Forum Discussion
IPSec on F5-Cisco
I don't recommend using a wildcard virtual server to handle IPsec traffic because of the security implications.
It's better to create a Virtual Server that handles the specific private subnets. You might have to create a Virtual Server for each direction; otherwise, traffic cannot be established in both directions unless your local and remote private networks are both in 10.0.0.0/8, for example. In that case one VS can cover traffic being established in both directions.
In the two Virtual Server scenario, one needs to listen on the internal side VLAN and the other needs to listen on the public side VLAN. In the one Virtual Server scenario, for bi-directional connection establishment, it needs to listen on both the internal and external side VLANs.
Remember that the Virtual Server does not actually handle the IPsec (ISAKMP and ESP); it handles the private network traffic.
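What the two-Virtual-Server layout above looks like in tmsh, as an added example that is not part of the original post and not taken from F5's deployment guide. The subnet addresses (local private network 10.10.10.0/24 behind VLAN `internal`, remote private network 192.168.20.0/24 behind VLAN `external`) and the virtual server names are assumed for illustration; substitute your own. Each listener is a forwarding (IP) virtual server scoped to one source/destination subnet pair, all protocols and ports, on one VLAN only, instead of the 0.0.0.0/0 wildcard on all VLANs. The IPsec traffic selector still has to cover the same pair of subnets, since the virtual servers only pick up the cleartext private traffic, not ISAKMP or ESP.

```tmsh
# Added example (not from the thread or from F5's guide). Assumed names and
# addresses: local private subnet 10.10.10.0/24 behind VLAN "internal",
# remote private subnet 192.168.20.0/24 reached over the tunnel via VLAN
# "external". Adjust to your own addressing.

# Direction 1: hosts on the local subnet initiating toward the remote subnet.
# Listens only on the internal VLAN and only for this subnet pair; address
# and port translation are disabled, so it forwards rather than load-balances.
create ltm virtual vs_ipsec_local_to_remote {
    destination 192.168.20.0:any
    mask 255.255.255.0
    source 10.10.10.0/24
    ip-protocol any
    ip-forward
    profiles add { fastL4 { } }
    translate-address disabled
    translate-port disabled
    vlans-enabled
    vlans add { internal }
}

# Direction 2: remote hosts initiating toward the local subnet. Listens on
# the public-side VLAN for the mirror-image subnet pair.
create ltm virtual vs_ipsec_remote_to_local {
    destination 10.10.10.0:any
    mask 255.255.255.0
    source 192.168.20.0/24
    ip-protocol any
    ip-forward
    profiles add { fastL4 { } }
    translate-address disabled
    translate-port disabled
    vlans-enabled
    vlans add { external }
}

# Sanity checks: confirm both listeners exist with the intended scope, then
# watch the packet counters climb while generating traffic in each direction.
list ltm virtual vs_ipsec_local_to_remote vs_ipsec_remote_to_local
show ltm virtual vs_ipsec_local_to_remote vs_ipsec_remote_to_local
```

If traffic in one direction never increments the counters of its virtual server, the usual causes are a traffic selector that does not match the subnet pair, or the listener being enabled on the wrong VLAN for that direction.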
I absolutely agree with the security concerns of using a wildcard VS listening on all ports, but it is F5 who published it officially in their deployment guide: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-tmos-tunnels-ipsec-13-1-0/10.htmlguid-4a5c2cee-039b-489f-9d78-3e0708491c67
Is there any light guide on how to do it with specific VSs listening on specific IP addresses? What port or range of ports will be needed, and where should those VSs be configured [frontend, backend]?