Forum Discussion
mr_evil_116524
Nimbostratus
Jun 01, 2013Need Help : Setting up IPSEC between two big-IPs
Hello All,
I am trying to set up IPSEC between two BIG-IPs and I have followed the following documentation regarding IPSEC with BIG-IP:
http://support.f5.com/kb/en-us/products/bi...
mr_evil_116524
Nimbostratus
Jun 11, 2013 This is now fixed.
After spending some time with F5 support we found the issue and resolved it.
For future reference, users can follow the guide http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-1/14.html to set up an IPSEC tunnel either between F5s or with any 3rd-party hardware firewall.
Scottie_Cole_13
Nimbostratus
Nov 11, 2013 What was the fix on this? I'm having the same problem and still working with support on it.
mr_evil_116524
Nimbostratus
Nov 11, 2013 Man, this was a mission to get working; to be honest, it was very simple... now that I have, what, 3 different IPSEC tunnels. I take it you have created the Peer List, Traffic Selector List and IPsec Policy List? Have you also created forwarding VIPs? You should have two forwarding VIPs, one for IN and the other for OUT. DO NOTE that when you are in the Traffic Selector List, do not specify any port; just allow all ports. You will control ports at the VIP level. Let me explain the VIPs. Say your F5 A has an internal network of 192.168.0.0/20 and F5 B has 10.10.0.0/20. You create one VIP where the source is 192.168.0.0/20 and the destination is 10.10.0.0/20, and you create another VIP where the source is 10.10.0.0/20 and the destination is 192.168.0.0/20. All of these VIPs will be forwarding VIPs. Allow *All Ports and *All Protocols (for testing, of course). Once you have all these in place, I would suggest you try to ping from site A to site B and at the same time go to your site A F5 and run the following command: tcpdump -nni 0.0 host and icmp. This will tell you which VIP it is using. Let me know how you go with this.
Scottie_Cole_13
Nimbostratus
Nov 12, 2013 I finally got the tunnel to come up, but the traffic is still trying to route out to the internet instead of over the IPSec tunnel. Any other ideas?
mr_evil_116524
Nimbostratus
Nov 12, 2013 Ya, I had that issue too, lol. OK, you should check the default gateway for the internet in the F5 and check the peer IP that you are using to set up the IPSEC: are they the same? Also go to your internal server and check what IP address you get when you go to www.whatismyip.com; see what you get. Do they all match? I think your default gateway is different from what the server has for its internet.
Scottie_82518
Nimbostratus
Nov 13, 2013 I got things to ping when I removed my SNAT rule for the servers. The F5 is our default gateway for all the servers. When the SNAT rule for internet access is enabled, the traffic attempts to route to the internet instead of being protected. When I remove the SNAT, the VPN tunnel works, but of course the internet dies. I'm thinking I may have to do an iRule. I'll keep you posted.
mr_evil_116524
Nimbostratus
Nov 13, 2013 Hi Scottie, it looks like you are doing exactly the same setup as I have done with our F5. Here is what you can do: you can create forwarding VIPs for IPSEC traffic only and create another VIP for your internet with SNAT. So at the end of the day you should have 3 VIPs with respective names. Hope this helps.
mr_evil_116524
Nimbostratus
Nov 13, 2013 The 3rd VIP should be with Source 0.0.0.0/0 and Destination 0.0.0.0/0 with SNAT.
boneyard
MVP
Nov 24, 2013 Can you explain this whole virtual server part a little more? In the documentation they only mention one virtual server; why is there a need for more, and how exactly are these used?
mr_evil_116524
Nimbostratus
Dec 07, 2013 Hi there, you have to realize that with F5 you need to create a listener, which means you will need to create a VIP. And you will need to have two of them: one from your end and the other coming from the other end. A VIP works as a listener; you can also restrict the ports you want to allow and so forth. Hope this explains it.