Forum Discussion

Anoop_Dharan_20
May 05, 2018

IPSEC between F5 and third party device

Hi All,
I am trying to configure IPSEC between F5 and another 3rd party device. Wondering if I can use interface mode for the same. Running on 11.6.2.0 HF1. As per article https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-tmos-tunnels-ipsec-11-6-0/7.html tunnel mode needs to be used when setting up IPSEC between F5 and a 3rd party device. Is there any other way around it?
  • Not a huge fan of that video series (and of F5 BIG-IP VPN documentation in general); there are some errors, weird IP changes and other confusing parts.
    I created an interface mode based VPN with a FortiGate as a test, which worked out fine. I should try with a tunnel based one, as in principle the IPSEC part is the same; it is the way you send traffic to the VPN which is different.

  • zeiss_63263
    Historic F5 Account

    Whether you use "interface" or "tunnel" mode doesn't actually matter for the purpose of interop. The remote peer cannot tell what mode the BIG-IP is in. The policy's tunnel mode is a logical construction in the BIG-IP config. The BIG-IP does exactly the same IPsec negotiation regardless of the mode.
    The "interface" mode option was introduced to allow administrators the ability to attach tunnel interfaces to routes. There are also features that allow interface mode to extend to more of a dynamic routing model; that's for advanced scenarios though, and we recommend it for cloud scenarios.
    The "interface" mode is fiddly to configure so I recommend "tunnel" mode for most users.