VPN DTLS

Question

Hi DevCentral,&nbsp;I read that the performance when we use VPN (edge Client) can be improve if the DTLS is activated. Currently, we use only VPN through HTTPS. If I activate DTLS on the VPN profile and after creating a virtual server, how I can check if the tunnel is established with DTLS protocol ?&nbsp;And currently, our F5 is behind a firewall. I have a rule to allow HTTPS from Internet to the public IP of our F5. I need to had a rule to allow UDP_4433 also between Internet and the F5 ?&nbsp;BR

simon_blakely · Answer

In the EdgeClient   Details &gt;&gt; Connection Details shows whether DTLS is being used.&nbsp;It is also recorded in the APM logs.&nbsp;&gt; I need to had a rule to allow UDP_4433 also between Internet and the F5 ?&nbsp;Yes.

jerome_carrier · Answer

Hello,​Thank you for your answer. When the dtls will be activated on the profile and the VS created, is it mandatory to create a new Edge install package and deploy it on the users laptops or the existing client already deployed on user computer will detect automatically the new configuration and based the communication with dtls protocol?​BR

simon_blakely · Answer

The client picks up the connection information when it connects, so you don't need to update the install package.

Make sure your client-ssl profile supports DTLSv1, as well.

K54955814: How to create a DTLS Virtual Server for Network Access VPN

jerome_carrier · Answer

&nbsp;we have this configuration about the client-ssl profile.. is-it correct ?

simon_blakely · Answer

Looks good to me:# tmm --clientciphers '!SSLv3:!DHE:ECDHE:RSA+HIGH:!3DES'
       ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM             SHA256  ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1   AES                 SHA     ECDHE_RSA
 2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  AES                 SHA     ECDHE_RSA
 3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES                 SHA     ECDHE_RSA
 4: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  AES                 SHA256  ECDHE_RSA
 5: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  AES-GCM             SHA384  ECDHE_RSA
 6: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1   AES                 SHA     ECDHE_RSA
 7: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  AES                 SHA     ECDHE_RSA
 8: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  AES                 SHA     ECDHE_RSA
 9: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  AES                 SHA384  ECDHE_RSA
10: 52392  ECDHE-RSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305   NULL    ECDHE_RSA
11:   157  AES256-GCM-SHA384                256  TLS1.2  AES-GCM             SHA384  RSA
12:    53  AES256-SHA                       256  TLS1   AES                 SHA     RSA
13:    53  AES256-SHA                       256  TLS1.1  AES                 SHA     RSA
14:    53  AES256-SHA                       256  TLS1.2  AES                 SHA     RSA
15:    53  AES256-SHA                       256  DTLS1  AES                 SHA     RSA
16:    61  AES256-SHA256                    256  TLS1.2  AES                 SHA256  RSA
17:   132  CAMELLIA256-SHA                  256  TLS1   CAMELLIA            SHA     RSA
18:   132  CAMELLIA256-SHA                  256  TLS1.1  CAMELLIA            SHA     RSA
19:   132  CAMELLIA256-SHA                  256  TLS1.2  CAMELLIA            SHA     RSAshows a DTLSv1 cipher.

Forum Discussion

VPN DTLS

Recent Discussions

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

Related Content

APM DTLS Virtual Server iApp

DTLS Echo iRule

SSL VPN Split Tunneling and Office 365

Example of F5 VPN Automation

Deploying a VPN on the BIG-IP APM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS