VPN DTLS

Question

Hi DevCentral,&nbsp;I read that the performance when we use VPN (edge Client) can be improve if the DTLS is activated. Currently, we use only VPN through HTTPS. If I activate DTLS on the VPN profile and after creating a virtual server, how I can check if the tunnel is established with DTLS protocol ?&nbsp;And currently, our F5 is behind a firewall. I have a rule to allow HTTPS from Internet to the public IP of our F5. I need to had a rule to allow UDP_4433 also between Internet and the F5 ?&nbsp;BR

simon_blakely · Answer

In the EdgeClient   Details &gt;&gt; Connection Details shows whether DTLS is being used.&nbsp;It is also recorded in the APM logs.&nbsp;&gt; I need to had a rule to allow UDP_4433 also between Internet and the F5 ?&nbsp;Yes.

jerome_carrier · Answer

Hello,​Thank you for your answer. When the dtls will be activated on the profile and the VS created, is it mandatory to create a new Edge install package and deploy it on the users laptops or the existing client already deployed on user computer will detect automatically the new configuration and based the communication with dtls protocol?​BR

simon_blakely · Answer

The client picks up the connection information when it connects, so you don't need to update the install package.&nbsp;Make sure your client-ssl profile supports DTLSv1, as well.&nbsp;K54955814:&nbsp;&nbsp;How to create a DTLS Virtual Server for Network Access VPN

jerome_carrier · Answer

&nbsp;we have this configuration about the client-ssl profile.. is-it correct ?

simon_blakely · Answer

Looks good to me:# tmm --clientciphers '!SSLv3:!DHE:ECDHE:RSA+HIGH:!3DES'
       ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM             SHA256  ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1   AES                 SHA     ECDHE_RSA
 2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  AES                 SHA     ECDHE_RSA
 3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES                 SHA     ECDHE_RSA
 4: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  AES                 SHA256  ECDHE_RSA
 5: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  AES-GCM             SHA384  ECDHE_RSA
 6: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1   AES                 SHA     ECDHE_RSA
 7: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  AES                 SHA     ECDHE_RSA
 8: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  AES                 SHA     ECDHE_RSA
 9: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  AES                 SHA384  ECDHE_RSA
10: 52392  ECDHE-RSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305   NULL    ECDHE_RSA
11:   157  AES256-GCM-SHA384                256  TLS1.2  AES-GCM             SHA384  RSA
12:    53  AES256-SHA                       256  TLS1   AES                 SHA     RSA
13:    53  AES256-SHA                       256  TLS1.1  AES                 SHA     RSA
14:    53  AES256-SHA                       256  TLS1.2  AES                 SHA     RSA
15:    53  AES256-SHA                       256  DTLS1  AES                 SHA     RSA
16:    61  AES256-SHA256                    256  TLS1.2  AES                 SHA256  RSA
17:   132  CAMELLIA256-SHA                  256  TLS1   CAMELLIA            SHA     RSA
18:   132  CAMELLIA256-SHA                  256  TLS1.1  CAMELLIA            SHA     RSA
19:   132  CAMELLIA256-SHA                  256  TLS1.2  CAMELLIA            SHA     RSAshows a DTLSv1 cipher.

Forum Discussion

VPN DTLS

5 Replies

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

Errors with AS3 3.56.0 with F5 17.5.1.6

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

migrate from serie I to R. Cluster LTM-GTM

Best Practice guide for enabling Attack signature In BIG-IP ASM

Related Content

APM DTLS Virtual Server iApp

Salesloft Drift, VPNs and Roundup

DTLS Echo iRule

SSL VPN Split Tunneling and Office 365

Example of F5 VPN Automation

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS