
Quick Steps to setting up IPSec on BIG-IP via TMSH or iControl (Azure tested)

Problem this snippet solves:

This lists the TMSH and iControl REST steps required to license and build an IPSec tunnel on a BIG-IP.

How to use this snippet:

Launch a BIG-IP in the cloud and process each step individually in sequence.

Code:

So you've spun up a new instance in Azure or AWS and want to configure IPSec to tunnel back to a BIG-IP in your data center. Minimum configuration begin!

x.x.x.x = BIG-IP mgmt address
a.a.a.a = local IPSec peer public IP (may be a self-IP, or may be NAT'd via an ALB, etc.)
b.b.b.b = local IPSec interface self-IP
m.m.m.m = remote IPSEC peer public IP

1. License the BIG-IP

TMSH:

install sys license registration-key [registration_key]

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/sys/license -X POST -d '{"command":"install","registrationKey":"3FADS-VVMNM-NVMEI-HUGVS-TIFMQEE"}'

RESPONSE: {"kind":"tm:sys:license:installstate","command":"install","registrationKey":"3FADS-VVMNM-NVMEI-HUGVS-TIFMQEE","commandResult":"New license installed\n"}

2. Disable the BIG-IP GUI Setup Wizard

TMSH:

modify sys global-settings gui-setup disabled

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/sys/global-settings -X PATCH -d '{"guiSetup":"disabled"}'

RESPONSE: {"kind":"tm:sys:global-settings:global-settingsstate","selfLink":"https://localhost/mgmt/tm/sys/global-settings?ver=12.1.2","awsApiMaxConcurrency":1,"consoleInactivityTimeout":0,"customAddr":"none","failsafeAction":"go-offline-restart-tm","fileBlacklistPathPrefix":"{/shared/3dns/} {/shared/bin/} {/shared/core/} {/shared/datasync/} {/shared/em/} {/shared/GeoIP/} {/shared/images/} {/shared/lib/} {/shared/lib64/} {/shared/log/} {/shared/lost+found/} {/shared/mgmt/} {/shared/nfb/} {/shared/ssh/} {/shared/statsd/} {/shared/tmstat/} {/shared/vadc/} {/config/aaa/} {/config/big3d/} {/config/bigip/} {/config/filestore/} {/config/gtm/} {/config/httpd/} {/config/ntp.conf} {/config/rndc.key} {/config/ssh/} {/config/ssl/}","fileBlacklistReadOnlyPathPrefix":"{/etc/shadow}","fileLocalPathPrefix":"{/shared/} {/tmp/}","fileWhitelistPathPrefix":"{/var/local/scf} {/tmp/} {/shared/} {/config/} {/usr/share/aws/}","guiSecurityBanner":"enabled","guiSecurityBannerText":"Welcome to the BIG-IP Configuration Utility.\n\nLog in with your username and password using the fields on the left.","guiSetup":"disabled","hostAddrMode":"management","hostname":"bigip.local","lcdDisplay":"enabled","ledLocator":"disabled","mgmtDhcp":"enabled","netReboot":"disabled","passwordPrompt":"Password","quietBoot":"enabled","usernamePrompt":"Username"}

3. Set the BIG-IP hostname

TMSH:

modify sys global-settings hostname [hostname.fqdn]

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/sys/global-settings -X PATCH -d '{"hostname":"myhostname.local"}'

RESPONSE: {"kind":"tm:sys:global-settings:global-settingsstate","selfLink":"https://localhost/mgmt/tm/sys/global-settings?ver=12.1.2","awsApiMaxConcurrency":1,"consoleInactivityTimeout":0,"customAddr":"none","failsafeAction":"go-offline-restart-tm","fileBlacklistPathPrefix":"{/shared/3dns/} {/shared/bin/} {/shared/core/} {/shared/datasync/} {/shared/em/} {/shared/GeoIP/} {/shared/images/} {/shared/lib/} {/shared/lib64/} {/shared/log/} {/shared/lost+found/} {/shared/mgmt/} {/shared/nfb/} {/shared/ssh/} {/shared/statsd/} {/shared/tmstat/} {/shared/vadc/} {/config/aaa/} {/config/big3d/} {/config/bigip/} {/config/filestore/} {/config/gtm/} {/config/httpd/} {/config/ntp.conf} {/config/rndc.key} {/config/ssh/} {/config/ssl/}","fileBlacklistReadOnlyPathPrefix":"{/etc/shadow}","fileLocalPathPrefix":"{/shared/} {/tmp/}","fileWhitelistPathPrefix":"{/var/local/scf} {/tmp/} {/shared/} {/config/} {/usr/share/aws/}","guiSecurityBanner":"enabled","guiSecurityBannerText":"Welcome to the BIG-IP Configuration Utility.\n\nLog in with your username and password using the fields on the left.","guiSetup":"enabled","hostAddrMode":"management","hostname":"myhostname.local","lcdDisplay":"enabled","ledLocator":"disabled","mgmtDhcp":"enabled","netReboot":"disabled","passwordPrompt":"Password","quietBoot":"enabled","usernamePrompt":"Username"}

4. Configure NTP servers

TMSH:

modify sys ntp timezone America/New_York servers add { 0.pool.ntp.org }

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/sys/ntp -X PATCH -d '{"timezone":"America/New_York","servers":["0.pool.ntp.org"]}'

RESPONSE: {"kind":"tm:sys:ntp:ntpstate","selfLink":"https://localhost/mgmt/tm/sys/ntp?ver=12.1.2","servers":["0.pool.ntp.org"],"timezone":"America/New_York","restrictReference":{"link":"https://localhost/mgmt/tm/sys/ntp/restrict?ver=12.1.2","isSubcollection":true}}

5. Create the IPSec Policy

TMSH:

create net ipsec ipsec-policy peer-m.m.m.m ike-phase2-encrypt-algorithm aes-gcm128 ike-phase2-auth-algorithm aes-gcm128 ike-phase2-perfect-forward-secrecy none mode interface protocol esp

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/net/ipsec/ipsec-policy -X POST -d '{"name":"peer-m.m.m.m","ike-phase2-auth-algorithm":"aes-gcm128","ike-phase2-encrypt-algorithm":"aes-gcm128","ike-phase2-perfect-forward-secrecy":"none","mode":"interface"}'

RESPONSE: {"kind":"tm:net:ipsec:ipsec-policy:ipsec-policystate","name":"peer-m.m.m.m","partition":"Common","fullPath":"/Common/peer-m.m.m.m","generation":25,"selfLink":"https://localhost/mgmt/tm/net/ipsec/ipsec-policy/~Common~peer-m.m.m.m?ver=12.1.2","ikePhase2AuthAlgorithm":"aes-gcm128","ikePhase2EncryptAlgorithm":"aes-gcm128","ikePhase2Lifetime":1440,"ikePhase2LifetimeKilobytes":0,"ikePhase2PerfectForwardSecrecy":"none","ipcomp":"none","mode":"interface","protocol":"esp","tunnelLocalAddress":"any6","tunnelRemoteAddress":"any6"}

6. Create the IPSec Traffic Selector

TMSH:

create net ipsec traffic-selector peer-m.m.m.m source-address 0.0.0.0/0 destination-address 0.0.0.0/0 order 0 action protect direction both ip-protocol 255 ipsec-policy peer-m.m.m.m

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/net/ipsec/traffic-selector -X POST -d '{"name":"peer-m.m.m.m","action":"protect","destinationAddress":"0.0.0.0/0","destinationPort":0,"sourceAddress":"0.0.0.0/0","sourcePort":0,"order":0,"ipsecPolicy":"peer-m.m.m.m"}'

RESPONSE: {"kind":"tm:net:ipsec:traffic-selector:traffic-selectorstate","name":"peer-m.m.m.m","partition":"Common","fullPath":"/Common/peer-m.m.m.m","generation":26,"selfLink":"https://localhost/mgmt/tm/net/ipsec/traffic-selector/~Common~peer-m.m.m.m?ver=12.1.2","action":"protect","destinationAddress":"0.0.0.0/0","destinationPort":0,"direction":"both","ipProtocol":255,"ipsecPolicy":"/Common/peer-m.m.m.m","ipsecPolicyReference":{"link":"https://localhost/mgmt/tm/net/ipsec/ipsec-policy/~Common~peer-m.m.m.m?ver=12.1.2"},"order":0,"sourceAddress":"0.0.0.0/0","sourcePort":0}

7. Set the default IPSec traffic selector to higher order

TMSH:

modify net ipsec traffic-selector default-traffic-selector-interface order 100

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/net/ipsec/traffic-selector/default-traffic-selector-interface -X PATCH -d '{"order":100}'

RESPONSE: {"kind":"tm:net:ipsec:traffic-selector:traffic-selectorstate","name":"default-traffic-selector-interface","fullPath":"default-traffic-selector-interface","generation":28,"selfLink":"https://localhost/mgmt/tm/net/ipsec/traffic-selector/default-traffic-selector-interface?ver=12.1.2","action":"protect","destinationAddress":"::/0","destinationPort":0,"direction":"both","ipProtocol":255,"ipsecPolicy":"/Common/default-ipsec-policy-interface","ipsecPolicyReference":{"link":"https://localhost/mgmt/tm/net/ipsec/ipsec-policy/~Common~default-ipsec-policy-interface?ver=12.1.2"},"order":100,"sourceAddress":"::/0","sourcePort":0}

8. Create the IKE peer

TMSH:

create net ipsec ike-peer peer-m.m.m.m my-id-type address my-id-value a.a.a.a peers-id-type address peers-id-value m.m.m.m phase1-auth-method pre-shared-key phase1-encrypt-algorithm aes256 phase1-hash-algorithm sha256 phase1-perfect-forward-secrecy modp1024 preshared-key mypresharedkey prf sha256 remote-address m.m.m.m version replace-all-with { v2 } mode main traffic-selector add { peer-m.m.m.m } nat-traversal on passive false generate-policy off

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/net/ipsec/ike-peer -X POST -d '{"name":"peer-m.m.m.m","myIdType":"address","myIdValue":"a.a.a.a","peersIdType":"address","peersIdValue":"m.m.m.m","phase1AuthMethod":"pre-shared-key","phase1EncryptAlgorithm":"aes256","phase1HashAlgorithm":"sha256","phase1PerfectForwardSecrecy":"modp1024","prf":"sha256","presharedKey":"myTunnel1234!","remoteAddress":"m.m.m.m","version":["v2"],"dpdDelay":30,"lifetime":1440,"mode":"main","natTraversal":"on","passive":"false","generatePolicy":"off","trafficSelector":["peer-m.m.m.m"]}'

RESPONSE: {"kind":"tm:net:ipsec:ike-peer:ike-peerstate","name":"peer-m.m.m.m","partition":"Common","fullPath":"/Common/peer-m.m.m.m","generation":33,"selfLink":"https://localhost/mgmt/tm/net/ipsec/ike-peer/~Common~peer-m.m.m.m?ver=12.1.2","dpdDelay":30,"generatePolicy":"off","lifetime":1440,"mode":"main","myIdType":"address","myIdValue":"x.x.x.x","natTraversal":"on","passive":"false","peersCertType":"none","peersIdType":"address","peersIdValue":"m.m.m.m","phase1AuthMethod":"pre-shared-key","phase1EncryptAlgorithm":"aes256","phase1HashAlgorithm":"sha256","phase1PerfectForwardSecrecy":"modp1024","presharedKeyEncrypted":"$M$kg$FeIo0kbjr9XJq+wsRXJFkQ==","prf":"sha256","proxySupport":"enabled","remoteAddress":"m.m.m.m","replayWindowSize":64,"state":"enabled","trafficSelector":["/Common/peer-m.m.m.m"],"trafficSelectorReference":[{"link":"https://localhost/mgmt/tm/net/ipsec/traffic-selector/~Common~peer-m.m.m.m?ver=12.1.2"}],"verifyCert":"false","version":["v2"]}

9. Create tunnel profile

TMSH:

create net tunnels ipsec peer-m.m.m.m traffic-selector peer-m.m.m.m defaults-from ipsec

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/net/tunnels/ipsec -X POST -d '{"name":"peer-m.m.m.m","trafficSelector":"peer-m.m.m.m"}'

RESPONSE: {"kind":"tm:net:tunnels:ipsec:ipsecstate","name":"peer-m.m.m.m","partition":"Common","fullPath":"/Common/peer-m.m.m.m","generation":34,"selfLink":"https://localhost/mgmt/tm/net/tunnels/ipsec/~Common~peer-m.m.m.m?ver=12.1.2","defaultsFrom":"/Common/ipsec","defaultsFromReference":{"link":"https://localhost/mgmt/tm/net/tunnels/ipsec/~Common~ipsec?ver=12.1.2"},"trafficSelector":"/Common/peer-m.m.m.m","trafficSelectorReference":{"link":"https://localhost/mgmt/tm/net/ipsec/traffic-selector/~Common~peer-m.m.m.m?ver=12.1.2"}}

10. Create the tunnel

TMSH:

create net tunnels tunnel peer-m.m.m.m idle-timeout 300 mode bidirectional profile peer-m.m.m.m tos preserve local-address b.b.b.b remote-address m.m.m.m

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/net/tunnels/tunnel -X POST -d '{"name":"peer-m.m.m.m","idleTimeout": 300,"mode": "bidirectional","profile":"peer-m.m.m.m","tos": "preserve","localAddress":"b.b.b.b","remoteAddress":"m.m.m.m"}'

RESPONSE: {"kind":"tm:net:tunnels:tunnel:tunnelstate","name":"peer-m.m.m.m","partition":"Common","fullPath":"/Common/peer-m.m.m.m","generation":35,"selfLink":"https://localhost/mgmt/tm/net/tunnels/tunnel/~Common~peer-m.m.m.m?ver=12.1.2","autoLasthop":"default","idleTimeout":300,"ifIndex":128,"key":0,"localAddress":"b.b.b.b","mode":"bidirectional","mtu":0,"profile":"/Common/peer-m.m.m.m","profileReference":{"link":"https://localhost/mgmt/tm/net/tunnels/ipsec/~Common~peer-m.m.m.m?ver=12.1.2"},"remoteAddress":"m.m.m.m","secondaryAddress":"any6","tos":"preserve","transparent":"disabled","usePmtu":"enabled"}

11. Create the self-IP for the tunnel route

TMSH:

create net self peer-m.m.m.m address 1.1.1.1/32 allow-service all traffic-group traffic-group-local-only vlan peer-m.m.m.m

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/net/self -X POST -d '{"name":"peer-m.m.m.m","address":"1.1.1.1/32","vlan":"peer-m.m.m.m","traffic-group":"traffic-group-local-only","allowService":"all"}'

RESPONSE: {"kind":"tm:net:self:selfstate","name":"peer-m.m.m.m","partition":"Common","fullPath":"/Common/peer-m.m.m.m","generation":40,"selfLink":"https://localhost/mgmt/tm/net/self/~Common~peer-m.m.m.m?ver=12.1.2","address":"1.1.1.1/32","addressSource":"from-user","floating":"disabled","inheritedTrafficGroup":"false","trafficGroup":"/Common/traffic-group-local-only","trafficGroupReference":{"link":"https://localhost/mgmt/tm/cm/traffic-group/~Common~traffic-group-local-only?ver=12.1.2"},"unit":0,"vlan":"/Common/peer-m.m.m.m","vlanReference":{"link":"https://localhost/mgmt/tm/net/tunnels/tunnel/~Common~peer-m.m.m.m?ver=12.1.2"},"allowService":"all"}

12. Create the static route for the tunnel

TMSH:

create net route peer-m.m.m.m interface peer-m.m.m.m network 10.0.0.0/8 mtu 0

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/net/route -X POST -d '{"name":"peer-m.m.m.m","tmInterface": "/Common/peer-m.m.m.m","network": "10.0.0.0/8","mtu":0}'

RESPONSE: {"kind":"tm:net:route:routestate","name":"peer-m.m.m.m","partition":"Common","fullPath":"/Common/peer-m.m.m.m","generation":43,"selfLink":"https://localhost/mgmt/tm/net/route/~Common~peer-m.m.m.m?ver=12.1.2","tmInterface":"/Common/peer-m.m.m.m","tmInterfaceReference":{"link":"https://localhost/mgmt/tm/net/tunnels/tunnel/~Common~peer-m.m.m.m?ver=12.1.2"},"mtu":0,"network":"10.0.0.0/8"}

13. Create the IP forwarding virtual listener

TMSH:

create ltm virtual ip_forwarder destination 0.0.0.0:any ip-protocol any mask 0.0.0.0 source 0.0.0.0/0 source-address-translation { type none } source-port preserve profiles add { fastL4 } ip-forward

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/ltm/virtual -X POST -d '{"name":"ip_forwarding_vs","destination":"/Common/0.0.0.0:0","ipProtocol":"any","mask":"0.0.0.0","source":"0.0.0.0/0","sourceAddressTranslation":{"type":"none"},"sourcePort":"preserve","profiles":["fastL4"],"ipForward":true}'

RESPONSE: {"kind":"tm:ltm:virtual:virtualstate","name":"ip_forwarding_vs","partition":"Common","fullPath":"/Common/ip_forwarding_vs","generation":46,"selfLink":"https://localhost/mgmt/tm/ltm/virtual/~Common~ip_forwarding_vs?ver=12.1.2","addressStatus":"yes","autoLasthop":"default","cmpEnabled":"yes","connectionLimit":0,"destination":"/Common/0.0.0.0:0","enabled":true,"gtmScore":0,"ipProtocol":"any","mask":"255.255.255.255","mirror":"disabled","mobileAppTunnel":"disabled","nat64":"disabled","rateLimit":"disabled","rateLimitDstMask":0,"rateLimitMode":"object","rateLimitSrcMask":0,"serviceDownImmediateAction":"none","source":"0.0.0.0/0","sourceAddressTranslation":{"type":"none"},"sourcePort":"preserve","synCookieStatus":"not-activated","translateAddress":"disabled","translatePort":"disabled","vlansDisabled":true,"vsIndex":5,"policiesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~ip_forwarding_vs/policies?ver=12.1.2","isSubcollection":true},"profilesReference":{"link":"https://localhost/mgmt/tm/ltm/virtual/~Common~ip_forwarding_vs/profiles?ver=12.1.2","isSubcollection":true}}

14. Disable the ipsec.if.checkpolicy db variable

TMSH:

modify sys db ipsec.if.checkpolicy value disable

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/sys/db -X PATCH -d '{"ipsec.if.checkpolicy":"disable"}'

15. Save the configuration

TMSH:

save sys config

iCONTROL REST:

curl -sk -H "Content-type: application/json" -u myusername:mypassword https://x.x.x.x/mgmt/tm/sys/config -X POST -d '{"command":"save"}'

RESPONSE: {"kind":"tm:sys:config:savestate","command":"save"}
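Running the IPSec-specific REST steps (5 to 10 and 15) from one script that checks each reply, as an added example that is not part of the original article. It assumes the environment variables BIGIP_HOST (x.x.x.x), BIGIP_USER, BIGIP_PASS, PEER (m.m.m.m), LOCAL_ID (a.a.a.a), TUNNEL_SELF (b.b.b.b), IPSEC_PSK and, optionally, BIGIP_CACERT (a saved copy of the BIG-IP management certificate; without it the script falls back to -k as the commands above do).

```shell
#!/bin/sh
# Added example, not code from the original article: drive the iControl REST steps
# 5, 6, 7, 8, 9, 10 and 15 above as one checked sequence. Assumed environment:
# BIGIP_HOST (x.x.x.x), BIGIP_USER, BIGIP_PASS, PEER (m.m.m.m), LOCAL_ID (a.a.a.a),
# TUNNEL_SELF (b.b.b.b), IPSEC_PSK and optionally BIGIP_CACERT (else -k is used).
set -eu
# One REST call: print the body on 2xx, fail with the body on anything else.
bigip_call() {   # bigip_call METHOD PATH JSON
    if [ -n "${BIGIP_CACERT:-}" ]; then tls="--cacert $BIGIP_CACERT"; else tls="-k"; fi
    out=$(curl -s $tls -u "$BIGIP_USER:$BIGIP_PASS" -H 'Content-type: application/json' \
        -w '\n%{http_code}' -X "$1" "https://$BIGIP_HOST/mgmt/tm$2" -d "$3")
    code=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d')
    case $code in 2??) printf '%s\n' "$body" ;;
        *) echo "HTTP $code from $1 $2: $body" >&2; return 1 ;; esac
}
# True when the reply's "kind" is the object type the step should create (the strings
# shown in the article's RESPONSE lines), so a silently ignored request is caught.
expect_kind() {   # expect_kind JSON KIND
    case $1 in *'"kind":"'"$2"'"'*) return 0 ;; *) return 1 ;; esac
}
# Body for the IKE peer of step 8; the PSK arrives as an argument (from $IPSEC_PSK
# below) so it is never written into the script or the shell history.
ike_peer_body() {   # ike_peer_body NAME LOCAL_ID REMOTE PSK
    printf '{"name":"%s","myIdType":"address","myIdValue":"%s","peersIdType":"address","peersIdValue":"%s","phase1AuthMethod":"pre-shared-key","phase1EncryptAlgorithm":"aes256","phase1HashAlgorithm":"sha256","phase1PerfectForwardSecrecy":"modp1024","prf":"sha256","presharedKey":"%s","remoteAddress":"%s","version":["v2"],"mode":"main","natTraversal":"on","passive":"false","generatePolicy":"off","trafficSelector":["%s"]}' \
        "$1" "$2" "$3" "$4" "$3" "$1"
}
step() {   # step KIND METHOD PATH JSON -> stop the run on an HTTP error or the wrong kind
    resp=$(bigip_call "$2" "$3" "$4")
    expect_kind "$resp" "$1" || { echo "unexpected reply for $3: $resp" >&2; exit 1; }
    echo "ok: $2 $3"
}
run_ipsec_steps() {
    n="peer-$PEER"
    step tm:net:ipsec:ipsec-policy:ipsec-policystate POST /net/ipsec/ipsec-policy \
        "{\"name\":\"$n\",\"ikePhase2AuthAlgorithm\":\"aes-gcm128\",\"ikePhase2EncryptAlgorithm\":\"aes-gcm128\",\"ikePhase2PerfectForwardSecrecy\":\"none\",\"mode\":\"interface\",\"protocol\":\"esp\"}"
    step tm:net:ipsec:traffic-selector:traffic-selectorstate POST /net/ipsec/traffic-selector \
        "{\"name\":\"$n\",\"action\":\"protect\",\"sourceAddress\":\"0.0.0.0/0\",\"destinationAddress\":\"0.0.0.0/0\",\"order\":0,\"ipsecPolicy\":\"$n\"}"
    step tm:net:ipsec:traffic-selector:traffic-selectorstate PATCH \
        /net/ipsec/traffic-selector/default-traffic-selector-interface '{"order":100}'
    step tm:net:ipsec:ike-peer:ike-peerstate POST /net/ipsec/ike-peer \
        "$(ike_peer_body "$n" "$LOCAL_ID" "$PEER" "$IPSEC_PSK")"
    step tm:net:tunnels:ipsec:ipsecstate POST /net/tunnels/ipsec "{\"name\":\"$n\",\"trafficSelector\":\"$n\"}"
    step tm:net:tunnels:tunnel:tunnelstate POST /net/tunnels/tunnel \
        "{\"name\":\"$n\",\"idleTimeout\":300,\"mode\":\"bidirectional\",\"profile\":\"$n\",\"tos\":\"preserve\",\"localAddress\":\"$TUNNEL_SELF\",\"remoteAddress\":\"$PEER\"}"
    step tm:sys:config:savestate POST /sys/config '{"command":"save"}'
}
# Only talk to a target when one is set, so the helpers can also be sourced for reuse.
if [ -n "${BIGIP_HOST:-}" ]; then run_ipsec_steps; fi
```

Steps 1 to 4 and 11 to 14 follow the same pattern and can be added as further step lines with the kind values from their RESPONSE lines above.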

Tested this on version:

13.0
Published Aug 13, 2019
Version 1.0