F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

I_R_101_110's avatar
I_R_101_110
Icon for Cirrus rankCirrus
Mar 29, 2022

BIG-IP Sourced Traffic Over IPSec

Good afternoon team, I am attempting to build an IPSec tunnel between F5's in a multi-cloud environment. Phase 1 comes up but I cannot seem to make my traffic match the traffic selectors. I've tried...
application delivery
cloud
Heath_Parrott's avatar
Heath_Parrott
Ret. Employee
Mar 31, 2022

In your config there should be a VLAN assocated with the tunnel and you should have a self-ip associated with it.  For example let's assume you have a VLAN named TUNNEL_VLAN and you have an address range of 172.16.1.0/30 and have assinged 172.16.1.1 to the BIG-IP you are logged in as and you have assinged 172.16.1.2 to the remote end.  The traffic selector you have configured at least encompasses that range:

net ipsec traffic-selector selector-vpn-a5294dfd-0 {

    destination-address 172.16.1.0/30

    ipsec-policy ipsec-policy-vpn-a5294dfd-0

    partition LOCAL_ONLY

    source-address 172.16.1.0/30

And asssuming the rest of you BIG-IP VPN config looks correct (this is an example of a BIG-IP in AWS setting up an IPSEC tunnel), and you are allowing ICMP on your self-IPs.

net ipsec ike-peer peer-vpn-a5294dfd-0 {

    lifetime 480

    nat-traversal on

    phase1-auth-method pre-shared-key

    phase1-encrypt-algorithm aes128

    preshared-key-encrypted $M$uF$m+crQ1tis.....

    remote-address X.X.X.X

    version { v1 }

}

net ipsec ipsec-policy ipsec-policy-vpn-a5294dfd-0 {

    ike-phase2-auth-algorithm sha1

    ike-phase2-encrypt-algorithm aes128

    ike-phase2-lifetime 60

    ike-phase2-perfect-forward-secrecy modp1024

    mode interface

    partition LOCAL_ONLY

}

Then the following command should put traffic from your BIG-IP onto the tunnel matching the selector -

PING -I TUNNEL_VLAN 172.16.1.2