Kari Ruissalo Posted July 3, 2018

Hi, I'm building an SSL VPN setup for a customer. They have a couple of requirements that I need to address first:

- The connection needs to be Full VPN, so Split VPN is not an option; they want the endpoint web traffic to flow through the VPN connection and their web proxy.
- The clients need to be assigned an IP from a specific subnet, and all traffic needs to be routed through that subnet's GW address.

... so it would look like this:

I've read through the article CTX216402 and the VPN is established. However, the user gets the IP from the assigned IP pool and can ping that pool's gateway address as well as the NetScaler SNIP in that subnet, but ipconfig shows that the default route (for the VPN interface) points to the GW address 10.0.0.1.

I think I got this resolved in another case by applying a Policy Based Route, using the following commands:

add ns pbr pbr_vpn.customer.com ALLOW -srcIP = 10.123.123.0-10.123.123.255 -destIP = 0.0.0.0-* -nextHop 10.123.123.1 -vlan 123 -priority 10 -kernelstate SFAPPLIED61
apply ns pbrs

This seems to be working if I turn off the Windows Firewall on the client, but if it's enabled, all access is denied. There's probably no way to push FW settings to the client using the Gateway plugin?
Kari Ruissalo (Author) Posted July 3, 2018

After I disabled the Windows Firewall and then re-enabled it, the connections started flowing properly. I'll continue with the other requirements (Always-on, quarantine and cert auth ...).
Kari Ruissalo (Author) Posted July 6, 2018

Now we're constantly seeing a "Gateway not reachable" error on the client and can't even ping the subnet GW address. I just realized: could my issue be that I'm trying to use "an existing subnet" for the IP Pool? Should I rather try defining a subnet which is not in the routing topology at all currently, and then route to that network using the NetScaler SNIP as the GW? I recall that this might have solved the issue in another case.

So, initially I was thinking of the following setup:

... but now that I'm thinking about this a bit further, this might be closer to a working setup (?):
Patrick Weichmann1709154577 Posted August 6, 2018

Hi, I won't be much help to you as I'm struggling myself through the VPN deployment ;) But in my case, using IIP in an existing network or in a dummy network worked without any issue. We have now decided to use a dummy network with a /22 to have enough IPs.
Kari Ruissalo (Author) Posted August 6, 2018

Got this one figured out. NetScaler needs to "own" the IP addresses, and the surrounding routing configuration needs to reach that IP segment via the NetScaler SNIP. I struggled to understand this same exact thing earlier and did the same now :D
Derek Black Posted April 18, 2019

Full VPN (No Split Tunnel)

The IIP (IP Pool) should be an unused/non-routable subnet. You will need a static route on your layer 3 switches to direct traffic from your local resources (Intranet) to the SNIP of the NSG (where the traffic originated from) to prevent asymmetrical routing and ensure traffic is routed back to the NSG.

Here is Citrix's diagram of the traffic flow: https://support.citrix.com/article/CTX233720

My diagram is of a two-arm deployment where the VIP lives in the DMZ. Due to this we had to create a PBR to direct all traffic from the IIP range to the internal gateway so that external traffic would flow properly. Without the PBR, external traffic was routed to the external firewall in the DMZ, which detected it as being spoofed and dropped it. From a security standpoint we didn't want our VPN clients "living" in the DMZ, as there is nothing in the DMZ they need to talk to, and they should not be talking directly to the external firewall. We wanted the traffic to flow as if they were on the LAN.

add ns pbr pbr_VPN_Clients allow -srcip 10.10.10.0-10.10.10.255 -destip 0.0.0.0-255.255.255.255 -nexthop 192.168.1.253
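The routing rules the thread converges on (the pool must be a subnet nobody else routes, the network must reach it via a NetScaler SNIP, and in a two-arm deployment a PBR must cover the whole pool and point at the internal gateway) can be checked before a deployment. The script below is an added example, not code from the thread or from Citrix; all addresses in it are constructed and the check list is my reading of the posts above.

```python
"""Sanity-check a NetScaler Gateway full-VPN Intranet IP (IIP) plan.

Added example, not code from the thread or from Citrix.  It encodes the
rules the posters converged on: the IIP pool must not be a subnet that is
already routed elsewhere, the surrounding network must reach that pool
via a NetScaler SNIP (static route on the L3 switch), and for a two-arm
deployment a PBR must match the whole pool and point at the internal
gateway.  Sample addresses are constructed and only illustrate the checks.
"""
import ipaddress as ip


def _nets(spec):
    """Parse a NetScaler-style 'a.b.c.d-w.x.y.z' range or a CIDR into networks."""
    if "-" in spec:
        lo, hi = (ip.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ip.summarize_address_range(lo, hi))
    return [ip.ip_network(spec)]


def check_iip_plan(iip_pool, snips, routed_subnets, return_routes, pbr):
    """Return a list of findings; an empty list means the plan looks sane.

    iip_pool       -- VPN client pool as CIDR, e.g. "10.10.10.0/24"
    snips          -- NetScaler SNIP addresses
    routed_subnets -- subnets already present in the LAN/DMZ routing table
    return_routes  -- (destination CIDR, next hop) pairs on the L3 switch
    pbr            -- {'srcip': range, 'destip': range, 'nexthop': address}
    """
    findings = []
    pool = ip.ip_network(iip_pool)
    snip_addrs = [ip.ip_address(s) for s in snips]
    routed = [ip.ip_network(n) for n in routed_subnets]
    # 1. Pool must not overlap an existing subnet: otherwise replies are
    #    delivered on the LAN instead of to the gateway (asymmetric routing).
    for net in routed:
        if pool.overlaps(net):
            findings.append(f"IIP pool {pool} overlaps routed subnet {net}")
    # 2. Each SNIP must be reachable, i.e. live in a routed subnet.
    for s in snip_addrs:
        if not any(s in net for net in routed):
            findings.append(f"SNIP {s} is not in any routed subnet")
    # 3. The L3 switch needs a static route for the pool whose next hop is a SNIP.
    if not any(ip.ip_network(d) == pool and ip.ip_address(h) in snip_addrs
               for d, h in return_routes):
        findings.append(f"no return route for {pool} via a SNIP")
    # 4. The PBR must match all pool traffic to any destination and hand it to
    #    a next hop on a subnet the NetScaler itself has a SNIP on.
    if not any(pool.subnet_of(n) for n in _nets(pbr["srcip"])):
        findings.append(f"PBR srcIP {pbr['srcip']} does not cover pool {pool}")
    if ip.ip_network("0.0.0.0/0") not in _nets(pbr["destip"]):
        findings.append("PBR destIP must be 0.0.0.0-255.255.255.255 for full VPN")
    hop = ip.ip_address(pbr["nexthop"])
    if not any(hop in net and s in net for net in routed for s in snip_addrs):
        findings.append(f"PBR nexthop {hop} shares no subnet with a SNIP")
    return findings
```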
Kari Ruissalo (Author) Posted May 29, 2019

Hi dblack84032, that's something I learned during my tests as well. I just forgot about updating the discussion with it. Thanks for sharing!
Tokio Marine Egypt Posted July 13, 2020

Hello guys, greetings. Kindly, I am asking for help regarding an issue with intranet IPs, which you talked about earlier. I am running a VPX NetScaler version 13. I created and added the subnet to the NetScaler on a test group and the users got it, but I am missing how to configure the routes from the NetScaler and from our firewall (acting as router). We have the NetScaler SNIP/NSIP and VIP in the same subnet, 192.168.15.x, and I gave the subnet 10.10.10.x. Our VPX is working on our DMZ network and HA mode is not enabled, so I just need to know what I should route from and to. Also note that in the normal way, without the IIP, we are working fine and the NetScaler can reach our firewall and is routed to the internal network through the SNIP. So if there is any info about how we can flow and route the traffic, it will be appreciated.