Manual Chapter : BIG-IP Administrator guide v3.3: VPN Load Balancing

Applies To:


BIG-IP versions 1.x - 4.x

  • 3.3.1 PTF-06, 3.3.1 PTF-05, 3.3.1 PTF-04, 3.3.1 PTF-03, 3.3.1 PTF-02, 3.3.1 PTF-01, 3.3.1, 3.3.0
Chapter 5: VPN Load Balancing



VPN load balancing

You can use the BIG-IP Controller to load balance virtual private network (VPN) gateways used to connect two private networks. Since neither translation nor load balancing is required, you can combine a forwarding virtual server with a last hop pool.

Figure 5.1 An example of a VPN load balancing configuration

Configuring interfaces for VPN load balancing

A VPN load balancing configuration requires special interface configuration. You must configure the interfaces on the redundant BIG-IP Controller system (1a and 1b, and 2a and 2b, in Figure 5.1) to process source and destination addresses. Note that in a basic controller configuration, one interface is configured as an internal interface (source processing), and the other interface is configured as an external interface (destination processing).

In order for VPN load balancing to work, you must turn destination processing on for the internal interface, and source processing on for the external interface. Use the following command to turn destination processing on for the internal interface (in this example, the interface is named exp1):

bigpipe interface exp1 dest enable

Use the following command to turn source processing on for the external interface (in this example, the interface is named exp0):

bigpipe interface exp0 source enable

Configuring virtual servers for VPN load balancing

In the following examples, only the configuration for the BIG-IP Controllers on network 192.168.11 (controllers 2a and 2b) is shown. The configuration for 192.168.13 is the same, only with different network numbers. Since VPNs are connection-oriented, you must set up a last hop pool for sending the return traffic back through the VPN that originated the traffic. After you create the pools, you can create the virtual servers that reference these pools.

Defining the pools for VPN load balancing

First, define the pool vpn_insides for the internal addresses of the VPN routers. Use the following command to create the pool vpn_insides:

bigpipe pool vpn_insides { lb_mode rr member <vpn1>:22 member <vpn2>:22 member <vpn3>:22 }

Replace <vpn1>, <vpn2>, and <vpn3> with the internal IP addresses of the respective routers. In this example the routers are service checked on port 22. Also note that this example uses the global round robin load balancing method.

Finally, define the pool server_pool for the nodes that handle the requests to virtual server 205.100.19.22:80:

bigpipe pool server_pool { lb_mode rr member <server1>:80 member <server2>:80 member <server3>:80 }

Replace <server1>, <server2>, and <server3> with the internal IP addresses of the respective servers. Also note that this example uses the global round robin load balancing method.

Defining the virtual servers for VPN load balancing

After you define the pools for the inside IP addresses of the routers, you can define the virtual servers for the redundant BIG-IP Controllers 2a and 2b.

  • Configure the redundant controllers to load balance inbound connections
  • Configure the redundant controllers to load balance outbound connections

Inbound configuration

First, configure the controllers to handle inbound traffic from the remote network.

Create the virtual servers for controllers 2a and 2b with the following commands:

bigpipe vip 192.168.13.1:0 exp1 forward

bigpipe vip 192.168.13.2:0 exp1 forward

bigpipe vip 192.168.13.3:0 exp1 forward

Configure the virtual servers to use the last hop pool with the inside VPN router addresses:

bigpipe vip 192.168.13.1:0 lasthop pool vpn_insides

bigpipe vip 192.168.13.2:0 lasthop pool vpn_insides

bigpipe vip 192.168.13.3:0 lasthop pool vpn_insides

Outbound configuration

Next, configure controllers 2a and 2b to handle outbound traffic. Create a virtual server that sends traffic to the pool you created for the internal interfaces of the VPN routers (vpn_insides). Use the following commands to create virtual servers for connecting to the machines on the remote network:

bigpipe vip 192.168.11.1:0 exp1 use pool vpn_insides

bigpipe vip 192.168.11.1:0 translate addr disable

bigpipe vip 192.168.11.1:0 translate port disable

bigpipe vip 192.168.11.2:0 exp1 use pool vpn_insides

bigpipe vip 192.168.11.2:0 translate addr disable

bigpipe vip 192.168.11.2:0 translate port disable

bigpipe vip 192.168.11.3:0 exp1 use pool vpn_insides

bigpipe vip 192.168.11.3:0 translate addr disable

bigpipe vip 192.168.11.3:0 translate port disable

The addresses 192.168.11.1, 192.168.11.2, and 192.168.11.3 correspond to the IBM Compatible, Tower box, and Mac Classic on the remote network in Figure 5.1. Note that port translation has been turned off because the members in the vpn_insides pool were defined with port 22 for service checking. If port translation were not disabled, all outbound connections through these virtual servers would be translated to port 22.

VPN and router load balancing

You can use the transparent device load balancing feature in the BIG-IP Controller to connect two private networks as well as load balance internet connections through multiple routers. Figure 5.2 is an example of this network configuration.

Figure 5.2 An example of a VPN and multiple router load balancing configuration

Configuring interfaces for VPN load balancing

A VPN load balancing configuration requires special interface configuration. The interfaces on the redundant BIG-IP Controller system (1a and 1b, and 2a and 2b, in Figure 5.2) must be set to process source and destination addresses. Note that in a basic controller configuration, one interface is configured as an internal interface (source processing), and the other interface is configured as an external interface (destination processing).

In order for VPN load balancing to work, you must turn destination processing on for the internal interface, and source processing on for the external interface. Use the following command to turn destination processing on for the internal interface (in this example, the interface is named exp1):

bigpipe interface exp1 dest enable

Use the following command to turn source processing on for the external interface (in this example, the interface is named exp0):

bigpipe interface exp0 source enable

Configuring virtual servers for VPN and router load balancing

In the following examples, only the configuration for the BIG-IP Controllers on network 192.168.11 (controllers 2a and 2b) is shown. The configuration for 192.168.13 is the same, only with different network numbers. Since VPNs are connection-oriented, VPN and router load balancing requires you to create a pool for the inside interfaces on the VPNs and routers. After you create the pools, you can create the virtual servers that reference them.

Defining the pools for VPN load balancing

First, define the pool vpn_insides for the internal addresses of the VPN routers. Use the following command to create the pool vpn_insides:

bigpipe pool vpn_insides { lb_mode rr member <vpn1>:0 member <vpn2>:0 member <vpn3>:0 }

Replace <vpn1>, <vpn2>, and <vpn3> with the external IP addresses of the respective routers. Also note that this example uses the global round robin load balancing method.

Defining pools for the additional routers

Next, define the pool routers_insides for the internal addresses of the routers. Use the following command to create the pool routers_insides:

bigpipe pool routers_insides { lb_mode rr member <router1>:0 member <router2>:0 }

Replace <router1> and <router2> with the internal IP addresses of the respective routers. Also note that this example uses the global round robin load balancing method.

Defining a pool for the servers

Next, define the pool server_pool for the nodes that handle the requests to virtual server 205.100.19.22:80:

bigpipe pool server_pool { lb_mode rr member <server1>:80 member <server2>:80 member <server3>:80 }

Replace <server1>, <server2>, and <server3> with the IP addresses of the respective servers. Also note that this example uses the global round robin load balancing method.

Defining a pool for all inbound traffic sources

Finally, define the pool inbound_sources for all machines that can originate traffic for the virtual server 205.100.19.22:80:

bigpipe pool inbound_sources { lb_mode rr member <vpn1>:80 member <vpn2>:80 member <vpn3>:80 member <router1>:80 member <router2>:80 member <server1>:80 member <server2>:80 member <server3>:80 }

Replace <vpn1>, <vpn2>, and <vpn3> with the internal IP addresses of the respective VPN routers. Replace <server1>, <server2>, and <server3> with the IP addresses of the respective servers. Replace <router1> and <router2> with the internal IP addresses of the respective routers. Also note that this example uses the global round robin load balancing method.

Defining the virtual servers for the additional internet connection

After you define the pools for the inside IP addresses of the routers, you can define the virtual servers for the redundant BIG-IP Controllers 2a and 2b.

  • Configure the redundant controllers to load balance inbound connections
  • Configure the redundant controllers to load balance outbound connections

Inbound configuration for the VPNs

First, configure the controllers to handle inbound traffic from the remote network.

Create the virtual server for controllers 2a and 2b with the following commands:

bigpipe vip 192.168.13.1:0 exp1 forward

bigpipe vip 192.168.13.2:0 exp1 forward

bigpipe vip 192.168.13.3:0 exp1 forward

Configure the virtual server to use the last hop pool with the inside VPN router addresses:

bigpipe vip 192.168.13.1:0 lasthop pool vpn_insides

bigpipe vip 192.168.13.2:0 lasthop pool vpn_insides

bigpipe vip 192.168.13.3:0 lasthop pool vpn_insides

Note that by using the last hop pool vpn_insides, only connections that originate from the remote network, through the VPNs, will be allowed to connect to the local 192.168.11 network.

Outbound configuration for the VPNs

Next, configure controllers 2a and 2b to handle outbound traffic. Create a virtual server that sends traffic to the pool you created for the internal interfaces of the VPN routers (vpn_insides). Use the following commands to create virtual servers for connecting to the machines on the remote network:

bigpipe vip 192.168.11.1:0 exp1 use pool vpn_insides

bigpipe vip 192.168.11.1:0 translate addr disable

bigpipe vip 192.168.11.2:0 exp1 use pool vpn_insides

bigpipe vip 192.168.11.2:0 translate addr disable

bigpipe vip 192.168.11.3:0 exp1 use pool vpn_insides

bigpipe vip 192.168.11.3:0 translate addr disable

The addresses 192.168.11.1, 192.168.11.2, and 192.168.11.3 correspond to the IBM Compatible, Tower box, and Mac Classic on the remote network in Figure 5.1, on page 5-2.

Inbound configuration for internet traffic

First, configure the controllers to handle inbound traffic.

Create the virtual server for controllers 1a and 1b with the following command:

bigpipe vip 205.100.92.22:80 use pool server_pool

Configure the virtual server to use the last hop pool with the routers' inside addresses:

bigpipe vip 205.100.92.22:http lasthop pool inbound_sources

Note that by using the last hop pool inbound_sources, this virtual server will accept connections that originate from either the remote network via the VPNs, or from the internet via the routers.

Outbound configuration for internet traffic

Next, configure controllers 1a and 1b to handle outbound traffic. Create a virtual server that sends traffic to the pool you created for the internal interfaces of the routers (routers_insides). Use the following command to create the virtual server:

bigpipe vip 0.0.0.0:0 exp1 use pool routers_insides
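Both configurations in this chapter depend on details that are easy to get wrong when the bigpipe commands are kept in a script: a virtual server that uses a pool whose members were defined with a service-check port must also disable port translation (the port-22 caveat above), a forwarding virtual server needs a last hop pool or return traffic is not sent back through the VPN that originated it, and every pool a virtual server names must actually have been defined. The following Python checker is an added example for this chapter, not F5 code: it parses only the `bigpipe pool` and `bigpipe vip` command forms used above, the member addresses in the embedded sample script are constructed, and the sample deliberately contains each of the three mistakes so that the checker has something to report.

```python
"""Static checks for a script of bigpipe (BIG-IP v3.x) commands.

Added example, not part of the F5 manual.  Reports three findings:

  UNDEFINED_POOL    a vip uses or lasthops to a pool that is never defined
  PORT_TRANSLATION  a vip uses a pool whose members carry a port that differs
                    from the vip's own port, without `translate port disable`
                    (the port-22 service-check caveat for vpn_insides)
  NO_LASTHOP        a forwarding vip has no last hop pool, so return traffic
                    is not sent back through the VPN that originated it
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

POOL_RE = re.compile(r"^bigpipe\s+pool\s+(\S+)\s*\{(.*)\}\s*$")
MEMBER_RE = re.compile(r"\bmember\s+(\S+):(\S+)")
VIP_RE = re.compile(r"^bigpipe\s+vip\s+(\S+):(\S+)\s+(.*)$")
# bigpipe accepts service names as well as numbers (the chapter uses :http);
# normalise the common ones so 205.100.92.22:80 and :http are the same vip.
NAMED_PORTS = {"http": "80", "https": "443", "ssh": "22", "ftp": "21"}


def norm_port(port: str) -> str:
    return NAMED_PORTS.get(port.lower(), port)


@dataclass
class Pool:
    name: str
    members: List[Tuple[str, str]]  # (address, normalised port)


@dataclass
class Vip:
    addr: str
    port: str
    forward: bool = False
    use_pool: Optional[str] = None
    lasthop_pool: Optional[str] = None
    translate_port_disabled: bool = False
    translate_addr_disabled: bool = False


@dataclass
class Finding:
    vip: str
    code: str
    message: str


def parse(script: str) -> Tuple[Dict[str, Pool], Dict[str, Vip]]:
    """Collect pools and vips; a vip accumulates attributes across several lines."""
    pools: Dict[str, Pool] = {}
    vips: Dict[str, Vip] = {}
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = POOL_RE.match(line)
        if m:
            name, body = m.groups()
            pools[name] = Pool(name, [(a, norm_port(p)) for a, p in MEMBER_RE.findall(body)])
            continue
        m = VIP_RE.match(line)
        if not m:
            continue  # interface commands and anything else are not checked
        addr, port, rest = m.groups()
        port = norm_port(port)
        vip = vips.setdefault(f"{addr}:{port}", Vip(addr, port))
        if re.search(r"\bforward\b", rest):
            vip.forward = True
        use = re.search(r"\buse\s+pool\s+(\S+)", rest)
        if use:
            vip.use_pool = use.group(1)
        last = re.search(r"\blasthop\s+pool\s+(\S+)", rest)
        if last:
            vip.lasthop_pool = last.group(1)
        if re.search(r"\btranslate\s+port\s+disable\b", rest):
            vip.translate_port_disabled = True
        if re.search(r"\btranslate\s+addr\s+disable\b", rest):
            vip.translate_addr_disabled = True
    return pools, vips


def check(script: str) -> List[Finding]:
    pools, vips = parse(script)
    findings: List[Finding] = []
    for key, vip in vips.items():
        for kind, ref in (("use", vip.use_pool), ("lasthop", vip.lasthop_pool)):
            if ref is not None and ref not in pools:
                findings.append(Finding(key, "UNDEFINED_POOL", f"{kind} pool '{ref}' is never defined"))
        pool = pools.get(vip.use_pool) if vip.use_pool else None
        if pool is not None and not vip.translate_port_disabled:
            # member port 0 is a wildcard; a member port equal to the vip port is harmless
            odd = sorted({p for _, p in pool.members if p not in ("0", vip.port)})
            if odd:
                findings.append(Finding(key, "PORT_TRANSLATION",
                    f"pool '{pool.name}' members use port(s) {odd}; without "
                    f"'translate port disable' connections would be rewritten to that port"))
        if vip.forward and vip.lasthop_pool is None:
            findings.append(Finding(key, "NO_LASTHOP",
                "forwarding vip has no lasthop pool; return traffic is not pinned to the originating VPN"))
    return findings


# Constructed sample based on the chapter's commands; the member addresses are
# made up, and three mistakes are planted on purpose (see the findings below).
SAMPLE_SCRIPT = """
bigpipe interface exp1 dest enable
bigpipe interface exp0 source enable
bigpipe pool vpn_insides { lb_mode rr member 192.168.11.201:22 member 192.168.11.202:22 member 192.168.11.203:22 }
bigpipe pool routers_insides { lb_mode rr member 192.168.11.251:0 member 192.168.11.252:0 }
bigpipe pool server_pool { lb_mode rr member 192.168.11.10:80 member 192.168.11.11:80 member 192.168.11.12:80 }
bigpipe vip 192.168.13.1:0 exp1 forward
bigpipe vip 192.168.13.1:0 lasthop pool vpn_insides
bigpipe vip 192.168.13.2:0 exp1 forward
bigpipe vip 192.168.11.1:0 exp1 use pool vpn_insides
bigpipe vip 192.168.11.1:0 translate addr disable
bigpipe vip 192.168.11.1:0 translate port disable
bigpipe vip 192.168.11.2:0 exp1 use pool vpn_insides
bigpipe vip 192.168.11.2:0 translate addr disable
bigpipe vip 205.100.92.22:80 use pool server_pool
bigpipe vip 205.100.92.22:http lasthop pool inbound_sources
bigpipe vip 0.0.0.0:0 exp1 use pool router_insides
"""

if __name__ == "__main__":
    for f in check(SAMPLE_SCRIPT):
        print(f"{f.vip:<20} {f.code:<17} {f.message}")
```

Run against the sample, the checker reports a missing last hop pool on 192.168.13.2:0, missing port-translation disable on 192.168.11.2:0 (its pool members carry port 22), an undefined inbound_sources pool on 205.100.92.22:80, and the misspelt router_insides pool on the 0.0.0.0:0 wildcard virtual server. Because vip attributes are accumulated across lines, the order of the `use pool`, `lasthop pool` and `translate` commands in the script does not matter, which matches how the chapter issues them.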