Forum Discussion
Does anyone have 11.6 LTM doing IPsec with 3rd party device
- Feb 08, 2015
My experience with BIG-IP for IPsec: it doesn't work properly. I tried a lot with Link Controller to terminate and to bypass IPsec traffic; nothing works. Many technical cases with no progress.
So after yeoman work by Damon at F5, we got all of the issues resolved. First, follow the instructions to get the connection working, sort of. Once we had the tunnel set up between the systems (getting the parameters right helps), we still ran into problems with TCP connections initiated from the F5 end. Now comes the weird part. We created a route to the remote network inside the tunnel and pointed it to the gateway for the network that contains the F5 endpoint. Once this route was added to the mix, all of the TCP and other connections worked. So the missing instruction is to be sure you add a route to the target remote networks to the F5 using the endpoint gateway as the next hop. This is basically the way that Cisco used to work where you put the IPsec association on the endpoint interface.
- shaggy, Feb 10, 2015 (Nimbostratus): Wow, good work. By "endpoint gateway", do you mean the remote (non-F5 side) end's IP address?
- Bill_Chipman_10, Feb 10, 2015 (Nimbostratus): No, I mean the next hop from the network that contains the F5 IPsec gateway address. In my case, this is one of the routers in my internet gateway pool. Seems the VLAN identity protection code in F5 gets confused when the packet enters the tunnel before actually being routed out the endpoint network. Putting in the route cleared up this confusion.
- Bill_Chipman_10, Feb 18, 2015 (Nimbostratus): Also works to create a forwarding Layer 4 virtual server with the pool that contains the next hop address in the network with the VPN head-end. This works better, since the route is a global setting.
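The thread's fix hinges on one detail that is easy to get backwards: the static route for the remote network must point at the next hop of the network that holds the F5's own IPsec endpoint, not at the remote peer. The following is an added example, not code from the thread or from F5, that encodes that rule as a pre-flight check and renders the tmsh route command (`create net route <name> network <prefix> gw <next-hop>` is assumed to be the applicable syntax; all addresses are constructed documentation-range values, and `check_route`, `tmsh_route` and `IpsecRouteCheck` are names chosen here).

```python
"""Sanity-check the static route described in the thread above.

Added example, not from the original thread or from F5. It assumes the
tmsh form `create net route <name> network <prefix> gw <next-hop>`; every
address in the usage block is a constructed documentation-range value.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class IpsecRouteCheck:
    local_endpoint: str    # F5 IPsec endpoint address with prefix, e.g. "203.0.113.10/24"
    endpoint_gateway: str  # next hop of the network holding that endpoint
    remote_network: str    # network reached through the tunnel
    remote_peer: str       # the other side's IPsec endpoint


def check_route(cfg: IpsecRouteCheck) -> List[str]:
    """Return a list of problems; an empty list means the route is consistent."""
    problems: List[str] = []
    local_iface = ipaddress.ip_interface(cfg.local_endpoint)
    gw = ipaddress.ip_address(cfg.endpoint_gateway)
    remote = ipaddress.ip_network(cfg.remote_network, strict=False)
    peer = ipaddress.ip_address(cfg.remote_peer)

    # The thread's finding: the next hop must be the gateway of the network
    # that contains the F5's own IPsec endpoint, not the remote peer.
    if gw not in local_iface.network:
        problems.append(f"gateway {gw} is not on the endpoint network {local_iface.network}")
    if gw == peer:
        problems.append("gateway must be the local endpoint network's next hop, not the remote peer")
    if gw == local_iface.ip:
        problems.append("gateway cannot be the F5's own endpoint address")
    # The protected remote network must not overlap the endpoint network,
    # otherwise the tunnel's outer packets would themselves match the route.
    if remote.overlaps(local_iface.network):
        problems.append(f"remote network {remote} overlaps the endpoint network {local_iface.network}")
    # Likewise the peer's outer address must not sit inside the protected network.
    if peer in remote:
        problems.append(f"remote peer {peer} lies inside the remote network {remote}")
    return problems


def tmsh_route(name: str, cfg: IpsecRouteCheck) -> str:
    """Render the tmsh command for a route that passes check_route; raise otherwise."""
    problems = check_route(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    remote = ipaddress.ip_network(cfg.remote_network, strict=False)
    return f"create net route {name} network {remote.with_prefixlen} gw {cfg.endpoint_gateway}"


if __name__ == "__main__":
    # Constructed values: F5 endpoint on 203.0.113.0/24, internet gateway .1,
    # remote site 10.20.0.0/16 behind a peer at 198.51.100.5.
    good = IpsecRouteCheck("203.0.113.10/24", "203.0.113.1", "10.20.0.0/16", "198.51.100.5")
    print(tmsh_route("to_remote_site", good))
    # The mistake shaggy asked about: pointing the route at the remote peer.
    wrong = IpsecRouteCheck("203.0.113.10/24", "198.51.100.5", "10.20.0.0/16", "198.51.100.5")
    for problem in check_route(wrong):
        print("problem:", problem)
```

Running the block prints the route command for the consistent configuration and then lists why the "route via the remote peer" variant is rejected. The same check applies to the pool member of the forwarding Layer 4 virtual server mentioned in the last reply, since that pool member is the same next hop.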