
BIG-IP Sourced Traffic Over IPSec

I_R_101_110
Cirrus

Good afternoon team,

I am attempting to build an IPSec tunnel between F5s in a multi-cloud environment. Phase 1 comes up but I cannot seem to make my traffic match the traffic selectors. I've tried using several different traffic selectors such as pairs that match the self IPs on the interfaces, the self IPs on the tunnel interfaces, and all zeroes to force a route-based VPN. Even though I explicitly source my pings, traffic never matches the traffic selector. I get zero hits on the traffic selector and tcpdumps reveal that no ESP packets are sent; only IPSec negotiation packets.

 

I just want to know that it's possible to source traffic on the same F5 that the tunnel is built on. I have been successful with other IPSec tunnels with the F5 but never where the F5 is the traffic source.  IPSec on the F5 has always been almost the most convoluted out of all vendors (except for perhaps CP) so it wouldn't surprise me that I am trying for something that isn't even possible. Please community, confirm for me one way or the other. 

Kind regards,

Nicolas

2 REPLIES

Heath_Parrott
F5 Employee

In your config there should be a VLAN associated with the tunnel and you should have a self IP associated with it. For example, let's assume you have a VLAN named TUNNEL_VLAN and you have an address range of 172.16.1.0/30, have assigned 172.16.1.1 to the BIG-IP you are logged in to, and have assigned 172.16.1.2 to the remote end. The traffic selector you have configured at least encompasses that range:

net ipsec traffic-selector selector-vpn-a5294dfd-0 {
    destination-address 172.16.1.0/30
    ipsec-policy ipsec-policy-vpn-a5294dfd-0
    partition LOCAL_ONLY
    source-address 172.16.1.0/30
}

And assuming the rest of your BIG-IP VPN config looks correct (this is an example of a BIG-IP in AWS setting up an IPSEC tunnel), and you are allowing ICMP on your self IPs:

net ipsec ike-peer peer-vpn-a5294dfd-0 {
    lifetime 480
    nat-traversal on
    phase1-auth-method pre-shared-key
    phase1-encrypt-algorithm aes128
    preshared-key-encrypted $M$uF$m+crQ1tis.....
    remote-address X.X.X.X
    version { v1 }
}

net ipsec ipsec-policy ipsec-policy-vpn-a5294dfd-0 {
    ike-phase2-auth-algorithm sha1
    ike-phase2-encrypt-algorithm aes128
    ike-phase2-lifetime 60
    ike-phase2-perfect-forward-secrecy modp1024
    mode interface
    partition LOCAL_ONLY
}

Then the following command should put traffic from your BIG-IP onto the tunnel matching the selector:

ping -I TUNNEL_VLAN 172.16.1.2

David_Gill
Cirrus

You can do this, but first I would recommend two things:

1. Use IKEv2
2. Use Route-based tunnels only with a traffic selector of 0.0.0.0/0 for both the source and destination.

I have yet to come across a piece of equipment where we are unable to successfully build an IKEv2 route-based tunnel. Do take note of https://support.f5.com/csp/article/K31553030

There are two ways to route traffic into the tunnel:

1. Routes are created on the BIG-IP to funnel traffic into the appropriate tunnel. One issue with this solution is that if you have multiple tunnels terminating on the same BIG-IP then traffic can flow from one tunnel to the other based on these routes. This may be good or bad depending on your requirement.

2. A virtual server is created for each of the individual routes that must be reached through the tunnel on the remote network. This virtual server will have a pool with one member which points to the far end of the transport tunnel. The virtual server will also listen only to the source IP and/or VLAN you choose. Use this option if you want to ensure that traffic cannot flow between tunnels.
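Putting the two replies together, here is an added tmsh example (not from the original thread, and not F5's own published configuration) of an IKEv2, route-based tunnel with 0.0.0.0/0 selectors whose traffic is sourced from the BIG-IP itself, followed by both ways of steering traffic into it that the second reply describes. Every name and address in it is an assumed placeholder: the objects `pol_site_b`, `ts_site_b`, `peer_site_b`, `tun_site_b`, `rt_site_b`, `pool_tun_site_b`, `vs_to_site_b`, the VLAN `internal`, the endpoint addresses 203.0.113.10 (local) and 198.51.100.20 (remote), the tunnel /30 172.16.1.0/30 and the remote network 10.20.0.0/16. The pre-shared key is a placeholder to be replaced, and property names should be checked against the tmsh reference for your TMOS version before pasting.

```tmsh
# Assumed addressing (placeholders, not from the thread):
#   local external self IP     203.0.113.10   (tunnel endpoint on this BIG-IP)
#   remote peer public IP      198.51.100.20
#   tunnel inside addresses    172.16.1.1 (local) / 172.16.1.2 (remote), /30
#   remote network behind peer 10.20.0.0/16

# Phase 2 policy. "mode interface" is what makes the tunnel route-based:
# traffic enters it because routing points at the tunnel, not because of the selector.
create net ipsec ipsec-policy pol_site_b \
    mode interface protocol esp \
    ike-phase2-encrypt-algorithm aes256 \
    ike-phase2-auth-algorithm sha256 \
    ike-phase2-perfect-forward-secrecy modp2048 \
    ike-phase2-lifetime 1440

# Route-based selector: match everything in both directions.
create net ipsec traffic-selector ts_site_b \
    source-address 0.0.0.0/0 destination-address 0.0.0.0/0 \
    direction both action protect ipsec-policy pol_site_b

# IKEv2 peer. With IKEv2 the selector is referenced from the peer as well as the policy.
create net ipsec ike-peer peer_site_b \
    version replace-all-with { v2 } \
    remote-address 198.51.100.20 \
    my-id-type address my-id-value 203.0.113.10 \
    peers-id-type address peers-id-value 198.51.100.20 \
    phase1-auth-method pre-shared-key preshared-key "REPLACE-WITH-A-LONG-RANDOM-PSK" \
    phase1-encrypt-algorithm aes256 phase1-hash-algorithm sha256 \
    phase1-perfect-forward-secrecy modp2048 \
    nat-traversal on lifetime 1440 \
    traffic-selector replace-all-with { ts_site_b }

# The IPsec tunnel interface and a self IP on it. Traffic the BIG-IP originates
# towards the far end is sourced from this self IP.
create net tunnels tunnel tun_site_b profile ipsec \
    local-address 203.0.113.10 remote-address 198.51.100.20 \
    traffic-selector ts_site_b
create net self self_tun_site_b address 172.16.1.1/30 vlan tun_site_b \
    allow-service replace-all-with { default }

# Option 1 (routes): anything for 10.20.0.0/16 is sent down the tunnel interface.
# With several tunnels on the box, these routes also let traffic cross between them.
create net route rt_site_b network 10.20.0.0/16 interface tun_site_b

# Option 2 (a virtual server per remote route): a forwarding virtual that only
# listens on the chosen ingress VLAN and next-hops to the far tunnel address.
# Address translation is disabled so the pool member acts as a gateway, not a target;
# the remote network is never in the routing table, so tunnels cannot reach each other.
create ltm pool pool_tun_site_b members replace-all-with { 172.16.1.2:any } \
    monitor gateway_icmp
create ltm virtual vs_to_site_b destination 10.20.0.0:any mask 255.255.0.0 \
    ip-protocol any profiles replace-all-with { fastL4 } \
    pool pool_tun_site_b translate-address disabled translate-port disabled \
    vlans replace-all-with { internal } vlans-enabled

save sys config

# Checks. Phase 1 and phase 2 SAs should both be present before any ping works;
# the tcpdump should show ESP (IP protocol 50) leaving, not only UDP/500 and UDP/4500.
show net ipsec ike-sa
show net ipsec ipsec-sa
run util bash -c "tcpdump -ni 0.0 -c 20 'ip proto 50 or udp port 500 or udp port 4500'"
run util bash -c "ping -c 3 -I 172.16.1.1 172.16.1.2"
```

Use option 1 or option 2, not both, for the same remote prefix. If the ping still produces no ESP, the usual culprits are the selector not being referenced from the IKEv2 peer, a self IP missing on the tunnel, or the ping being sourced from an address that is not the tunnel self IP.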