
LuisPuma_134788
Jan 08, 2014

Checkpoint IPSec Error

Hello friends,

I just deployed F5 to load balance incoming IPSec traffic which belongs to a tunnel between two Checkpoint devices.

By issuing a capture in the virtual server of the F5, I got this:

12:18:33.214921 IP 100.xxx.xxx.tempest-port > 245.x.x.x.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I] out slot1/tmm7 lis= flowtype=129 flowid=5585D433C000 peerid=YYYYYYYYYYY conflags=224 inslot=63 inport=55 haunit=1 peerremote=AAAAAAAAAAAA peerlocal=ZZZZZZZZZZZZZZZZ remoteport=4500 localport=4500 proto=17 vlan=4094

Any suggestion to solve this?

Thanks in advance.

LP

7 Replies

  • BinaryCanary_19
    Historic F5 Account

    IPSec traffic doesn't play well with load balancing, or address translation of any kind. I don't think this is a wise approach.

    In any case, if you are not load balancing, but merely using the BIGIP as a NAT device in-between, then you should be able to configure NAT traversal for your IPSec tunnel. You will need to read the documentation of the communicating peers to find out how to do that. Then you will need to open the necessary ports on the BIGIP.


  • BinaryCanary_19
    Historic F5 Account
    The tcpdump snippet you have shared is not sufficient to make any deductions as to what is happening.
  • Hello aFanen01,

    You are right.

    Even though I have an LTM/GTM load balancer and three links, I just configured one virtual server (Public IP) to handle the VPN IPsec traffic. I just need to NAT the incoming and outgoing traffic. I will follow your advice. I would appreciate it if you can give any other suggestion after reading this. Thanks a lot.

    Regards

    LP


  • Hello,

    I followed up this article http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-0/11.html?sr=34381625 even though it says that F5 is a VPN peer. The specifications of the VPN are:

    IKE - PHASE 1
    Encryption Scheme: IKE
    Diffie-Hellman Group: DH 2 (1024 bits)
    Encryption Algorithm: AES-256
    Hashing Algorithm (Data Integrity): SHA1
    Main or Aggressive Mode: MAIN
    Lifetime (for renegotiation) in minutes: 480

    IPSEC - PHASE 2
    Encapsulation (ESP or AH): ESP
    Data Encryption Algorithm: AES-256
    Authentication Algorithm (Data Integrity): SHA1
    Perfect Forward Secrecy DH Group: Disabled
    Lifetime (for renegotiation) in seconds: 3600
    Lifesize in KB (for renegotiation): Does not apply
    Key Exchange For Subnets?: YES

    Would I need to configure something in the IPSEC tab under the Network option?

    Thanks in advance

    LP


    • BinaryCanary_19
      Historic F5 Account
      Are you configuring IPSec between the F5 and another device, or is the F5 just a NAT device in between the actual IPSec peers?
  • Just issued a capture. It shows that the F5 is always changing the port to the value 14270. xxx.xxx.xxx.xxx is the client IP and yyy.yyy.yyy.yyy is the virtual server configured in the F5.

    [root@ns2:Active:Changes Pending] config  tcpdump -n -i 0.0:nnn host xxx.xxx.xxx.xxx
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0:nnn, link-type EN10MB (Ethernet), capture size 96 bytes
    16:45:34.278919 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: parent_sa     ikev2_init[I]
    16:45:34.278935 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: parent_sa ikev2_init[I]
    16:45:34.367242 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa ikev2_init[]
    16:45:34.626446 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
    16:45:39.553492 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
    16:45:40.576115 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
    16:45:41.592765 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
    16:45:42.571266 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 I ident
    16:45:42.571282 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 ? ident
    16:45:42.663164 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: phase 2/others R inf
    16:45:44.571349 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 I ident
    16:45:44.571366 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 ? ident
    16:45:44.643419 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: parent_sa inf2
    16:45:44.671446 IP xxx.xxx.xxx.xxx.isakmp > yyy.yyy.yyy.yyy.14270: isakmp: phase 2/others R inf
    16:45:46.571440 IP 10.1.1.20.isakmp > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 I ident
    16:45:46.571456 IP yyy.yyy.yyy.yyy.14270 > xxx.xxx.xxx.xxx.isakmp: isakmp: phase 1 ? ident
    
    • BinaryCanary_19
      Historic F5 Account
      F5 changes the source port by default (ports are used for load-balancing traffic processing jobs internally). It should be possible to modify that behaviour by looking at the "Source Port Preserve" settings on the Virtual Server. However, I can't recall if ISAKMP is sensitive to source ports, so I'm not sure if that even matters. Note also that if you change the source-port preserve setting from default, you may also need to demote CMP for that VIP in order to avoid "packet loss". By demoting CMP, only CPU0/TMM0 will handle the traffic for that VIP, which is what you want when you disable source port translation. If you are concerned about the privacy of your IP addresses, you should create a support case.