For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

invisible's avatar
invisible
Icon for Nimbostratus rankNimbostratus
Apr 18, 2017

LTM 13.0 Unable to create IPSec with traffic domain other than 0

Two F5 LTM VE systems. upgraded to 13.0   The goal is to create IPSec Tunnel when traffic selector is at non-0 Route Domain. IPsec tunnel works(ed) with only route domain 0.   There are: 1. Tw...
application delivery
BIG-IP
big-ip ltm
ipsec
LTM
security
kkohegyi_165129's avatar
kkohegyi_165129
Icon for Nimbostratus rankNimbostratus
Dec 22, 2017

Hi,

 

The “interface” mode IPSec is working between route-domains.

 

But only one traffic-selector can be associated to IPSec channel so it is unusable if you want to use more encrypted subnets.

 

zeiss_63263's avatar
zeiss_63263
Historic F5 Account
Dec 24, 2017

But only one traffic-selector can be associated to IPsec channel

 

True.

 

so it is unusable if you want to use more encrypted subnets.

 

Not quite true.

 

Interface mode has an additional hidden option whereby you can tell your BIG-IP to ignore the selector and obey the routing table. This means that you can bring up a tunnel using any old traffic-selector and then control the traffic that goes over the tunnel using dynamic or static routing.

 

For more information, please take a look at K31553030.