Forum Discussion
IPSec on F5-Cisco
I don't recommend using a wildcard virtual server to handle IPsec traffic because of the security implications.
It's better to create a Virtual Server that handles the specific private subnets. You might have to create a Virtual Server for each direction; otherwise traffic cannot be established in both directions unless, for example, your local and remote private networks are both in 10.0.0.0/8, in which case one VS can cover traffic being established in both directions.
In the two Virtual Server scenario, one needs to listen on the internal side VLAN and the other needs to listen on the public side VLAN. In the one Virtual Server scenario, for bi-directional connection establishment, it needs to listen on both the internal and external side VLANs.
Remember that the Virtual Server does not actually handle the IPsec (ISAKMP and ESP) it handles the private network traffic.
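The two-Virtual-Server layout described above, written out as a tmsh configuration fragment. This is an added example, not code from the thread or from F5; the subnets, VLAN names and virtual server names are constructed placeholders, and the tmsh syntax is recalled from memory, so check it against the tmsh reference for your TMOS version before use. The IPsec tunnel itself (IKE/ESP) is configured separately and is not shown, since, as the post says, these forwarding virtual servers only carry the private network traffic.

```tmsh
# Added example (not from the thread). Constructed values:
#   local private net behind the F5:  192.168.10.0/24, reached on VLAN "internal"
#   remote private net behind the ASA: 192.168.20.0/24, reached via VLAN "external"
# tmsh syntax from memory; verify against your TMOS version's tmsh reference.

# The setting the post advises against: a wildcard forwarding virtual server
# that accepts any source to any destination on every VLAN. Shown commented
# out for comparison only.
# create ltm virtual vs_fwd_any destination 0.0.0.0:any mask any ip-forward profiles add { fastL4 }

# Preferred: one forwarding virtual server per direction, each scoped to the
# two private subnets and bound only to the VLAN that direction arrives on.

# Local -> remote: listens on the internal-side VLAN; only the local subnet
# may be the source and only the remote subnet may be the destination.
create ltm virtual vs_local_to_remote destination 192.168.20.0:any mask 255.255.255.0 source 192.168.10.0/24 ip-forward profiles add { fastL4 } vlans add { internal } vlans-enabled

# Remote -> local: listens on the public-side VLAN; only the remote subnet
# may be the source and only the local subnet may be the destination.
create ltm virtual vs_remote_to_local destination 192.168.10.0:any mask 255.255.255.0 source 192.168.20.0/24 ip-forward profiles add { fastL4 } vlans add { external } vlans-enabled

save sys config
```

The value of the split is that each virtual server's source, destination and VLAN binding together act as a narrow accept list: a packet arriving on the wrong VLAN or from an unexpected subnet simply matches no virtual server and is dropped, which the wildcard version cannot do.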
OK, it's still a bit iffy for me. Let me ask in other words:
- A packet from the Network hanging off the F5 to the Network hanging off the remote ASA is OUT?
- A packet from the Network hanging off the remote Cisco to the Network hanging off the F5 is IN?
Please let me know.