07-30-2007 03:57 PM
I would like to set up a 3005 VPN Concentrator behind a CSS device.
How many services need to be set up for this?
Is there a sample config somewhere that would show what is needed?
07-31-2007 01:13 AM
Do you want to load-balance the VPN connections? Or simply route the traffic through the CSS?
For basic routing, no service is required.
Gilles.
07-31-2007 03:21 AM
I want to do a failover solution to a different IP subnet, but use the same DNS name.
So, you can call it a load balancing situation.
I will need to set up a VIP and services and a service group maybe?
Can I do that?
07-31-2007 07:19 AM
The CSS does not support IPsec traffic.
So you'll need to use your VPN in TCP/UDP mode.
Just want to make sure you are aware of that.
If TCP/UDP mode, you will then configure the CSS just as if the VPN was a server [like HTTP].
So you create a service for the VPN address, then a content rule using this service.
A group is only required if you need to NAT the client IP address, i.e. to guarantee that the response from the VPN goes back to the CSS.
With this config, the CSS will NAT the destination IP [the VIP] with the VPN IP [service IP].
I'm not a VPN expert but I assume this is OK. If not, you can configure the service to be in transparent mode.
Gilles.
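The service, content rule and optional group described in the reply above, sketched as CSS configuration. This is an added example, not part of the original posts: every name and address is a constructed placeholder, and it assumes the concentrators run IPsec over TCP on port 10000 and that there are two of them in different subnets.

```text
! Constructed example: names and addresses are placeholders.
! Assumes IPsec over TCP on port 10000 on each concentrator.

service vpn3005-a
  ip address 10.10.10.5
  protocol tcp
  port 10000
  keepalive type tcp
  keepalive port 10000
  active

service vpn3005-b
  ip address 10.20.20.5
  protocol tcp
  port 10000
  keepalive type tcp
  keepalive port 10000
  active

! Content rule: clients connect to the VIP, and the CSS rewrites
! the destination to the address of a service that is alive.
owner vpn
  content ipsec-tcp
    vip address 192.0.2.10
    protocol tcp
    port 10000
    add service vpn3005-a
    add service vpn3005-b
    active

! Optional source group: only needed when replies from the
! concentrators would otherwise not return through the CSS.
group vpn-snat
  vip address 10.10.10.2
  add destination service vpn3005-a
  add destination service vpn3005-b
  active
```

With the source group active, the concentrators see the group VIP as the peer address instead of the real client address, so their connection logs no longer identify clients by source IP.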
07-31-2007 08:14 AM
Thanks for the reply,
So,
When you mentioned this:
"The CSS does not support IPsec traffic.
So you'll need to use your VPN in TCP/UDP mode.
Just want to make sure you are aware of that."
Were you mentioning this from a security perspective?
07-31-2007 10:58 PM
No, in terms of security, IPsec or IPsec over TCP are identical.
Just wanted you to know that plain IPsec would not go through the CSS.
Gilles.