Full VPN setup with IP pool and routing via specific GW

[Kari Ruissalo]

Hi,

 

 

I'm building an SSL VPN setup for a customer. They have a couple of requirements that I need to address first:

• The connection needs to be Full VPN, so Split VPN is not an option, they want the endpoint web traffic to flow through the VPN connection and their web proxy
• The clients need to be assigned with an IP from a specific subnet and all traffic needs to be routed through that subnets GW address

 

... so it would look like this:

 

 

I've read through the article CTX216402 and the VPN is established. However, the user gets the IP from the assigned IP pool and can ping that pools gateway address as well as the NetScaler SNIP in that subnet, but on the ipconfig shows that the default route (for the VPN interface) points to GW address 10.0.0.1. I think I got this resolved in another case by applying a Policy Based Route, using following commands:

 

add ns pbr pbr_vpn.customer.com ALLOW -srcIP = 10.123.123.0-10.123.123.255 -destIP = 0.0.0.0-* -nextHop 10.123.123.1 -vlan 123 -priority 10 -kernelstate SFAPPLIED61
apply ns pbrs

 

This seems to be working if I turn of the Windows Firewall on the client, but if it's enabled, all access is denied. There's probably no way to push FW settings to the client using the Gateway plugin?

[Kari Ruissalo]

After I disabled the Windows Firewall and the re-enabled it the connections started flowing properly. I'll continue with other requirements (Always-on, quarantine and cert auth ...)

[Kari Ruissalo]

Now we're seeing constantly a "Gateway not reachable" -error on the client and can't even ping the subnet GW address. I just realized that could my issue be that I'm trying to use "an existing subnet" for the IP Pool?

 

Should I rather try defining a subnet which is not in the routing topology currently at all and then route to that network using NetScaler SNIP as the GW? I recall that this might have solved the issue in another case.

 

So, initially I was thinking of the following setup:

 

... but now that I'm thinking this a bit further, this might be closer to a working setup (?):

[Patrick Weichmann1709154577]

Hi,

 

I won't be much help to you as I'm struggling myself through the VPN Deployment ;)

 

But in my case using IIP in an existing network or in a dummy network worked without any issue. We have decided to use now a dummy network with a /22 to have enough IPs.

 

 

[Kari Ruissalo]

Got this one figured out. NetScaler needs to "own" the IP addresses and the surrounding routing configuration needs to reach that IP segment via NetScaler SNIP. I struggled to understand this same exact thing earlier and did the same now :D

[Derek Black]

Full VPN (No Split Tunnel)

 

The IIP (IP Pool) should be an unused/non-routable subnet.  You will need a static route on your layer 3 switches to direct traffic from your local resources (Intranet) to the SNIP of the NSG (where the traffic originated from) to prevent asymmetrical routing and ensure traffic is routed back to the NSG.

Here is Citrix's diagram of the traffic flow https://support.citrix.com/article/CTX233720

 

My diagram is of a two-arm deployment where the VIP lives in the DMZ.  Due to this we had to create a PBR to direct all traffic from the IIP range to the internal gateway so that external traffic would flow properly.  Without the PBR, external traffic was routed to the external firewall in the DMZ which detected it as being spoofed and dropped it.  From a security standpoint we didn't want our VPN clients "living" in the DMZ as there are nothing in the DMZ they need talk to and should not be talking directly to the external firewall.  We wanted the traffic to flow as if they they were on the LAN.

 

add ns pbr pbr_VPN_Clients  allow -srcip 10.10.10.0-10.10.10.255 -destip 0.0.0.0-255.255.255.255 -nexthop 192.168.1.253

 

 

[Kari Ruissalo]

Hi dblack84032,

 

 

That's something I learned during my tests as well. Just forgot about updating it to the discussions. Thanks for sharing!

[Tokio Marine Egypt]

Hello Guys,

Greetings,

 

Kindly i am asking for help regarding an issue with intranet IPs which you talked about earlier , i am having the a vpx netscale version 13 i created added the subnet to the netscaler on a test group and the users got it but i am missing how to configure the routes from netscaler and from our firewall (acting as router) we have the netscaler SNIP/NSIP and VIP in the same subnet 192.168.15.x and i gave the subnet 10.10.10.x , our vpx is working on our DMZ network and HA mode is not enabled, so i just need to know what i should route from and to , also notice that in the normal way without the IIP we are working fine and the netscaler can reach our firewall and routed to the internal network through the SNIP so if there is any info about how we can flow and route the traffic, it will be appreciated.