Forum Discussion
IPsec between F5 virtual server and its pool member
Hello,
sorry for not posting this earlier, after some pain, I was able to get this to work myself.
These two links have served as guides, but it is necessary to do some additional work to get things to work:
F5 configuration: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-0/11.html
Windows configuration: http://www.caryglobal.com/miklos/post/How-to-configure-IPSec-on-Windows-20008---Example-and-detailed-steps.aspx
F5 configuration consists of 4 steps:
- First configure the standard VS with two HTTP pool members (Forwarding VS is not required). No SNAT, members had BIG-IP as the default gateway.
- Next configure IKE peers (go to Network > IPsec > IKE peers). The IKE peers are the two pool members from the VS configured in the first step. They were left with default settings of Phase 1 algorithms (SHA-1, 3DES, MODP1024, 1440 rpm). Select Preshared key authentication. Leave the default Common settings.
- Go to Network > IPsec > IPsec policy. Configure two IPsec policies, one for each IKE peer. Settings: Tunnel, SHA-1, 3DES, PFS = NONE, Lifetime = 1440 rpm, 0 KB
- Go to Network > IPsec > Traffic Selector List. Configure two Traffic selectors, one for each IPsec policy. Settings: Source Network IP = 0.0.0.0 / 0, Destination IP = Host, Direction = Both, Action = Protect, IPsec Policy =
Windows configuration consists of two parts: the first is the configuration of the IP Security Policy, the second part is the configuration of Windows Firewall. Windows Firewall must be ON; while it was OFF, the 2nd Phase was not working.
Configuration of IP Security Policy:
- Run mmc.exe console, add the IP Security Policies (on Local Computer) snap-in and create a new policy.
- Under General settings set to generate new key every 1440 min, do not choose the PFS and for the Methods select 3DES, SHA-1 and the corresponding DH group (or repeated for all DH groups, 3DES and SHA-1 are required).
- Create a new Rule for the IPsec policy:
- Authentication methods = preshared key,
- Tunnel settings = IP address of the BIG-IP,
- Connection type = All network connections
- Filter action = Negotiate security, security method = Custom, Settings ESP = SHA1/3DES, generate new key every 86,400 seconds, leave everything else unchecked
- IP filter = Source address = local address, Destination address = Any, select Mirrored (additionally set protocol and port to test all the traffic going through IPsec)
- Apply the settings, then right-click on the created policy and Assign
Configuration of Windows Firewall:
- Run the Windows Firewall with Advanced Security.
- Create a new Connection Security Rule. Settings: Server-to-server, endpoints = Any IP Address, Requirements = Require authentication for inbound and outbound connections, Authentication Method = preshared key (Advanced > Customize), Profile = Domain, Private and Public.
- Edit the created Connection Security Rule > go to the Advanced tab > IPsec tunneling > Customize = mark Use IPsec tunneling and specify the local and remote tunnel endpoints (local and BIG-IP).
- Right click on the created Connection Security Rule and enable.
In the test, traffic was correctly encrypted and balanced between the two members. After configuration changes on Windows you need to go through enable/disable of the IP Security Policy and Connection Security Rule to make things work again.
I would be glad to know if somebody else has successfully tried this.
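The four F5 GUI steps from the post, written out as tmsh commands so the setup can be reproduced and checked from the CLI. This is an added example, not the poster's own configuration or F5-supplied code; the addresses (10.0.0.1 as the BIG-IP self IP / tunnel endpoint, 10.0.0.11 and 10.0.0.12 as the pool members, 10.0.1.100 as the VS) and the object names are assumed, and the `net ipsec` attribute names should be confirmed with `tmsh help net ipsec` on your version.

```tmsh
# Added example (not from the original post). Assumed addresses:
#   10.0.0.1     BIG-IP self IP, tunnel endpoint and members' default gateway
#   10.0.0.11/12 the two HTTP pool members (Windows hosts)
#   10.0.1.100   the virtual server
# Attribute names follow tmsh 'net ipsec'; verify with 'tmsh help net ipsec ike-peer' etc.

# Step 1: standard VS with the two HTTP members. SNAT is left at its default (none),
# as the post requires, so the members see the client address and route back via the BIG-IP.
create ltm pool web_pool members add { 10.0.0.11:80 10.0.0.12:80 } monitor http
create ltm virtual web_vs destination 10.0.1.100:80 ip-protocol tcp profiles add { tcp http } pool web_pool

# Step 2: one IKE peer per member. Phase 1 as in the post: 3DES / SHA-1 / MODP1024, 1440 min, PSK.
# These are the 11.x defaults the poster used; 3DES and SHA-1 are weak by current standards,
# so on a current version prefer AES / SHA-256 and a larger DH group if the Windows side supports them.
create net ipsec ike-peer peer_10_0_0_11 remote-address 10.0.0.11 phase1-auth-method pre-shared-key preshared-key REPLACE_WITH_PSK phase1-encrypt-algorithm 3des phase1-hash-algorithm sha1 phase1-perfect-forward-secrecy modp1024 lifetime 1440
create net ipsec ike-peer peer_10_0_0_12 remote-address 10.0.0.12 phase1-auth-method pre-shared-key preshared-key REPLACE_WITH_PSK phase1-encrypt-algorithm 3des phase1-hash-algorithm sha1 phase1-perfect-forward-secrecy modp1024 lifetime 1440

# Step 3: one IPsec (Phase 2) policy per peer: tunnel mode, ESP SHA-1/3DES, PFS none, 1440 min, 0 KB.
# The Windows "generate new key every 86,400 seconds" setting is the same 1440 minutes.
create net ipsec ipsec-policy pol_10_0_0_11 mode tunnel protocol esp ike-phase2-auth-algorithm sha1 ike-phase2-encrypt-algorithm 3des ike-phase2-perfect-forward-secrecy none ike-phase2-lifetime 1440 ike-phase2-lifetime-kilobytes 0 tunnel-local-address 10.0.0.1 tunnel-remote-address 10.0.0.11
create net ipsec ipsec-policy pol_10_0_0_12 mode tunnel protocol esp ike-phase2-auth-algorithm sha1 ike-phase2-encrypt-algorithm 3des ike-phase2-perfect-forward-secrecy none ike-phase2-lifetime 1440 ike-phase2-lifetime-kilobytes 0 tunnel-local-address 10.0.0.1 tunnel-remote-address 10.0.0.12

# Step 4: one traffic selector per policy: any source -> the member host, both directions, protect.
create net ipsec traffic-selector ts_10_0_0_11 source-address 0.0.0.0/0 destination-address 10.0.0.11/32 direction both action protect ipsec-policy pol_10_0_0_11
create net ipsec traffic-selector ts_10_0_0_12 source-address 0.0.0.0/0 destination-address 10.0.0.12/32 direction both action protect ipsec-policy pol_10_0_0_12
save sys config

# Check: after the Windows policy is assigned and the firewall rule enabled, a Phase 1 SA
# and a Phase 2 SA per member should be listed; an IKE SA without an IPsec SA is the
# "2nd Phase not working" symptom the post describes (firewall off or a mismatched ESP setting).
show net ipsec ike-sa
show net ipsec ipsec-sa
```

If a member shows no SA at all, confirm it reaches 10.0.0.1 directly (no SNAT, BIG-IP as its gateway) and that its IP filter is mirrored, otherwise only one direction will be protected.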