VPN Load Balancing on the CSM

You can load balance VPN connections across the CSM to increase the performance and provide redundancy to your VPN termination devices. Example 11-15 gives a dispatch-mode CSM VPN load balancing configuration.

Example 11-15. Configuring VPN Load Balancing on the CSM
serverfarm vpn-farm
  no nat server
  no nat client
  real 10.1.10.10
   inservice
  real 10.1.10.12
   inservice

sticky 5 netmask 255.255.255.255 timeout 60

policy vpn-policy
  sticky-group 5
  serverfarm vpn-farm

vserver vpn-ah
  virtual 10.1.10.100 51
  slb-policy vpn-policy
  inservice

vserver vpn-esp
  virtual 10.1.10.100 50
  slb-policy vpn-policy
  inservice

vserver vpn-ike
  virtual 10.1.10.100 udp 500
  slb-policy vpn-policy
  inservice

Note

The CSS does not support VPN load balancing because it does not understand the IPsec protocols.


To configure your CSM for VPN load balancing, you must create virtual servers for the Authentication Header (AH), Encrypted Security Payload (ESP), and Internet Key Exchange (IKE) protocols. Similar to SSL, IPsec-based VPNs use multiple TCP connections to establish VPN sessions. Therefore, to ensure that clients stick to the same VPN concentrator across TCP connections, you should configure source IP address stickiness using the sticky netmask command.

Note

If you want to configure directed-mode VPN load balancing, simply enter the command nat server in server farm configuration mode. Be cautious when rewriting fields within VPN traffic on your content switch because many VPN protocols have security features that protect the integrity of VPN messages.




Preventing Connection Table Flooding using SYN-Cookies

To avoid filling up its connection table during SYN-flood-based Denial of Service (DoS) attacks, the CSM uses SYN-cookies, which were covered briefly in Chapter 4. In a SYN-flood attack, the attacker sets random source IP addresses in numerous SYN packets that it sends to its victim. The victim receives each SYN packet, creates an entry in its connection table, responds with a TCP SYN-ACK packet, and awaits the final ACK segment from the sender. The final segment never arrives. Thus, the victim's connection table fills very quickly with incomplete TCP connection entries.

However, with SYN-cookies, instead of allocating a record for every SYN segment from its clients, the CSM sends SYN-ACK segments with carefully constructed sequence numbers generated as a hash of the connection's 4-tuple, the Maximum Segment Size (MSS), and a secret that changes continuously over time. The connection 4-tuple contains the source and destination IP addresses and the source and destination ports. When valid clients respond to the SYN-ACK with an ACK, they include this special sequence number, which the CSM can verify before creating the connection entry. Without SYN-cookies, the CSM creates connection entries when it receives the initial SYN packet from clients. With SYN-cookies, the CSM creates the connection entry only when it verifies the client's ACK segment that completes the connection. Because SYN-flood attackers typically do not respond to SYN-ACK segments, the SYN-flood traffic does not flood the CSM's connection table. Figure 11-7 illustrates SYN-cookies in practice.

Figure 11-7. Using SYN-Cookies to Prevent SYN-Flood Traffic from Flooding the CSM Connection Table
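The scheme described above, as an added illustration that is not the CSM's actual cookie format and not code from the book: the SYN-ACK sequence number packs a time counter, an MSS index and a keyed hash of the 4-tuple; the hashing secret rotates with the time counter; and a connection-table entry is created only once the client's ACK carries a cookie that verifies. The bit layout, addresses, ports and secret are constructed assumptions.

```python
import hashlib
import hmac
import random

# Assumed cookie layout (modelled on the classic SYN-cookie scheme, not a
# CSM internal): 5 bits of time counter | 3 bits MSS index | 24 bits of hash.
MSS_TABLE = (536, 1024, 1460, 4312)          # MSS values the index can encode
MASTER_SECRET = b"constructed-demo-secret"   # constructed, not a real key

def _cookie_hash(saddr, daddr, sport, dport, t):
    """24-bit keyed hash of the 4-tuple under the secret for time slot t."""
    slot_key = hmac.new(MASTER_SECRET, str(t).encode(), hashlib.sha256).digest()
    msg = f"{saddr}|{daddr}|{sport}|{dport}".encode()
    return int.from_bytes(hmac.new(slot_key, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, daddr, sport, dport, mss, t):
    """Initial sequence number to place in the SYN-ACK; no state is stored."""
    idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)
    return ((t & 0x1F) << 27) | (idx << 24) | _cookie_hash(saddr, daddr, sport, dport, t)

def check_cookie(saddr, daddr, sport, dport, ack, now, max_age=2):
    """Validate the client's ACK; return the recovered MSS, or None if bogus or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the ACK acknowledges our ISN + 1
    t = cookie >> 27
    if (now - t) & 0x1F > max_age:           # the secret has rotated too far
        return None
    if (cookie & 0xFFFFFF) != _cookie_hash(saddr, daddr, sport, dport, t):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]

def simulate(flood_syns, now=7):
    """Flood with spoofed SYNs that never ACK, then complete one real handshake."""
    conn_table = {}
    vip = ("10.1.10.100", 443)               # constructed virtual server address
    for _ in range(flood_syns):              # attacker: random sources, no ACK
        src = (f"203.0.113.{random.randrange(256)}", random.randrange(1024, 65535))
        make_cookie(src[0], vip[0], src[1], vip[1], 1460, now)   # SYN-ACK sent, no state
    client = ("192.0.2.10", 40000)           # constructed legitimate client
    isn = make_cookie(client[0], vip[0], client[1], vip[1], 1460, now)
    mss = check_cookie(client[0], vip[0], client[1], vip[1], isn + 1, now)
    if mss is not None:
        conn_table[(client, vip)] = mss      # entry created only after a valid ACK
    return len(conn_table)
```

After thousands of spoofed SYNs the table holds exactly one entry, the completed handshake, because the flood never produced a verifiable ACK.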




Summary

In this chapter, you learned how to configure the following technologies on your content switches:

  • Secure Sockets Layer (SSL) Termination: You learned how to configure your CSS and CSM to terminate SSL connections on behalf of clients.

  • Firewall Load Balancing (FWLB): You learned how to configure your CSS and CSM to distribute client traffic across multiple firewalls.

  • Virtual Private Network (VPN) Load Balancing: You learned how to configure your CSM to distribute client traffic across multiple VPN concentrators.

  • SYN-Cookies for SYN-Flood Protection: You learned how the CSM uses SYN-cookies to prevent SYN-flood attacks from flooding the CSM's connection table.

Content switching enables you to increase the performance of your SSL, firewall, and VPN devices, in terms of packets per second, connections per second, and bandwidth. You can also increase the scalability of these devices with content switching technologies.