Forum Discussion
IPSec on F5-Cisco
I don't recommend using a wildcard virtual server to handle IPsec traffic because of the security implications.
It's better to create a Virtual Server that handles the specific private subnets. You might have to create a Virtual Server for each direction; otherwise traffic cannot be established in both directions, unless, for example, your local and remote private networks were both in 10.0.0.0/8, in which case one VS can cover traffic being established in both directions.
In the two Virtual Server scenario, one needs to listen on the internal side VLAN and the other needs to listen on the public side VLAN. In the one Virtual Server scenario, for bi-directional connection establishment, it needs to listen on both the internal and external side VLANs.
Remember that the Virtual Server does not actually handle the IPsec (ISAKMP and ESP); it handles the private network traffic.
On "IPsec traffic selector", I have three local Networks like:
10.15.93.0/24, 10.15.60.0/24 and 10.15.87.0/24 on the "Source IP Address or CIDR" but just one on the "Destination IP Address or CIDR"
That means three traffic selectors or can I combine all the source IP Addresses in one line and one traffic selector?
The default value for the Order setting is "Last" on the F5, but "First" in the F5 deployment guide. How do I marry them up?
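The rule from the first reply (one Virtual Server when local and remote private networks share a block such as 10.0.0.0/8, otherwise one per direction on its own VLAN) can be worked through as a small planner. This is an added example, not code from the thread or from F5: it uses the three local subnets quoted above, and the remote subnet, VLAN names, and the tmsh command shape it prints are all assumptions.

```python
from ipaddress import ip_network

# Private ranges from RFC 1918; the thread's 10.0.0.0/8 example is one of them.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Local subnets quoted in the thread. VLAN names are constructed placeholders.
LOCAL_SUBNETS = ["10.15.93.0/24", "10.15.60.0/24", "10.15.87.0/24"]
INTERNAL_VLAN = "internal"
EXTERNAL_VLAN = "external"


def common_supernet(cidrs):
    """Return the smallest IPv4 prefix that contains every network in cidrs."""
    nets = [ip_network(c, strict=True) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one bit; 0.0.0.0/0 always satisfies the loop
    return candidate


def shared_private_block(cidrs):
    """The RFC 1918 block containing all of cidrs, or None if they span blocks or public space."""
    covering = common_supernet(cidrs)
    for block in RFC1918:
        if covering.subnet_of(block):
            return block
    return None


def tmsh_virtual(name, dest, vlans):
    """Render one forwarding-style virtual server as a tmsh command.

    The syntax (fastL4 profile, no address/port translation, listener restricted to
    the given VLANs) is an assumption for illustration, not taken from the thread.
    """
    dest = ip_network(dest)
    vlan_list = " ".join(vlans)
    return (f"create ltm virtual {name} destination {dest.network_address}:any "
            f"mask {dest.netmask} ip-protocol any profiles add {{ fastL4 }} "
            f"vlans add {{ {vlan_list} }} vlans-enabled "
            f"translate-address disabled translate-port disabled")


def plan_virtual_servers(local_subnets, remote_subnet):
    """Apply the reply's rule.

    If local and remote networks sit inside one private block, a single VS for that
    block listening on both VLANs serves both directions. Otherwise emit one outbound
    VS (destination = remote subnet, internal VLAN) and one inbound VS per local
    subnet (destination = that subnet, external VLAN), keeping matches specific
    instead of falling back to a wildcard listener.
    """
    block = shared_private_block(list(local_subnets) + [remote_subnet])
    if block is not None:
        cmd = tmsh_virtual("vs_ipsec_both", str(block), [INTERNAL_VLAN, EXTERNAL_VLAN])
        return {"mode": "single", "commands": [cmd]}
    cmds = [tmsh_virtual("vs_ipsec_outbound", remote_subnet, [INTERNAL_VLAN])]
    for i, local in enumerate(local_subnets, 1):
        cmds.append(tmsh_virtual(f"vs_ipsec_inbound_{i}", local, [EXTERNAL_VLAN]))
    return {"mode": "per-direction", "commands": cmds}


if __name__ == "__main__":
    for remote in ("192.168.50.0/24", "10.20.0.0/16"):  # constructed remote subnets
        plan = plan_virtual_servers(LOCAL_SUBNETS, remote)
        print(f"remote {remote}: {plan['mode']}")
        for c in plan["commands"]:
            print("  " + c)
```

With a remote of 192.168.50.0/24 the planner falls into per-direction mode (four listeners, each bound to one VLAN and one specific subnet); with 10.20.0.0/16 it collapses to one VS for 10.0.0.0/8 on both VLANs. The single-VS form is still broader than the subnets actually in the tunnel, so if the narrower match matters more than the saved object, the per-direction output can be used even when a shared block exists.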