Forum Discussion
LTM 13.0 Unable to create IPSec with traffic domain other than 0
Hi,
The "interface" mode IPsec is working between route domains.
But only one traffic-selector can be associated with an IPsec channel, so it is unusable if you want to use more encrypted subnets.
- boneyard, Dec 23, 2017 (MVP)
Thanks for the extra info.
- zeiss_63263, Dec 24, 2017 (Historic F5 Account)
> But only one traffic-selector can be associated to IPsec channel
True.
> so it is unusable if you want to use more encrypted subnets.
Not quite true.
Interface mode has an additional hidden option whereby you can tell your BIG-IP to ignore the selector and obey the routing table. This means that you can bring up a tunnel using any old traffic-selector and then control the traffic that goes over the tunnel using dynamic or static routing.
For more information, please take a look at K31553030.
- kkohegyi_165129, Jan 10, 2018 (Nimbostratus)
Hi Zeiss,
It is a very interesting feature, but:
If I have many IPsec interfaces and only one traffic-selector can be associated with each interface, how can I make sure of the outgoing connections?
Generally the IPsec VPN is bidirectional from a connection point of view. In other words, either side may initiate the connection.
I cannot define "all triggered traffic" with one traffic-selector if I have more remote subnets.
Or do the packets which are forwarded based on the routing table bring up the corresponding tunnel?
Thanks in advance