Forum Discussion
F5 3900 LTM and outbound ipsec problem
Hi all,
I have some trouble with the configuration of IPsec tunnels with our BigIP 3900 LTM (v11 HF2).
Setup:
Lan1 <-> Firewall <-> Internet <-> F5 LTM 3900 <-> internal Lan <-> Firewall <-> LAN2
I managed to connect two different firewalls with the BigIP and the tunnel is working fine when the traffic is initiated from Lan1. When I try to initiate a connection from Lan2 to Lan1, the BigIP doesn't establish an IPsec tunnel.
The IPsec - Traffic Selector configuration should be fine, but it seems that it's not routing the traffic through the IPsec tunnel.
Source IP Address: LAN2
Destination IP Address: LAN1
All Ports and Protocols enabled
Direction: Both
Action: Protect
No Nat on Firewall
Any idea?
Thx,
Daniel
7 Replies
- Cholito_15468
Nimbostratus
Hi dankopfe, you have two virtual servers.
1 VS (PublicIP) port 0 Performance L4 VLAN interna
2 VS (PublicIP) port 500 Performance L4 VLAN interna
- Daniel_Kopfenst
Nimbostratus
Hi Cholito,
I have just 1 VS (Forwarding IP - fastL4) listening on all ports and protocols and also on all VLANs (internal and external should be enough), but I will harden it afterwards, once I have managed to get outgoing IPsec working.
Basically I followed that howto:
Manual Chapter: Configuring IPsec between a BIG-IP System and a Third-Party Device
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-0/11.html?sr=24146242
- Daniel_Kopfenst
Nimbostratus
double post
- Cholito_15468
Nimbostratus
very nice
- Techgeeeg
Nimbostratus
Hi,
So did you manage to make it work, or are you still facing the problem?
- marco_octavian_
Nimbostratus
I have a similar config working. Outbound is fine; actually, two-way communication is just fine. As stated in my other post, 11.4 gave me issues but 11.5.1 is fine.
I actually have my LTM behind a Cisco router 2821 performing NAT out of my home lab, connecting via IPsec to my work office. local_lan LTM <-> 2821 (internet) 2901 <-> local_lan
The local_lan is also where my pool members reside. I just used a laptop with static routes to test, but it is working fine.
Does phase 2 look good on both ends? Did you check the ACL/rulebase/policy on the firewall? What kind of firewall is it?
- A_Shack_161373
Nimbostratus
Has anyone managed to get this working? I am having the same issue (IPsec pass-through).