For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

boneyard's avatar
boneyard
Icon for MVP rankMVP
Nov 24, 2013

IPSec with BIG-IP as end point questions

it is good F5 decided to support this a while ago, but the documentation could be a little better. now it is some general remarks and then one example.   my main question is about the "forwarding ...
BIG-IP
BIG-IP Access Policy Manager (APM)
design
ipsec
security
What_Lies_Bene1's avatar
What_Lies_Bene1
Icon for Cirrostratus rankCirrostratus
Nov 25, 2013

Hey Boneyard. I've no experience with this but I can say with certainty that it will work with other VLANs and names at least.

 

I've had a quick look through the guide. From what I can tell you cannot use the management IP address and it must be a self IP address.

 

I think you could configure the Forwarding VS as something other than : but you'd need to do this carefully. Perhaps just use the remote network subnet for instance. Obviously it's the Traffic Selector that defines what actually passes through the tunnel.

 

Cluster wise, I can't test in any way but if the IPsec configuration syncs between devices and you can use a floating self IP then you've some level of redundancy but I'd assume the tunnels would be deleted and recreated on a failover.