Prior to LoadMaster firmware version 7.2.53, the LoadMaster only supported policy-based Virtual Private Networks (VPNs). As of LoadMaster version 7.2.53, route-based VPN support has been introduced. The route-based VPN functionality is available as an add-on pack which you can download from the LoadMaster Add-on Packages page. When you have the add-on file, install it in System Configuration > System Administration > Update Software. Reboot the LoadMaster after installing the add-on to activate it (System Configuration > System Administration > System Reboot).

Note: The route-based VPN add-on is only supported in firmware version 7.2.53 and above.
Note: The LoadMaster route-based VPN functionality is based on the strongSwan IPsec VPN solution. For more details, refer to the strongSwan documentation at https://www.strongswan.org/.

After installing the add-on and rebooting the LoadMaster, a new main menu option becomes available: System Configuration > Network Setup > Route Based VPN. Specify a unique name to identify the connection and click Create.

After configuring the details of the VPN connection, you can also see the Connection Debug options:

  • Stop and start the IPsec daemon on the LoadMaster.

  • Display the connection status.

  • Display routes.

  • Show logs.

Connection Name

Specify a unique name to identify the connection.

Create

Create a uniquely identifiable connection with the specified name.

View/Modify

View or modify the configuration parameters for this connection.

Delete

Delete this connection.

Note: Ensure the Connection Name is the same as the connection name in the ipsec.conf file you will be uploading.
Note: The Connection Name must be at least three and at most 20 characters in length. Valid characters are a-z, A-Z, 0-9, _, and -.

After initially creating the connection, you must upload the connection configuration, route configuration, and secrets files in the standard strongSwan format. These files support multiple configuration options, so you can configure strongSwan IPsec to suit your requirements.

Note: Ensure that the left IP address in the ipsec.conf file is set to your LoadMaster IP address (eth0).

Once the files have been uploaded and validated, the Connection Details are shown in the fields on the View/Modify VPN Connection screen.

View/Modify VPN Connection

Local IP Address

Display the IP address for the local side of the connection.

In non-HA mode, the Local IP Address should be the LoadMaster IP address, that is, the IP address of the default gateway interface.

In HA mode, the Local IP Address should be the shared IP address. This is automatically populated if HA has already been configured. For more information on setting up tunneling in an HA configuration, refer to the next section.

Local Subnet(s)

Display the Local Subnet(s) for the local side of the connection.

Remote IP Address

Display the IP address for the remote side of the connection. In the context of an Azure endpoint, this IP address is expected to be the public-facing IP address for the Virtual Private Network (VPN) Gateway device.

Remote Subnet(s)

Display the subnet for the remote side of the connection.

Connection Config file

Click Choose File, browse to and select the file, and click Update Config. The configuration file contains a conn %default section that holds the default values for all configured IPsec connections. This configuration is passed directly to the strongSwan IPsec engine. The Connection Config file has the following format:

conn %default
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    ikelifetime=28800s
    #keylife=20m
    keylife=1d
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=yes
    ike=aes256-sha384-ecp384
    esp=aes256-sha384-ecp384,aes256gcm16

conn routevpn
    left=10.35.45.170
    leftsubnet=10.35.99.170/32
    right=65.51.241.146
    rightsubnet=10.0.70.1/32
    leftid=78.56.45.56
    rightid=%any
    mark=1
    auto=start
    ikelifetime=1h
    lifetime = 1h
    margintime = 9m
    rekeyfuzz = 100%
    ike=aes256gcm16-sha384-modp2048
    esp=aes256gcm16-sha384-modp2048

Route Config file

Click Choose File, browse to and select the file, and click Update Route. The Route Config file contains the routing information used to route packets to a specific remote network through the IPsec tunnel. Each entry in the Route Config file has the following format:

<LEFT IP> <RIGHT IP> <REMOTE NETWORK> <SOURCE IP>

Secrets file

Click Choose File, browse to and select the file, and click Update Secrets. The Secrets file contains the remote and local endpoint addresses and the secret used to communicate with the remote endpoint. An example of the Secrets file format is:

10.35.45.170 65.51.241.146 %any: PSK "fE31$I#%w&"
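
The following pre-upload check is an added example, not part of the LoadMaster product or the original documentation. It verifies that the three files agree with each other and with the notes above: the Connection Name rule, a matching conn section, and left set to the LoadMaster IP address. The function names parse_conns and check_upload are hypothetical, and the script assumes one whitespace-separated route entry per line whose first two fields match left and right.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9_-]{3,20}")  # Connection Name rule from the page

def parse_conns(text):
    """Return {conn name: {parameter: value}} from ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments such as #keylife=20m
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_upload(name, lm_ip, conf, routes, secrets):
    """Return a list of problems found in the three files before upload."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name: must be 3-20 characters from a-z, A-Z, 0-9, _ and -")
    conn = parse_conns(conf).get(name)
    if conn is None:
        return problems + [f"ipsec.conf: no 'conn {name}' section"]
    left, right = conn.get("left"), conn.get("right")
    if left != lm_ip:
        problems.append(f"ipsec.conf: left={left} is not the LoadMaster IP {lm_ip}")
    rows = [l.split() for l in routes.splitlines() if l.strip()]
    for n, fields in enumerate(rows, 1):
        if len(fields) != 4:
            problems.append(f"routes entry {n}: expected 4 fields, got {len(fields)}")
        elif fields[:2] != [left, right]:  # assumption: endpoints mirror left/right
            problems.append(f"routes entry {n}: endpoints differ from left/right")
    selectors = [l.split(":", 1)[0].split() for l in secrets.splitlines() if " PSK " in l]
    if not any(left in s and right in s for s in selectors):
        problems.append("secrets: no PSK entry for this left/right pair")
    return problems

# Constructed sample files; addresses reuse the page's example, the PSK is a placeholder.
CONF = """conn %default
    keyexchange=ikev2
    authby=secret
conn routevpn
    left=10.35.45.170
    right=65.51.241.146
    mark=1
"""
ROUTES = "10.35.45.170 65.51.241.146 10.0.70.1/32 10.35.99.170\n"
SECRETS = '10.35.45.170 65.51.241.146 %any: PSK "<placeholder-psk>"\n'
```

Calling check_upload("routevpn", "10.35.45.170", CONF, ROUTES, SECRETS) returns an empty list when the files are consistent; each returned string names the file and the mismatch to fix before uploading.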

Show IPsec Status

You can display the connection status by clicking IPSec Status.

Show Logs

You can display the connection logs by clicking Logs.