> and <server2>.

    Create a pool named router_insides with the following members: <router1> and <router2>.

    Create a pool named vpn_insides. This pool contains the following members: <vpn1>, <vpn2>, and <vpn3>.

    To define a pool from the command line

    First, define the pool server_pool for the content servers:

    b pool server_pool { \

    member <server1>:80 \

    member <server2>:80 \

    You will replace <server1>, <server2>, and <server3> with the IP address of each respective server.

    Next, define the pool router_insides for the internal addresses of the routers:

    b pool router_insides { \

    member <router1>:0 \

    member <router2>:0 }

    Replace <router1> and <router2> with the internal IP address of each respective router.

    Finally, define the pool vpn_insides for the internal addresses of the VPN routers:

    b pool vpn_insides { \

    member <vpn1>:0 \

    member <vpn2>:0 \

    member <vpn3>:0 }

    Replace <vpn1>, <vpn2>, and <vpn3> with the external IP address of each respective router.

Defining the virtual servers for VPN and router load balancing

After you define the pools for the inside IP addresses of the routers, you need to define the following virtual servers for the BIG-IP 2. For example:

  • For the inbound Internet connection, configure the virtual server 172.100.12.20:80 using server_pool.
  • For the outbound Internet connection, configure the wildcard virtual server 0.0.0.0:0 using router_insides.
  • For the inbound VPN connections, create the forwarding network virtual server 192.168.13.0:0. Turn forwarding on.
  • For the outbound VPN connections, create the network virtual server 192.168.11.0:0. Use pool vpn_insides and disable port and address translation.

    To define the virtual server using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
    The Virtual Servers screen opens.
  2. Click the Add button.
    The Add Virtual Server screen opens.
  3. For each virtual server, enter the virtual server address and pool name. (For additional information about configuring a virtual server, click the Help button.)

    Configuration notes

    For the inbound Internet connection, configure the virtual server 172.100.12.20:80 using server_pool.

    For the outbound Internet connection, configure the wildcard virtual server 0.0.0.0:0 using router_insides.

    For the inbound VPN connections, create the forwarding network virtual server 192.168.13.0:0. Turn forwarding on.

    For the outbound VPN connections, create the network virtual server 192.168.11.0:0. Use pool vpn_insides and disable port and address translation.

    To define virtual servers from the command line

    First, configure the BIG-IP to handle inbound traffic from the remote network.

    Create the virtual server for BIG-IP 2 with the following commands:

    b virtual 192.168.13.0:0 forward

    Then, configure BIG-IP 2 to handle outbound traffic. Create a virtual server that sends traffic to the pool you created for the internal interfaces of the VPN routers (vpn_insides). Use the following commands to create virtual servers for connecting to the machines on the remote network:

    b virtual 192.168.11.0:0 use pool vpn_insides

    b virtual 192.168.11.0:0 translate addr disable

    This addresses the nodes 192.168.11.1, 192.168.11.2, and 192.168.11.3 that correspond to the IBM Compatible, Tower box, and MacIntosh on the remote network in Figure 7.2, on page 7-5.

    Then, create a virtual server to handle inbound traffic:

    b virtual 172.100.12.20:80 use pool server_pool

    Finally, configure BIG-IP 2 to handle outbound traffic. Create a virtual server that sends traffic to the pool you created for the internal interfaces of the routers (router_insides). Use the following command to create the virtual server:

    b virtual 0.0.0.0:0 use pool router_insides

Configuring network address translation on routers

For outbound traffic you must now set up address translation so that replies will arrive through the same router the request went out on. Specifically, you must either configure your routers so that they perform network address translation (NAT), or you must configure SNAT automap.

For instructions on NAT configuration, refer to your router documentation.

To perform the SNAT automap you must perform three steps:

  • Assign IP-specific self addresses to the external VLAN corresponding the IP networks of the two routers
  • Enable SNAT automap for each of the self addresses.
  • Enable SNAT automap for the internal VLAN.

    To create self addresses and enable SNAT automap to the router inside interfaces using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. Click the Self IP Addresses tab.
    The Self IP Addresses screen opens.
  3. Click the Add button.
    The Add Self IP Address screen opens.
  4. For each router, add a new self IP address with the inside IP network address of the router and SNAT Automap enabled.
  5. On the Network screen, click the VLANs tab.
    The VLANs screen opens.
  6. Click the internal VLAN.
    The VLAN Internal screen opens.
  7. In the VLAN Internal screen, click a check in the SNAT Automap box.
    For additional information about adding a VLAN, click the Help button.

    To create VLAN mappings with SNAT auto mapping to the router inside interfaces from the command line

    Create IP-specific self addresses on the third VLAN with these commands:

    b self <ip_addr1> vlan <vlan_name> snat automap enable

    b self <ip_addr2> vlan vlan_name> snat automap enable

    Enable snat automap on the internal VLAN using this command:

    b vlan <int_vlan> snat automap enable

    For example:

    b self 11.11.11.5 vlan external snat automap enable

    b self 11.11.12.5 vlan external snat automap enabl

    b vlan internal snat automap enable

Enabling service 80 and service 443

This step is required only if you configure this solution from the command line. If you use the web-based Configuration utility for this solution, the services are automatically enabled. Use the following command to enable service 80 and service 443.

b service 80 443 tcp enable

Additional configuration options

Whenever a BIG-IP is configured, you have a number of options:

  • You have the option in all configurations to configure a BIG-IP redundant system for fail-over. Refer to Chapter 5, Configuring a Redundant System, in the BIG-IP Reference Guide.
  • All configurations have health monitoring options. Refer to Health Monitors in Chapter 3, Configuring the High-Level Network, in the BIG-IP Reference Guide.
  • When you create a pool, there is an option to set up persistence and a choice of load balancing methods. Refer to Pools in the Chapter 3, Configuring the High-Level Network, in the BIG-IP Reference Guide.