Manual Chapter : BIG-IP Solutions Guide v4.2: Load Balancing IPSEC Traffic

Applies To:

BIG-IP versions 1.x - 4.x

  • 4.2 PTF-10, 4.2 PTF-09, 4.2 PTF-08, 4.2 PTF-07, 4.2 PTF-06, 4.2 PTF-05, 4.2 PTF-04, 4.2 PTF-03, 4.2 PTF-02, 4.2 PTF-01, 4.2.0


Chapter 8: Load Balancing IPSEC Traffic



Configuring load balancing IPSEC traffic across VPN gateways

The previous chapter shows how to load balance across three VPN gateways. The IPSEC protocol (Internet Protocol Security) enables you to load balance between gateways as well. Figure 8.1 shows inbound IPSEC traffic being load balanced to one of three destination VPN gateways.

Figure 8.1 VPN load balancing between VPN gateways

In this configuration, address translation is on, and IPSEC is in tunnel mode with ESP (Encapsulating Security Payload) specified. The hop shown by the blue arrow represents the IPSEC part of the transmission. A packet originating from Client4 with Client6 as its destination is encapsulated by the VPN gateway (VPN4) serving the client and traverses the Internet in this secure form. The BIG-IP then load balances the packet to one of three destination gateways: VPN1, VPN2, or VPN3. The VPN to which it is load balanced then becomes the established gateway, or tunnel, for packets from VPN4. Traffic from Client1, a separate VPN connection, would be load balanced to a different destination VPN.

For this configuration to work, IPSEC requires certain special settings on the clients and servers, and on the BIG-IP:

  • On clients and servers, IPSEC must be configured in tunnel mode with ESP.
  • You must enable Any IP mode for the virtual servers on the BIG-IP.
  • Enable address translation on the BIG-IP.
  • Enable UDP on the BIG-IP to support internet key exchange (IKE) traffic.
  • Enable persistence across services on the BIG-IP.
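The last two settings work together: because IKE arrives on UDP 500 while ESP arrives on the wildcard (Any IP) service, a gateway that never saw a client's IKE exchange has no security association for that client's ESP packets and cannot decrypt them. The following toy model is an added example, not F5 code; it uses the chapter's constructed 10.1.10.x gateway addresses and constructed 192.0.2.x addresses for the client-side gateways, and shows what happens to ESP traffic when persistence is keyed per service versus across services.

```python
from dataclasses import dataclass, field

# Constructed values: outside addresses of the three destination VPN gateways
GATEWAYS = ["10.1.10.1", "10.1.10.2", "10.1.10.3"]
IKE_SERVICE = 500    # internet key exchange, UDP 500
ANY_IP_SERVICE = 0   # wildcard service: ESP is carried as raw IP protocol 50


@dataclass
class Packet:
    src: str       # outside address of the client-side VPN gateway (e.g. VPN4)
    service: int   # virtual server service the packet arrived on


@dataclass
class Gateway:
    addr: str
    sas: set = field(default_factory=set)   # peers with an IKE-established SA

    def receive(self, pkt):
        """Return True if the gateway can process the packet."""
        if pkt.service == IKE_SERVICE:
            self.sas.add(pkt.src)      # IKE negotiation establishes the tunnel
            return True
        return pkt.src in self.sas     # ESP needs the SA negotiated on this gateway


@dataclass
class LoadBalancer:
    gateways: list
    persist_across_services: bool
    table: dict = field(default_factory=dict)   # persistence records
    rr: int = 0                                 # round-robin cursor

    def select(self, pkt):
        # Across services the record is keyed on the client only, so IKE and
        # ESP from one client follow each other; otherwise each service
        # gets its own record and its own round-robin pick.
        key = pkt.src if self.persist_across_services else (pkt.src, pkt.service)
        if key not in self.table:
            self.table[key] = self.gateways[self.rr % len(self.gateways)]
            self.rr += 1
        return self.table[key]


def simulate(persist_across_services, clients=("192.0.2.4", "192.0.2.1")):
    """Each client sends one IKE exchange followed by two ESP packets."""
    gws = {a: Gateway(a) for a in GATEWAYS}
    lb = LoadBalancer(list(GATEWAYS), persist_across_services)
    delivered = dropped = 0
    for client in clients:
        for svc in (IKE_SERVICE, ANY_IP_SERVICE, ANY_IP_SERVICE):
            pkt = Packet(client, svc)
            if gws[lb.select(pkt)].receive(pkt):
                delivered += 1
            else:
                dropped += 1
    return {"delivered": delivered, "dropped": dropped, "table": dict(lb.table)}


if __name__ == "__main__":
    for mode in (False, True):
        r = simulate(mode)
        print(f"persist_across_services={mode}: "
              f"delivered={r['delivered']} dropped={r['dropped']}")
```

With per-service persistence every ESP packet in the run lands on a gateway that holds no SA for its sender and is dropped; with persistence across services each client's ESP follows its IKE exchange to the same gateway, which is the behaviour the `b global persist_across_services enable` step below provides.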

Configuring IPSEC load balancing

First, configure your servers and clients for IPSEC tunnel mode with ESP. Refer to the documentation provided with the server or client. Be sure to use the same security association for all clients.

Next, complete the following tasks on the BIG-IP:

  • Create two load balancing pools
    Create two load balancing pools for the VPN destination gateways, one specifying port 500 for internet key exchange, one specifying a wildcard service (0) for Any IP mode.
  • Create two virtual servers
    Create two virtual servers for referencing the two pools, one specifying port 500 for internet key exchange, one specifying a wildcard service (0) for Any IP (IPSEC) traffic.
  • Enable UDP
    Enable UDP for internet key exchange (IKE) traffic.
  • Enable persistence
    Enable persistence across services.

Defining the pools

To configure IPSEC load balancing, you first define one pool that load balances the VPN destination gateways with a wildcard port, and one pool that load balances the VPN destination gateways handling service 500 traffic.

To create the pools using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. Click the Add button.
    The Add Pool screen opens.
  3. For each pool, enter the pool name and member addresses in the Add Pool screen. (For additional information about configuring a pool, click the Help button.)

    Configuration notes

    Create a VPN pool named vpn_anyip. This pool contains the outside addresses of the three VPN destination gateways with service 0.

    Create a VPN pool named vpn_ike. This pool contains the outside addresses of the three VPN destination gateways with service 500.

To define pools from the command line

Use the following syntax to define the pools at the command line:

b pool <pool_name> { member <member1> member <member2> ... }

To create the configuration described in this solution, type the following commands:

b pool vpn_anyip { \
member 10.1.10.1:0 \
member 10.1.10.2:0 \
member 10.1.10.3:0 }

b pool vpn_ike { \
member 10.1.10.1:500 \
member 10.1.10.2:500 \
member 10.1.10.3:500 }

Defining the virtual servers

After you define the pools for the VPNs, you can define the following virtual servers, one to load balance Any IP (IPSEC) traffic, and one to load balance internet key exchange traffic.

To define the virtual server using the Configuration utility

Use this procedure for each BIG-IP that you need to configure.

  1. In the navigation pane, click Virtual Servers.
  2. Click the Add button.
    The Add Virtual Server screen opens.
  3. For each virtual server, enter the virtual server address and pool name. (For additional information about configuring a virtual server, click the Help button.)
  4. Fill in the attributes for the virtual server. For additional information about this screen, click the Help button.
  5. For each of the two VPN load-balancing virtual servers:
  6. Click the Virtual Address Properties tab.
    The Virtual Address Properties screen opens.
  7. In the Any IP Traffic area, check the Enable box. Then click Apply.

    Configuration notes

    Create the virtual server 192.168.13.100:0 and use the pool vpn_anyip.

    Create the virtual server 192.168.13.100:500 and use the pool vpn_ike.

To define the virtual servers from the command line

Define the virtual servers from the command line as follows:

b virtual 192.168.13.100:0 use pool vpn_anyip

b virtual 192.168.13.100:500 use pool vpn_ike

Then, enable Any IP for both virtual servers:

b virtual 192.168.13.100 any_ip enable

Enabling UDP

After you enable the Any IP feature for the virtual servers, enable UDP 500 so that the BIG-IP can handle internet key exchange (IKE) traffic:

b service 500 udp enable

Enabling persistence across services

Finally, complete the configuration by setting up persistence across services on the BIG-IP:

b global persist_across_services enable
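The command-line steps above form one configuration with several settings that must agree with each other: the Any IP pool and the IKE pool must list the same gateway addresses, the two virtual servers must share one address, and Any IP, UDP 500 and persistence across services must all be enabled. The following audit script is an added example, not F5 code; it parses the bigpipe commands exactly as typed in this chapter (joined across the backslash continuations), using a constructed copy of the chapter's commands as input, and reports anything missing. It assumes the input is a command file in that syntax, not the format of a saved bigip.conf.

```python
import shlex

# Constructed sample: the commands from this chapter, as they would be typed.
SAMPLE_CONFIG = r"""
b pool vpn_anyip { \
member 10.1.10.1:0 \
member 10.1.10.2:0 \
member 10.1.10.3:0 }
b pool vpn_ike { \
member 10.1.10.1:500 \
member 10.1.10.2:500 \
member 10.1.10.3:500 }
b virtual 192.168.13.100:0 use pool vpn_anyip
b virtual 192.168.13.100:500 use pool vpn_ike
b virtual 192.168.13.100 any_ip enable
b service 500 udp enable
b global persist_across_services enable
"""


def parse(text):
    """Collect pools, virtual servers and global settings from bigpipe commands."""
    cfg = {"pools": {}, "virtuals": {}, "any_ip": set(),
           "udp_services": set(), "globals": {}}
    for line in text.replace("\\\n", " ").splitlines():   # join continuations
        tok = shlex.split(line)
        if len(tok) < 3 or tok[0] != "b":
            continue
        if tok[1] == "pool":
            cfg["pools"][tok[2]] = [tok[i + 1] for i, t in enumerate(tok) if t == "member"]
        elif tok[1] == "virtual" and "use" in tok:
            cfg["virtuals"][tok[2]] = tok[tok.index("pool") + 1]
        elif tok[1] == "virtual" and tok[3:5] == ["any_ip", "enable"]:
            cfg["any_ip"].add(tok[2])
        elif tok[1] == "service" and tok[3:5] == ["udp", "enable"]:
            cfg["udp_services"].add(int(tok[2]))
        elif tok[1] == "global" and len(tok) >= 4:
            cfg["globals"][tok[2]] = tok[3]
    return cfg


def split_member(m):
    addr, port = m.rsplit(":", 1)
    return addr, int(port)


def audit(text):
    """Return a list of findings; an empty list means the IPSEC setup is complete."""
    cfg = parse(text)
    findings = []
    vips = {}
    for vs, pool in cfg["virtuals"].items():
        addr, port = split_member(vs)
        vips.setdefault(addr, {})[port] = pool
    if not vips:
        findings.append("no virtual servers defined")
    for addr, ports in vips.items():
        if 0 not in ports or 500 not in ports:
            findings.append(f"{addr}: needs both a :0 (Any IP) and a :500 (IKE) virtual server")
            continue
        if addr not in cfg["any_ip"]:
            findings.append(f"{addr}: Any IP not enabled (b virtual {addr} any_ip enable)")
        anyip_members = cfg["pools"].get(ports[0], [])
        ike_members = cfg["pools"].get(ports[500], [])
        anyip_gws = {split_member(m)[0] for m in anyip_members if split_member(m)[1] == 0}
        ike_gws = {split_member(m)[0] for m in ike_members if split_member(m)[1] == 500}
        if len(anyip_gws) != len(anyip_members) or len(ike_gws) != len(ike_members):
            findings.append(f"{addr}: members of {ports[0]} must use service 0 and "
                            f"members of {ports[500]} must use service 500")
        if anyip_gws != ike_gws:
            findings.append(f"{addr}: gateway sets differ between {ports[0]} and "
                            f"{ports[500]}: {sorted(anyip_gws ^ ike_gws)}")
    if 500 not in cfg["udp_services"]:
        findings.append("UDP 500 not enabled (b service 500 udp enable)")
    if cfg["globals"].get("persist_across_services") != "enable":
        findings.append("persist_across_services not enabled")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG) or ["OK: IPSEC load balancing configuration complete"]:
        print(f)
```

Run it against a file of the commands before applying them, or against the chapter's sample as above; a gateway present in `vpn_anyip` but missing from `vpn_ike` (or the reverse) is reported as a differing gateway set, which is the mistake that leaves one gateway receiving ESP it can never decrypt.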

IPSEC VPN sandwich configuration

You can also load balance incoming IPSEC traffic across content servers by adding a second BIG-IP in a VPN sandwich configuration. Figure 8.2 shows the VPN sandwich configuration.

Figure 8.2 VPN load balancing between VPN gateways

When you set up the sandwich configuration, the configuration tasks you use are identical to those you use for the basic VPN IPSEC configuration. The exception is that you also configure a load balancing pool and virtual server on the second BIG-IP. For example:

  • Create a VPN pool named server_pool. This pool contains as members the addresses of the four content servers: server1, server2, server3, and server4.
  • Create the virtual server 10.1.20.10:80 and use the pool server_pool.

Defining the additional pool

To create the pool using the Configuration utility

For the BIG-IP in Figure 8.2 labeled BIG-IP 2:

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. Click the Add button.
    The Add Pool screen opens.
  3. For each pool, enter the pool name and member addresses in the Add Pool screen. (For additional information about configuring a pool, click the Help button.)

    Configuration note

    Create a VPN pool named server_pool. This pool contains as members the addresses of the four content servers: server1, server2, server3, and server4.

To define the pool from the command line

Use the following syntax to define the pool from the command line:

b pool <pool_name> { member <member1> member <member2> ... }

To create the configuration described in this solution, type the following command.

b pool server_pool { \
member 10.1.20.1:80 \
member 10.1.20.2:80 \
member 10.1.20.3:80 \
member 10.1.20.4:80 }

Defining the additional virtual server

To define the additional virtual server using the Configuration utility

For each BIG-IP to be configured:

  1. In the navigation pane, click Virtual Servers.
    The Virtual Servers screen opens.
  2. Click the Add button.
    The Add Virtual Server screen opens.
  3. For each virtual server, enter the virtual server address and pool name. (For additional information about configuring a virtual server, click the Help button.)

To define the virtual server from the command line

To define the virtual server from the command line, type the following command.

b virtual 10.1.20.10:80 use pool server_pool

Additional configuration options

Whenever a BIG-IP is configured, you have a number of options:

  • You have the option in all configurations to configure a BIG-IP redundant system for fail-over. Refer to Chapter 6, Configuring a Redundant System, in the BIG-IP Reference Guide.
  • All configurations have health monitoring options. Refer to Health Monitors in Chapter 4, Configuring the High-Level Network, in the BIG-IP Reference Guide.
  • When you create a pool, there is an option to set up persistence and a choice of load balancing methods. Refer to Pools in Chapter 4, Configuring the High-Level Network, in the BIG-IP Reference Guide.