Forum Discussion

Peter_Aeschlima
Jan 22, 2014

ipsec tunnel & route domains

I got a large number of route domains, each containing 1 specific, private class-C subnet in 1 VLan each. They all have the same parent RD "0", which is the only network reachable from a remote location and therefore also contains the IPsec tunnel endpoint.

(RD_122 / VLan_122 / 10.1.22.0/24) -> \
(RD_123 / VLan_123 / 10.1.23.0/24) -> > (RD_0 / VLAN_10 / {official address}/24)
(RD_124 / VLan_124 / 10.1.24.0/24) -> /

The remote location has an identical setup, with different address ranges, VLan and RD numbers. I now need to create an IPsec tunnel between 2 VLans, one per location.

Having both VLans in RD=0, all works fine. Putting the VLans into their corresponding RDs, capturing traffic with a regular "traffic selector" and the VirtualServer listening in the correct RD (0.0.0.0%123/24) works as far as creating the tunnel and sending traffic through, but ends at the remote F5 in RD=0 ...

-> how can I direct the packets exiting the IPsec tunnel into a specific Route Domain?

Any hints highly appreciated. BR, p
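The lookup behaviour behind this question, as an added illustration that is not part of the original post or of F5's code: a small Python model of the BIG-IP `address%rd` notation and of child-to-parent route fallback, built from the topology above. It assumes 203.0.113.0/24 as a stand-in for the unnamed official subnet, and the names parse_rd_address, RouteTable, build_topology and reachable_from_rd0 are mine. It shows why a host in RD 123 can reach RD 0 but RD 0 cannot reach into RD 123, and how a single static route from RD 0 back into a child domain (the "x.x.x.x%0/24 -> x.x.x.x%123" idea) makes that child's subnet reachable again.

```python
"""Model of BIG-IP route-domain lookup semantics (added illustration, not F5 code).

Notation: ``10.1.23.5%123`` is host 10.1.23.5 in route domain 123; a missing
``%rd`` means route domain 0. A child route domain with no matching route
falls through to its parent, but a parent never falls "down" into a child.
That asymmetry is what keeps the per-VLAN subnets private; a route from RD 0
into a child domain removes it.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, int]  # (prefix, route domain it delivers into)


def parse_rd_address(text: str) -> Tuple[ipaddress.IPv4Network, int]:
    """Split ``addr[%rd][/prefix]`` into (network, route_domain)."""
    addr, sep, rest = text.partition("%")
    if not sep:
        return ipaddress.ip_network(addr, strict=False), 0
    rd_text, slash, prefix = rest.partition("/")
    cidr = addr + ("/" + prefix if slash else "")
    return ipaddress.ip_network(cidr, strict=False), int(rd_text)


@dataclass
class RouteDomain:
    rd_id: int
    parent: Optional[int]  # None only for RD 0
    routes: List[Route] = field(default_factory=list)


class RouteTable:
    def __init__(self) -> None:
        self.domains: Dict[int, RouteDomain] = {}

    def add_domain(self, rd_id: int, parent: Optional[int]) -> None:
        self.domains[rd_id] = RouteDomain(rd_id, parent)

    def add_connected(self, network: str) -> None:
        """A directly attached VLAN subnet, e.g. '10.1.23.0%123/24'."""
        net, rd = parse_rd_address(network)
        self.domains[rd].routes.append((net, rd))

    def add_route(self, network: str, egress_rd: int) -> None:
        """A static route whose next hop lives in another route domain."""
        net, rd = parse_rd_address(network)
        self.domains[rd].routes.append((net, egress_rd))

    def lookup(self, dest: str) -> Optional[int]:
        """Route domain that finally delivers ``dest``, or None if unroutable.

        Longest-prefix match in the starting RD, then walk up the parent chain.
        """
        ip, rd = parse_rd_address(dest)
        host = ip.network_address
        current: Optional[int] = rd
        while current is not None:
            dom = self.domains[current]
            matches = [r for r in dom.routes if host in r[0]]
            if matches:
                return max(matches, key=lambda r: r[0].prefixlen)[1]
            current = dom.parent
        return None


def build_topology() -> RouteTable:
    """The layout from the post: three child RDs under RD 0, which holds the
    public VLAN (203.0.113.0/24 is a constructed stand-in for the real one)."""
    t = RouteTable()
    t.add_domain(0, None)
    t.add_connected("203.0.113.0%0/24")
    for rd in (122, 123, 124):
        t.add_domain(rd, parent=0)
        t.add_connected(f"10.1.{rd - 100}.0%{rd}/24")
    return t


def reachable_from_rd0(table: RouteTable, host_in_child: str) -> bool:
    """True if a host living in a child RD can be reached by traffic that
    arrives in RD 0 (for example packets leaving the IPsec tunnel)."""
    net, _ = parse_rd_address(host_in_child)
    return table.lookup(f"{net.network_address}%0") is not None


if __name__ == "__main__":
    table = build_topology()
    print("RD123 -> RD0 public VLAN:", table.lookup("203.0.113.7%123"))  # 0
    print("RD0 -> RD123 subnet:", table.lookup("10.1.23.5%0"))  # None: isolated
    table.add_route("10.1.23.0%0/24", egress_rd=123)  # the "route back down"
    print("after static route:", reachable_from_rd0(table, "10.1.23.5%123"))  # True
```

Run it as a script and the last line shows the trade-off the thread arrives at: once RD 0 carries a route into 10.1.23.0/24, anything that lands in RD 0, including decapsulated tunnel traffic, can reach the subnet that the route domain was meant to fence off.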

3 Replies

  • Not sure this is possible, as route domains are local to the BIG-IP. Once traffic leaves the device it can only use standard IP addressing. Have you tried adding a route x.x.x.x%0/24 -> x.x.x.x%123? Does the IPSEC tunnel feature you are using support routing domains, and if so maybe you can create a tunnel for each?

  • Just got word from F5 that IPsec is currently only supported for RD=0.

    Thanks Kevin, but routing "back down" to my RDs from RD=0 would make them accessible from there, something I prevented by using RDs in the 1st place.

    So I'll need to think of a workaround or maybe drop the Route Domains entirely. I'll update when I've found a solution.

    BR, p

    • zeiss_63263
      Historic F5 Account

      Route-Domains + IKEv1 IPsec are now fully supported in 12.0.0. If your IPsec needs to cross route domains, meaning that the external and internal VLANs are in different route domains, then IPsec "interface mode" is your best option.