What is the minimum traffic which should be permitted to reach a VPN Cluster address (assuming this can be restricted through an upstream router or within a firewall ruleset) from the outside world?
My understanding is that the VPN client will first connect to the virtual cluster address and then be redirected to the Public IP address of one of the cluster members during IKE negotiation. This implies that only UDP 500 (and the port associated with IPSec over TCP, e.g. 10000) need be permitted to the virtual cluster address. Therefore ESP, UDP 4500, UDP 10000 need only be permitted to the Public IP addresses of the cluster members.
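As an added example (not part of the original question, and not a confirmed answer to it), the following Python encodes the port list exactly as the question states it into a small policy table, checks candidate flows against it, and emits the equivalent iptables rules. The addresses, the rule names and the `FORWARD` chain are placeholder assumptions; the port/protocol split between the virtual cluster address and the member addresses is taken verbatim from the question, so anything the question does not list is dropped.

```python
# Policy checker for the cluster-VIP vs member-IP split described in the question.
# Addresses below are constructed placeholders, not real cluster addresses.
CLUSTER_VIP = "192.0.2.10"
MEMBER_IPS = {"192.0.2.11", "192.0.2.12"}

# IP protocol numbers used in the table.
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_NAMES = {PROTO_TCP: "tcp", PROTO_UDP: "udp", PROTO_ESP: "esp"}

# (destination class, protocol, destination port or None for port-less protocols),
# encoding the understanding stated in the question and nothing more.
RULES = [
    ("vip", PROTO_UDP, 500),       # IKE to the virtual cluster address
    ("vip", PROTO_TCP, 10000),     # IPSec over TCP to the virtual cluster address
    ("member", PROTO_ESP, None),   # ESP to the members' public addresses
    ("member", PROTO_UDP, 4500),   # NAT-T to the members
    ("member", PROTO_UDP, 10000),  # UDP 10000 to the members, as listed in the question
]


def classify(dst):
    """Return which address class a destination belongs to, or None if unknown."""
    if dst == CLUSTER_VIP:
        return "vip"
    if dst in MEMBER_IPS:
        return "member"
    return None


def permitted(dst, proto, dport=None):
    """True if the flow matches an explicit permit; everything else is denied."""
    target = classify(dst)
    if target is None:
        return False
    return any(t == target and p == proto and port == dport for t, p, port in RULES)


def audit(flows):
    """Evaluate a list of (dst, proto, dport) tuples and return [(flow, 'ACCEPT'|'DROP')]."""
    return [(flow, "ACCEPT" if permitted(*flow) else "DROP") for flow in flows]


def to_iptables(chain="FORWARD"):
    """Render the table as iptables commands: explicit accepts, then a drop per address."""
    targets = {"vip": [CLUSTER_VIP], "member": sorted(MEMBER_IPS)}
    lines = []
    for target, proto, port in RULES:
        for addr in targets[target]:
            rule = f"iptables -A {chain} -d {addr} -p {PROTO_NAMES[proto]}"
            if port is not None:
                rule += f" --dport {port}"
            lines.append(rule + " -j ACCEPT")
    for addr in [CLUSTER_VIP] + sorted(MEMBER_IPS):
        lines.append(f"iptables -A {chain} -d {addr} -j DROP")
    return lines


if __name__ == "__main__":
    # Constructed sample flows: what the table accepts and, just as usefully, what it drops.
    sample = [
        (CLUSTER_VIP, PROTO_UDP, 500),
        (CLUSTER_VIP, PROTO_ESP, None),
        ("192.0.2.11", PROTO_ESP, None),
        ("192.0.2.11", PROTO_UDP, 4500),
        ("192.0.2.11", PROTO_UDP, 500),
    ]
    for flow, verdict in audit(sample):
        print(f"{verdict:6} {flow}")
    print("\n".join(to_iptables()))
```

The `audit` output is the useful part for a reviewer of this question: it shows not only that ESP to the virtual address is dropped under the stated model, but also that UDP 500 to a member address is dropped because the question does not list it, which is precisely the kind of flow the answers should confirm or correct before the ruleset is deployed.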