Forum Discussion
Does anyone have 11.6 LTM doing IPsec with 3rd party device
We are trying to create an IPsec tunnel with 3 traffic selectors on one IKE peer. The tunnel will come up; however, we aren't able to get any traffic flowing over the link. Traceroute shows that the connection is trying to go over the default route rather than into the tunnel. F5 shows that the tunnel is active and receiving packets, just not sending any. We are using a secondary floating self-IP on the external network, with a 10.0.0.0/8 route to the internal network. The remote network is 10.0.5.0/24.
- Mahmoud_Eldeeb_Cirrostratus
Configuring IPsec for Tunnel Mode and Dynamic Security Negotiation
- Mahmoud_Eldeeb_Cirrostratus
Configuring IPsec between a BIG-IP System and a Third-Party Device
- bcZeomega_16087Nimbostratus
So I followed these instructions to set up my tunnels. Two different F5 engineers have looked at it and say it should work. Tunnels come up, but no traffic flows. Do you have to create a special virtual server for the target ip range? bc
- bcZeomega_16087Nimbostratus
So I wasn't asking for instructions, just if anyone has actually gotten an IPsec tunnel to work with another site.
- Mahmoud_Eldeeb_Cirrostratus
my experience with big ip for ipsec, it doesn't work properly i tried a lot with link controller to terminate and to by pass ipsec traffic nothing works, many technical cases with no progress
- Bill_Chipman_10Nimbostratus
Thanks, that is what I expected. There aren't any other questions about IPsec for the past three months. I suspect everyone else has given up on this as well. Sigh. Used to work; I guess it broke in version 11.
- Mahmoud_Eldeeb_Cirrostratus
Don't forget to mark the answer as the solution if you would, please.
- Bill_Chipman_10Nimbostratus
I'll leave it out there for a day or so in case someone has gotten this to work.
- Bill_Chipman_10Nimbostratus
So after yeoman work by Damon at F5, we got all of the issues resolved. First, follow the instructions to get the connection working, sort of. Once we had the tunnel set up between the systems (getting the parameters right helps), we still ran into problems with TCP connections initiated from the F5 end. Now comes the weird part. We created a route to the remote network inside the tunnel and pointed it to the gateway for the network that contains the F5 endpoint. Once this route was added to the mix, all of the TCP and other connections worked. So the missing instruction is to be sure you add a route to the target remote networks to the F5 using the endpoint gateway as the next hop. This is basically the way that Cisco used to work where you put the IPsec association on the endpoint interface.
- shaggyNimbostratus
Wow, good work. By "endpoint gateway", do you mean the remote (non-F5 side) end's IP address?
- Bill_Chipman_10Nimbostratus
No, I mean the next hop from the network that contains the F5 IPsec gateway address. In my case, this is one of the routers in my internet gateway pool. Seems the VLAN identity protection code in F5 gets confused when the packet enters the tunnel before actually being routed out the endpoint network. Putting in the route cleared up this confusion.
- Bill_Chipman_10Nimbostratus
Also works to create a forwarding Layer 4 virtual server with the pool that contains the next hop address in the network with the VPN head-end. This works better, since the route is a global setting.
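As an added example (not from Bill's posts or from the F5 manuals linked above), here is what the two workarounds he describes look like in tmsh on an 11.x box. 10.0.5.0/24 is the remote network from the original question; 192.0.2.1 and all object names are placeholders you would replace with your own next-hop router and naming.

```tmsh
# Added example, not from the thread. Constructed values:
#   10.0.5.0/24  remote network behind the third-party IPsec peer (from the question)
#   192.0.2.1    placeholder for an existing next-hop router on the VLAN that holds the
#                F5 IPsec endpoint address (Bill's "endpoint gateway")
#
# Workaround 1: a global static route for the remote network via the endpoint gateway.
# Its only job is to get the packet routed out the endpoint VLAN so the traffic
# selector for 10.0.5.0/24 matches it on the way out instead of the default route.
tmsh create net route to_remote_10_0_5 network 10.0.5.0/24 gw 192.0.2.1

# Workaround 2 (Bill's preferred one, since a route is global): a Performance (Layer 4)
# virtual server for the remote network whose pool member is the same next hop, with
# address and port translation disabled so the original destination is kept.
tmsh create ltm pool vpn_nexthop_pool members add { 192.0.2.1:0 }   # port 0 = any port
tmsh create ltm virtual vs_to_remote_10_0_5 \
    destination 10.0.5.0:0 mask 255.255.255.0 ip-protocol any \
    profiles add { fastL4 } pool vpn_nexthop_pool \
    translate-address disabled translate-port disabled

# Checks: the route is installed, and the SA now shows bytes out, not only bytes in.
tmsh show net route
tmsh show net ipsec ipsec-sa
tmsh save sys config
```

Pick one of the two, not both, so you can tell which one actually changed the behaviour when you test with traceroute from the F5 side.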
- Diego_LozadaNimbostratus
Hi,
I am also trying to establish an IPsec tunnel against Amazon AWS following https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-0/11.html but for some reason no traffic flow triggers the Traffic Selector to establish the tunnel. Has anyone gotten an IPsec tunnel to work?
All input is welcome.
Thanks
Diego
- Bill_Chipman_10Nimbostratus
Sort of works. Be sure to create a route in Networks/Route to the target network and have a forwarding IP that can send the traffic down into Linux-Land to hop in the tunnel. bc
- Diego_LozadaNimbostratus
Bill, according to what you said in the comments from 1 month ago and the latest one, I should add a static route to the specific remote network using as a gateway one of the routers of the default gateway pool. But if the traffic is going to the default route anyway, why does adding a static route fix the issue and force the traffic into the tunnel? This isn't clear to me yet.
Thanks
- Bill_Chipman_10Nimbostratus
So after many tries, I installed a surplus ASA 5510 and moved all of my IPsec tunnels over to it. Works like a champ, once you get it working. The F5 solution is just not reliable or repeatable for production use.