Forum Discussion

I_R_101_110's avatar
Mar 30, 2022

BIG-IP Sourced Traffic Over IPSec

Good afternoon team,

I am attempting to build an IPSec tunnel between F5's in a multi-cloud environment. Phase 1 comes up but I cannot seem to make my traffic match the traffic selectors. I've tried using several different traffic selectors such as pairs that match self IP on the interfaces, self IP's on the tunnel interfaces, all zeroes to force a route based VPN. Even though I explicily source my pings, traffic never matches the traffic selector.  I get zero hits on the traffic selector and tcpdumps reveal that no ESP packets are sent; only IPSec negotiation packets.


I just want to know that it's possible to source traffic on the same F5 that the tunnel is built on. I have been successful with other IPSec tunnels with the F5 but never where the F5 is the traffic source.  IPSec on the F5 has always been almost the most convoluted out of all vendors (except for perhaps CP) so it wouldn't surprise me that I am trying for something that isn't even possible. Please community, confirm for me one way or the other. 

Kind regards,


2 Replies

  • In your config there should be a VLAN assocated with the tunnel and you should have a self-ip associated with it.  For example let's assume you have a VLAN named TUNNEL_VLAN and you have an address range of and have assinged to the BIG-IP you are logged in as and you have assinged to the remote end.  The traffic selector you have configured at least encompasses that range:

    net ipsec traffic-selector selector-vpn-a5294dfd-0 {


        ipsec-policy ipsec-policy-vpn-a5294dfd-0

        partition LOCAL_ONLY


    And asssuming the rest of you BIG-IP VPN config looks correct (this is an example of a BIG-IP in AWS setting up an IPSEC tunnel), and you are allowing ICMP on your self-IPs.

    net ipsec ike-peer peer-vpn-a5294dfd-0 {

        lifetime 480

        nat-traversal on

        phase1-auth-method pre-shared-key

        phase1-encrypt-algorithm aes128

        preshared-key-encrypted $M$uF$m+crQ1tis.....

        remote-address X.X.X.X

        version { v1 }


    net ipsec ipsec-policy ipsec-policy-vpn-a5294dfd-0 {

        ike-phase2-auth-algorithm sha1

        ike-phase2-encrypt-algorithm aes128

        ike-phase2-lifetime 60

        ike-phase2-perfect-forward-secrecy modp1024

        mode interface

        partition LOCAL_ONLY


    Then the following command should put traffic from your BIG-IP onto the tunnel matching the selector -


  • You can do this but but first I would recommend two things:

    1. Use IKEv2
    2. Use Route-based tunnels only with a traffic selector of for both the source and destination.

    I have yet to come across a piece of equipment where we are unable to successfully build a IKEv2 route-based tunnel. Do take note of

    There are two ways to route traffic into the tunnel:

    1. Routes are created on the Big-IP to funnel traffic into the appropriate tunnel. One issue with this solution is that if you have multiple tunnels terminating on the same Big-IP then traffic can flow from one tunnel to the other based on these routes. This may be good or bad depending on your requirement.

    2. A virtual server is created for each of the individual routes that must be reached through the tunnel on the remote network. This virtual server will have a pool with one member which points to the far end of the transport tunnel. The virtual server will also listen only to the source IP and/or vlan you choose. Use this option if you want to ensure that traffic cannot flow between tunnels.