Forum Discussion
LTM 13.0 Unable to create IPSec with traffic domain other than 0
Two F5 LTM VE systems, upgraded to 13.0.
The goal is to create IPSec Tunnel when traffic selector is at non-0 Route Domain. IPsec tunnel works(ed) with only route domain 0.
There are:
1. Two interfaces: untagged External with a public Self IP, and tagged Internal with an RFC 1918 Self IP address
2. One VLAN on the tagged interface (just one for testing), created on both systems
3. Route domain 0 is associated with the public Self IP/external interface
4. Route domain 1 is associated with the private Self IP/VLAN
It is possible to ping both public IP and private IP for each system in the corresponding networks.
When creating the traffic selector and adding %1 (route domain ID) at the end of the Source IP address, the following message is received:
01070734:3: Configuration error: Source address and destination address cannot be in different route domain
When adding %1 to both the source and destination IP addresses in the traffic selector, a different message is received:
01070734:3: Configuration error: Traffic selector (/Common/ZRHPAL_SEL) and IPsec policy (/Common/ZRHPAL_TUN) cannot be in different route domain
We are stuck here. Please help.
It worked without route domains, but we will need to use route domains and VLANs in the deployment.
- zeiss_63263
Historic F5 Account
Route-Domains + IKEv1 IPsec are now fully supported in 12.0.0. If your IPsec needs to cross route-domains, meaning that the external and internal VLANs are in different route-domains, then IPsec "interface mode" is your best option. You create the IPsec and tunnel configuration in the /Common partition. Create the route-domains (and/or partitions) with internal VLANs and self IPs. Place the IPsec tunnel (interfaces) into the relevant route domain.
- invisible
Nimbostratus
Zeiss, I do appreciate your reply. I did open a ticket with F5, C2412087, and after more than a month of testing and checks I was told that different route domains will not work for our situation.
- kkohegyi_165129
Nimbostratus
Hi,
The "interface" mode IPsec is working between route-domains.
But only one traffic-selector can be associated with an IPsec channel, so it is unusable if you want to use more encrypted subnets.
Thanks for the extra info.
- zeiss_63263
Historic F5 Account
But only one traffic-selector can be associated to IPsec channel
True.
so it is unusable if you want to use more encrypted subnets.
Not quite true.
Interface mode has an additional hidden option whereby you can tell your BIG-IP to ignore the selector and obey the routing table. This means that you can bring up a tunnel using any old traffic-selector and then control the traffic that goes over the tunnel using dynamic or static routing.
For more information, please take a look at K31553030.
- kkohegyi_165129
Nimbostratus
Hi Zeiss,
It is a very interesting feature, but
if I have many IPsec interfaces and only one traffic-selector can be associated with every interface, how can I make sure of the outgoing connections?
Generally the IPsec VPN is bidirectional from a connection point of view. In other words, either side may initiate the connection.
I cannot define "all triggered traffic" with one traffic-selector if I have more remote subnets.
OR do the packets which are forwarded based on the routing table bring up the corresponding tunnel?
Thanks in advance