VPN concentrator behind CSS

Unanswered Question
Jul 30th, 2007

I would like to set up a 3005 VPN Concentrator behind a CSS device.

How many services need to be set up for this?

Is there a sample config somewhere that would show what is needed?

Gilles Dufour Tue, 07/31/2007 - 01:13

Do you want to load balance the VPN connections? Or simply route the traffic through the CSS?

For basic routing, no service is required.

Gilles.

wilson_1234_2 Tue, 07/31/2007 - 03:21

I want to do a failover solution to a different ip subnet, but use the same DNS name.

So, you can call it a load balancing situation.

I will need to set up a VIP and services and a service group maybe?

Can I do that?

Gilles Dufour Tue, 07/31/2007 - 07:19

The CSS does not support IPsec traffic.

So you'll need to use your VPN in TCP/UDP mode.

Just want to make sure you are aware of that.

In TCP/UDP mode, you will then configure the CSS just as if the VPN were a server [like HTTP].

So you create a service for the VPN address, then a content rule using this service.

A group is only required if you need to NAT the client IP address, i.e. to guarantee that the response from the VPN goes back to the CSS.

With this config, the CSS will NAT the destination IP [the VIP] to the VPN IP [service IP].

I'm not a VPN expert, but I assume this is OK. If not, you can configure the service to be in transparent mode.

Gilles.
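The service / content rule / source group layout Gilles describes, written out as a CSS configuration fragment. This is an added illustration, not a config from the original thread or from Cisco. Every address, name and port in it is assumed: 10.1.1.5 stands for the 3005's private interface, 192.168.1.100 for the VIP the DNS name resolves to, and TCP 10000 for the IPsec-over-TCP port the concentrator is assumed to be configured with (plain ESP would not pass the CSS, as the reply notes).

```text
! Added example (constructed addresses and names, not from the thread)
! Service: the real VPN 3005, treated like an ordinary TCP server.
service vpn-3005
  ip address 10.1.1.5
  protocol tcp
  port 10000
  keepalive type tcp
  keepalive port 10000
  active

! Content rule: the VIP clients connect to. The CSS rewrites the
! destination (VIP) to the service IP, which is the NAT Gilles refers to.
owner vpn
  content vpn-tcp
    vip address 192.168.1.100
    protocol tcp
    port 10000
    add service vpn-3005
    active

! Source group: only needed when the 3005's return path does not go
! through the CSS. It replaces the client source IP with the group VIP
! so the concentrator's replies are routed back to the CSS.
group vpn-clients
  vip address 192.168.1.100
  add service vpn-3005
  active
```

For a failover pair on a different subnet, a second `service` with its own `ip address` is added to the same content rule (and to the group, if one is used); the CSS keepalive then decides which concentrator receives new connections. If NAT-T over UDP is used instead of TCP, the content rule and service need `protocol udp` and the matching port, since the CSS classifies flows per protocol and port.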

wilson_1234_2 Tue, 07/31/2007 - 08:14

Thanks for the reply,

So,

When you mentioned this:

"The CSS does not support IPsec traffic.

So you'll need to use your VPN in TCP/UDP mode.

Just want to make sure you are aware of that."

Were you mentioning this from a security perspective?

Gilles Dufour Tue, 07/31/2007 - 22:58

No, in terms of security, IPsec and IPsec over TCP are identical.

Just wanted you to know that plain IPsec would not go through the CSS.

Gilles.
