Forum Discussion
a_basharat_2591
Nimbostratus
NimbostratusIPSec on F5-Cisco
Hi, this F5 article describes how to configure the F5 side of it on an IPSec tunnel between an F5 and a third party [Cisco ASA device]: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/pro...
I don't recommend using a wildcard virtual server to handle IPsec traffic because of the security implications.
It's better to create a Virtual Server that handles the specific private subnets. You might have to create a Virtual Server for each direction, otherwise traffic cannot be established in both directions unless your local and remote private networks were both in 10.0.0.0/8 for example, then in that case one VS can cover traffic being established in both directions.
In the two Virtual Server scenario, one needs to listen on the internal side VLAN and the other needs to listen on the public side VLAN. In the one Virtual Server scenario, for bi-directional connection establishment, it needs to listen on both the internal and external side VLANs.
Remember that the Virtual Server does not actually handle the IPsec (ISAKMP and ESP) it handles the private network traffic.
I think you understand correctly. IN literally means packets coming into the BIG-IP over the tunnel. In IP routing this should only be packets with a source IP of the ASA side and a destination IP of the BIG-IP side.