Forum Discussion
Node command troubles
Aaron
- BinaryCanary_19, Jan 09, 2014, Historic F5 Account
IPSec traffic doesn't play well with load balancing, or address translation of any kind. I don't think this is a wise approach.
In any case, if you are not load balancing, but merely using the BIGIP as a NAT device in-between, then you should be able to configure NAT traversal for your IPSec tunnel. You will need to read the documentation of the communicating peers to find out how to do that. Then you will need to open the necessary ports on the BIGIP.
- BinaryCanary_19, Jan 09, 2014, Historic F5 Account
The tcpdump snippet you have shared is not sufficient to make any deductions as to what is happening.
- LuisPuma_134788, Jan 10, 2014, Altostratus
Hello aFanen01,
You are right.
Even though I have an LTM/GTM load balancer and three links, I just configured one virtual server (public IP) to handle the VPN IPsec traffic. I just need to NAT the incoming and outgoing traffic. I will follow your advice. I will appreciate it if you can give any other suggestion after reading this. Thanks a lot.
Regards
LP
- LuisPuma_134788, Jan 13, 2014, Altostratus
Hello,
I followed this article http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-0/11.html?sr=34381625 even though it says that F5 is a peer VPN. The specifications of the VPN are:
IKE - PHASE 1
Encryption Scheme: IKE
Diffie-Hellman Group: DH 2 (1024 bits)
Encryption Algorithm: AES-256
Hashing Algorithm (Data Integrity): SHA1
Main or Aggressive Mode: MAIN
Lifetime (for renegotiation) in minutes: 480
IPSEC - PHASE 2
Encapsulation (ESP or AH): ESP
Data Encryption Algorithm: AES-256
Authentication Algorithm (Data Integrity): SHA1
Perfect Forward Secrecy DH Group: Disabled
Lifetime (for renegotiation) in seconds: 3600
Lifesize in KB (for renegotiation): Does not apply
Key Exchange For Subnets?: YES
Would I need to configure something in the IPSEC tab under Network option?
Thanks in advance
LP
- BinaryCanary_19, Jan 14, 2014, Historic F5 Account
Are you configuring IPSec between the F5 and another device, or is the F5 just a NAT device in between the actual IPSec peers?
- LuisPuma_134788, Jan 13, 2014, Altostratus
Just issued a capture. It shows that the F5 is always changing the port to the value 14270. xxx.xxx.xxx.xxx is the client IP and yyy.yyy.yyy.yyy is the virtual server configured in the F5.
[root@ns2:Active:Changes Pending] config tcpdump -n -i 0.0:nnn host xxx.xxx.xxx.xxx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0:nnn, link-type EN10MB (Ethernet), capture size 96 bytes
16:45:34.278919 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: parent_sa ikev2_init[I]
16:45:34.278935 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: parent_sa ikev2_init[I]
16:45:34.367242 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa ikev2_init[]
16:45:34.626446 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:39.553492 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:40.576115 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:41.592765 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:42.571266 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 I ident
16:45:42.571282 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 ? ident
16:45:42.663164 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: phase 2/others R inf
16:45:44.571349 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 I ident
16:45:44.571366 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 ? ident
16:45:44.643419 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
16:45:44.671446 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: phase 2/others R inf
16:45:46.571440 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 I ident
16:45:46.571456 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 ? ident
- BinaryCanary_19, Jan 14, 2014, Historic F5 Account
F5 changes the source port by default (ports are used for load-balancing traffic processing jobs internally). It should be possible to modify that behaviour by looking at the "Source Port Preserve" settings on the Virtual Server. However, I can't recall if ISAKMP is sensitive to source ports, so I'm not sure if that even matters. Note also that if you change the source-port preserve setting from default, you may also need to demote CMP for that VIP in order to avoid "packet loss". By demoting CMP, only CPU0/TMM0 will handle the traffic for that VIP, which is what you want when you disable source port translation. If you are concerned about the privacy of your IP addresses, you should create a support case.
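The source-port rewrite BinaryCanary describes (the virtual server sending ISAKMP out from port 14270 instead of 500) can be confirmed mechanically from a capture like the one posted above. The Python below is an added example, not code from the thread or from F5: it parses constructed tcpdump lines modelled on the posted capture (the addresses 10.1.1.20, 198.51.100.5 and 203.0.113.7 are assumed placeholders for the inside peer, the virtual server and the remote peer), pairs each pre-NAT packet with the post-NAT copy that follows it, reports any translated source port, and checks whether the remote peer ever answered with more than informational messages.

```python
import re

# Constructed sample modelled on the capture posted in the thread: each outbound message
# appears twice, pre-NAT from the inside peer and post-NAT from the virtual server address.
SAMPLE = """\
16:45:34.278919 IP 10.1.1.20.isakmp > 203.0.113.7.isakmp: isakmp: parent_sa ikev2_init[I]
16:45:34.278935 IP 198.51.100.5.14270 > 203.0.113.7.isakmp: isakmp: parent_sa ikev2_init[I]
16:45:34.367242 IP 203.0.113.7.isakmp > 198.51.100.5.14270: isakmp: parent_sa ikev2_init[]
16:45:34.626446 IP 203.0.113.7.isakmp > 198.51.100.5.14270: isakmp: parent_sa inf2
16:45:42.571266 IP 10.1.1.20.isakmp > 203.0.113.7.isakmp: isakmp: phase 1 I ident
16:45:42.571282 IP 198.51.100.5.14270 > 203.0.113.7.isakmp: isakmp: phase 1 ? ident
16:45:42.663164 IP 203.0.113.7.isakmp > 198.51.100.5.14270: isakmp: phase 2/others R inf
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\w.]+)\.(?P<sport>\w+) > "
                     r"(?P<dst>[\w.]+)\.(?P<dport>\w+): isakmp: (?P<msg>.+)$")
PORT_NAMES = {"isakmp": 500, "ipsec-nat-t": 4500}  # names tcpdump prints for UDP 500/4500

def parse_capture(text):
    """One dict per isakmp line; tcpdump banner lines do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["sport"] = PORT_NAMES.get(r["sport"]) or int(r["sport"])
            r["dport"] = PORT_NAMES.get(r["dport"]) or int(r["dport"])
            records.append(r)
    return records

def nat_mappings(records, inside_peer):
    """Pair each pre-NAT packet from inside_peer with the post-NAT copy that immediately
    follows it to the same destination: {(in_ip, in_port): (out_ip, out_port)}."""
    mappings = {}
    for before, after in zip(records, records[1:]):
        if (before["src"] == inside_peer and after["src"] != inside_peer
                and (after["dst"], after["dport"]) == (before["dst"], before["dport"])):
            mappings[(before["src"], before["sport"])] = (after["src"], after["sport"])
    return mappings

def translated_ports(mappings):
    """Outside source ports other than 500/4500: the symptom Source Port Preserve addresses."""
    return sorted({out[1] for out in mappings.values() if out[1] not in (500, 4500)})

def responder_progress(records, remote_peer):
    """Count the remote peer's replies and whether phase 1 ever got past notify/inf."""
    replies = [r["msg"] for r in records if r["src"] == remote_peer]
    info = [m for m in replies if m.split()[-1].startswith("inf")]
    return {"replies": len(replies), "informational": len(info),
            "phase1_responder_seen": any("phase 1 R" in m for m in replies)}
```

On the sample this yields the single mapping 10.1.1.20:500 to 198.51.100.5:14270 and a responder that only ever sent informational messages, which is the pattern to look for before and after changing the Source Port setting on the virtual server.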