IPsec between F5 virtual server and its pool member
Hi,
After playing around with various scenarios I was able to get BIG-IP to send ISAKMP packets towards the Windows 2008 server, but I don't receive any response from it. For now let's just use a Forwarding VS and not a Standard VS.
Here is my BIG-IP configuration:
```
ltm virtual /Common/Forwarding-VS-ipsec-test {
    destination /Common/0.0.0.0:0
    ip-forward
    mask any
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
}
net ipsec ike-peer /Common/test-win2008 {
    phase1-auth-method pre-shared-key
    preshared-key-encrypted $M$8L$gsMOhDjrMM/zNlnQ==
    remote-address 192.168.85.112
    verify-cert true
}
net ipsec ipsec-policy /Common/test-ipsec-policy {
    ike-phase2-auth-algorithm sha1
    ike-phase2-encrypt-algorithm 3des
    ike-phase2-lifetime 480
    mode tunnel
    tunnel-local-address 192.168.85.171
    tunnel-remote-address 192.168.85.112
}
net ipsec traffic-selector /Common/test-ipsec-traffic-selector {
    destination-address 192.168.85.112/32
    ipsec-policy /Common/test-ipsec-policy
    source-address 0.0.0.0/0
}
```
And here are the settings of the IP Security Policy on Windows 2008:
* IP Filter = Any to Any IP address and port
* Filter Action = Negotiate Security >> Methods: 3DES/SHA1
* Authentication methods = Preshared key (same key as on BIG-IP)
* Tunnel endpoint = 192.168.85.171
* Connection type = All network connections
* Assigned = Yes

Windows Firewall is OFF, and the IKE and IPsec services are Started.
Here is what I see on BIG-IP (and I see similar on the Win2008 server):

```
admin@(BIG-IP)(cfg-sync Standalone)(Active)(/Common)(tmos) tcpdump -i 0.0 udp and port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
15:11:07.735241 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident
15:11:09.555138 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident
15:11:19.568163 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident
15:11:29.580814 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident
15:11:39.593264 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident
```
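A triage check for a capture like the one in the post, added here as an example and not part of the original post or of any F5 tooling: it parses tcpdump's one-line ISAKMP summaries and, per peer pair, flags negotiations where only initiator (`I`) packets appear, i.e. phase 1 is being retransmitted and the responder never answers. The two sample captures are constructed, modelled on the post's addresses.

```python
import re
from collections import defaultdict

# Regex for the one-line ISAKMP summary tcpdump prints on UDP/500 without -v:
# "<ts> IP <src>.isakmp > <dst>.isakmp: isakmp: phase <1|2> <I|R> <exchange>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.isakmp > (?P<dst>[\d.]+)\.isakmp: "
    r"isakmp: phase (?P<phase>[12]) (?P<role>[IR]) (?P<exch>\w+)"
)

# Constructed sample modelled on the post: four initiator packets, no reply at all.
UNANSWERED = """\
15:11:07.735241 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident
15:11:09.555138 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident
15:11:19.568163 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident
15:11:29.580814 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident
"""

# Constructed sample of a healthy main-mode start: the responder answers the first message.
ANSWERED = """\
15:20:01.000000 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident
15:20:01.004000 IP 192.168.85.112.isakmp > 192.168.85.171.isakmp: isakmp: phase 1 R ident
"""


def parse_isakmp_lines(text):
    """Parse tcpdump ISAKMP summary lines; banner and non-ISAKMP lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def classify_peers(records):
    """Per unordered peer pair, count initiator (I) and responder (R) packets and mark
    whether the exchange was ever answered; an unanswered pair is a one-sided IKE."""
    counts = defaultdict(lambda: {"I": 0, "R": 0})
    for r in records:
        counts[tuple(sorted((r["src"], r["dst"])))][r["role"]] += 1
    return {
        pair: {
            "initiator_packets": c["I"],
            "responder_packets": c["R"],
            "answered": c["R"] > 0,
        }
        for pair, c in counts.items()
    }


if __name__ == "__main__":
    for label, capture in (("unanswered", UNANSWERED), ("answered", ANSWERED)):
        for pair, info in classify_peers(parse_isakmp_lines(capture)).items():
            print(label, pair, info)
```

A pair with zero responder packets narrows the fault to the path or the responder side (something in front of or on the peer is not delivering or not processing UDP/500), whereas a pair that is answered but stalls in a later message points at a proposal or authentication mismatch.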