Forum Discussion
How can I do a IPSEC VPN
In principle, the BIG-IP will interoperate with ASA devices running current ASA software and a current TMOS version. It is frequently done in fact, but requires patience and sometimes assistance from F5 Support. IPsec is hard to wrap your head around.
Both IKEv1 and IKEv2 are supported when bringing up BIG-IP tunnels to an ASA, although you really do want to be running the latest version of 13.1. For an ASA interop, right now I'd recommend starting with IKEv1. Disclaimer: most vendor-specific Vendor IDs are not supported by the BIG-IP.
Unless you're configuring a BIG-IP in the Cloud (Azure/AWS/Google), I recommend you configure your IPsec Policy (net ipsec ipsec-policy) to use "Tunnel" mode. Do not use "Interface" mode; it is more complex to configure and is useful only for very specific solutions. From the ASA's perspective it won't have a clue whether you've selected Interface or Tunnel mode, and it is not part of the ISAKMP negotiation (tunnel setup).
Following a guide like this should be fine: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-5-0/17.html
It takes the assumption that you are configuring two BIG-IPs as peers, so just pretend that "BIG-IP B" is the ASA!
That manual chapter is missing one important point. If you don't have a default route, or you have multiple gateways, you need to configure a static route for (1) the next-hop to the remote peer's public IP and (2) the next-hop to the remote peer's private network. If I recall correctly, the ASA has a similar requirement. The next-hop IP for both route (1) and (2) will be the same IP. Yes, you read me right, tell the BIG-IP that the route to the private network is via your ISP next-hop.
Don't forget that if either side is behind a NAT, then enable NAT detection.
- Ricardo_Raza_14, Apr 11, 2018 (Nimbostratus)
Hi, I did the actions that you advised me, but although the VPN is established in all phases I can't do a ping between the networks, and I don't know how I need to encapsulate this traffic through the VPN.
- zeiss_63263, Apr 11, 2018 (Historic F5 Account)
I recommend that you do not try pinging from the BIG-IP, in case that's what you are trying. PING from a host that is inside the local private network to the remote private network. In other words, the PING must be between two hosts that have IPs covered by a traffic-selector (tmsh list net ipsec traffic-selector).
If you are pinging between two real hosts, then make sure that you have a Virtual Server that allows ICMP. If you have a wildcard (0.0.0.0:*) Virtual Server, then that will handle the traffic. There must be some Virtual Server that handles the private traffic, just like any other traffic. The Virtual Server needs to listen on at least the internal VLAN so that connections to the remote can be established from the BIG-IP side. If such a Virtual Server doesn't listen on the external VLAN then new connections coming from the remote (over IPsec) cannot be established. Remember that a Virtual Server configured to listen for a specific destination might not match both directions of a traffic-selector. Therefore you might find that you can only establish connections from the BIG-IP side but not establish connections from the remote side.
Note: The Virtual Server does not handle IPsec or ISAKMP, only the private traffic.
A few troubleshooting ideas:
- Check that your Virtual Server(s) match the private traffic.
- Double check that you have at least a default gateway, per what I wrote earlier.
- You can tcpdump traffic on the BIG-IP of course, to see whether the inbound (PING) traffic is matching your selectors and look for ESP packets.
- Use "tmsh show net ipsec traffic-selector" to see whether there are any packet counters on the traffic-selectors either IN or OUT.
- In "tmsh show net ipsec ipsec-sa" you should see the SAs as being "mature" and not "larval" for example.
- Ricardo_Raza_14, Apr 11, 2018 (Nimbostratus)
Hi, it really is not clear to me. When I execute the command "tmsh show net ipsec ipsec-sa" it shows me the SAs as being "mature", but the part about the VS is not clear: do I have to create a special VS for the tunnel?
On the private side behind the F5 I have the net 10.111.0.0/24, and on the other side behind a firewall I have 10.0.8.0/24, and I only have a VS for forwarding the traffic.
About the ping: when I try it, it does not go through the tunnel, because the tracert shows me hops between internet and public IPs and does not show me only the IPs of the tunnel.
- zeiss_63263, Apr 11, 2018 (Historic F5 Account)
Use:
tmsh show net ipsec ipsec-sa all-properties
Here is an example Virtual Server configuration, to control very specifically the inbound and outbound private traffic.
create ltm virtual ipsec-inbound { destination 10.111.0.0:any ip-forward mask 255.255.255.0 source 10.0.8.0/24 profiles add { fastL4 { } } vlans add { external_vlan } vlans-enabled }
create ltm virtual ipsec-outbound { destination 10.0.8.0:any ip-forward mask 255.255.255.0 source 10.111.0.0/24 profiles add { fastL4 { } } vlans add { internal_vlan } vlans-enabled }
The first Virtual Server catches packets that arrive via the tunnel from the remote trying to establish new sessions. The second Virtual Server catches packets generated by your local private network trying to establish new sessions to the remote private network.
I do not know whether you have problems establishing a tunnel or starting the tunnel. The first thing you need to work out is whether you are establishing "mature" tunnels in and out. If your IPsec tunnel establishment is failing, the problem is not related to the Virtual Servers. If the tunnel is not even attempting to start (no ISAKMP packets at all) then the problem could be related to the Virtual Server matching.
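For readers following this thread, here is an added example (not posted by either participant) of the tunnel-mode IPsec objects and the static routes that the earlier reply says the manual chapter omits. The object names, the algorithm choices, the IKEv1 pre-shared key placeholder and the A.A.A.A / A.A.A.B / B.B.B.B addresses are assumptions taken from the placeholders used in this thread; the two forwarding Virtual Servers posted above complete the picture.

```tmsh
# Phase 1: IKEv1 to the ASA peer (B.B.B.B), PSK auth, NAT-T on in case either side is NATed
create net ipsec ike-peer asa_peer { remote-address B.B.B.B version add { v1 } phase1-auth-method pre-shared-key preshared-key "REPLACE_WITH_SHARED_SECRET" phase1-encrypt-algorithm aes256 phase1-hash-algorithm sha256 phase1-perfect-forward-secrecy modp2048 my-id-type address my-id-value A.A.A.A peers-id-type address peers-id-value B.B.B.B nat-traversal on }

# Phase 2 policy in Tunnel mode (not Interface mode), ESP with AES-256/SHA-256 and PFS
create net ipsec ipsec-policy asa_policy { mode tunnel tunnel-local-address A.A.A.A tunnel-remote-address B.B.B.B protocol esp ike-phase2-encrypt-algorithm aes256 ike-phase2-auth-algorithm sha256 ike-phase2-perfect-forward-secrecy modp2048 }

# Traffic selector: local private net <-> remote private net; only hosts covered here are protected
create net ipsec traffic-selector asa_ts { source-address 10.111.0.0/19 destination-address 10.108.8.0/24 ipsec-policy asa_policy }

# Static routes: both the peer's public IP and the remote private network go via the ISP next-hop.
# Unnecessary if a default route via A.A.A.B already exists.
create net route to_asa_peer { network B.B.B.B/32 gw A.A.A.B }
create net route to_asa_private { network 10.108.8.0/24 gw A.A.A.B }

# Verify after a host-to-host ping: SAs should be "mature" and selector counters should increment
show net ipsec ipsec-sa all-properties
show net ipsec traffic-selector
```

The ASA must be configured with the mirror image (same proposal, same PSK, crypto ACL matching the selector); that side is not shown here.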
- Ricardo_Raza_14, Apr 11, 2018 (Nimbostratus)
Hi, thanks for your answer. I have a doubt about this part:
"That manual chapter is missing one important point. If you don't have a default route, or you have multiple gateways, you need to configure a static route for (1) the next-hop to the remote peer's public IP and (2) the next-hop to the remote peer's private network. If I recall correctly, the ASA has a similar requirement. The next-hop IP for both route (1) and (2) will be the same IP. Yes, you read me right, tell the BIG-IP that the route to the private network is via your ISP next-hop."
My net is like this:
Computer: 10.111.6.55 FW: 10.111.6.1 Self internal: 172.16.11.1 SelfIP ext: A.A.A.A GW Self IP: A.A.A.B
RFW: B.B.B.B Private Net Remote: 10.108.8.0
I have established the IPsec VPN between A.A.A.A and 10.108.8.0; I have the traffic selector from 10.111.0.0/19 and remote 10.108.8.0/24.
But the traffic doesn't work, and the state of the VPN shows me "mature".
I have a route to the public and internal like this: destination 10.108.8.0 netmask 255.255.255.0 gw A.A.A.B
Is this correct, or does the GW have to be the public IP of the remote address?
- zeiss_63263, Apr 11, 2018 (Historic F5 Account)
Hi Ricardo,
I've removed the reference to your external IPs for privacy protection. Now we have this:
SelfIP ext: A.A.A.A GW Self IP: A.A.A.B RFW: B.B.B.B
destination 10.108.8.0 netmask 255.255.255.0 gw A.A.A.B
Yes, a route like this is correct for your needs. But if you have a default (0.0.0.0/0) route already via A.A.A.B then a specific route to 10.108.8.0/24 is unnecessary.
"Is this correct, or does the GW have to be the public IP of the remote address?"
Not the remote peer address (B.B.B.B). The remote address cannot be a next-hop/gateway unless it is layer-2 reachable (meaning, on the same subnet). Your current route sounds fine to me.
- zeiss_63263, Apr 11, 2018 (Historic F5 Account)
"But the traffic doesn't work, and the state of the VPN shows me "mature"."
In this case, I would tcpdump for ESP traffic to verify that the BIG-IP is sending ESP and if it is, check whether you are getting ESP packets back from the peer:
tcpdump -nni 0.0 proto 50 or udp port 4500 or udp port 500
- protocol 50 = ESP
- udp port 4500 = if NAT is detected, ESP and some ISAKMP packets will be encapsulated in UDP port 4500 (NAT-T)
- udp port 500 = ISAKMP traffic (tunnel negotiation)
- Ricardo_Raza_14, Apr 11, 2018 (Nimbostratus)
Like I show in the picture, the VPN is established, but traffic doesn't work. What else do you think I am forgetting?