VPN Load Balancing on the CSM


You can load balance VPN connections across the CSM to increase the performance and provide redundancy to your VPN termination devices. Example 11-15 gives a dispatch-mode CSM VPN load balancing configuration.

Example 11-15. Configuring VPN Load Balancing on the CSM

serverfarm vpn-farm
 no nat server
 no nat client
 real 10.1.10.10
  inservice
 real 10.1.10.12
  inservice
sticky 5 netmask 255.255.255.255 timeout 60
policy vpn-policy
 sticky-group 5
 serverfarm vpn-farm
vserver vpn-ah
 virtual 10.1.10.100 51
 slb-policy vpn-policy
 inservice
vserver vpn-esp
 virtual 10.1.10.100 50
 slb-policy vpn-policy
 inservice
vserver vpn-ike
 virtual 10.1.10.100 udp 500
 slb-policy vpn-policy
 inservice

Note

The CSS does not support VPN load balancing because it does not understand the IPSec protocols.


To configure your CSM for VPN load balancing, you must create virtual servers for the Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE) protocols. Similar to SSL, IPsec-based VPNs use multiple TCP connections to establish VPN sessions. Therefore, to ensure that clients stick to the same VPN concentrator across TCP connections, you should configure source IP address stickiness using the sticky netmask command.
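A small configuration check for the requirement above, as an added example that is not from the book or from Cisco: it parses a CSM configuration and reports AH, ESP, or IKE virtual servers on a given virtual IP that are missing or do not share one defined sticky group and server farm. The function names and the indentation-based parsing (sub-commands indented under their parent command) are assumptions of this example.

```python
import re

# Constructed sample based on Example 11-15 (real-server lines omitted for brevity).
CONFIG = """\
serverfarm vpn-farm
 no nat server
 no nat client
sticky 5 netmask 255.255.255.255 timeout 60
policy vpn-policy
 sticky-group 5
 serverfarm vpn-farm
vserver vpn-ah
 virtual 10.1.10.100 51
 slb-policy vpn-policy
 inservice
vserver vpn-esp
 virtual 10.1.10.100 50
 slb-policy vpn-policy
 inservice
vserver vpn-ike
 virtual 10.1.10.100 udp 500
 slb-policy vpn-policy
 inservice
"""

# Protocols that each need a virtual server on the VPN virtual IP.
REQUIRED = {"51": "AH", "50": "ESP", "udp 500": "IKE"}

def parse(config):
    """Map each top-level command line to its list of indented sub-commands."""
    return {b.splitlines()[0]: [l.strip() for l in b.splitlines()[1:]]
            for b in re.split(r"\n(?=\S)", config.strip())}

def check_vpn_stickiness(config, vip):
    """Return findings if AH/ESP/IKE vservers on `vip` lack one shared sticky group."""
    blocks = parse(config)
    groups = {k.split()[1] for k in blocks if k.startswith("sticky ")}
    seen, findings = {}, []
    for head, cmds in blocks.items():
        opts = dict(c.split(" ", 1) for c in cmds if " " in c)
        if head.startswith("vserver ") and opts.get("virtual", "").startswith(vip + " "):
            policy = blocks.get("policy " + opts.get("slb-policy", ""), [])
            pol = dict(c.split(" ", 1) for c in policy if " " in c)
            seen[opts["virtual"][len(vip) + 1:]] = (pol.get("sticky-group"), pol.get("serverfarm"))
            if pol.get("sticky-group") not in groups:
                findings.append(f"{head}: policy has no defined sticky group")
    findings += [f"no vserver for {n} ({p}) on {vip}" for p, n in REQUIRED.items() if p not in seen]
    if len(set(seen.values())) > 1:
        findings.append("vservers do not share one sticky group and server farm")
    return findings
```

Calling `check_vpn_stickiness(CONFIG, "10.1.10.100")` on the sample returns an empty list; removing the `sticky-group 5` line from the policy produces one finding per virtual server.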

Note

If you want to configure directed-mode VPN load balancing, simply enter the command nat server in server farm configuration mode. Be cautious when rewriting fields within VPN traffic on your content switch because many VPN protocols have security features that protect the integrity of VPN messages.




Content Networking Fundamentals
ISBN: 1587052407
Pages: 178