Forum Discussion
IPsec between F5 virtual server and its pool member
Hello,
Is it possible to build IPsec tunnel between F5 LTM virtual server and its pool member? Pool member would be Windows 2008 server. So far I have only found the instructions how to configure LAN-to-LAN IPsec between a BIG-IP system which uses Forwarding VS to intercept IPsec traffic and a third-party device which is not pool member.
Thanks.
- vandenhoutenp_9NimbostratusHi, Yes I believe it is. What have you configured up to this point and where is it failing? Thanks Peter
- mvukusicAltocumulusHi, I have followed the instructions in this manual: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-0/11.htmlconceptid I have configured IKE peer, IPsec policy and traffic selector, but instead of Forwarding VS, I have configured standard VS (HTTP) which has pool member which is also configured as IKE peer. What I am trying to achieve is that when I access my VS (that means HTTP to VS address), BIG-IP builds the VPN tunnel with its pool member. When I try to do that there is no indication on either side that any IPsec traffic was sent or received. Thanks.
- vandenhoutenp_9NimbostratusCan you please give an outline of your configuration? Obviously feel free to use fictitious IP's etc! The pool member you are looking to run this IPsec link between, you mentioned it is a Windows Server 2008 node. Does this server have the relevant configuration in place to terminate an IPsec connection?
- mvukusicAltocumulus
Hi,
after playing around with various scenarios I was able to get BIG-IP to send ISAKMP packets towards Windows 2008 server, but I don't receive any response from it. For now let's just use Forwarding VS and not standard VS.
Here is my BIG-IP configuration:
ltm virtual /Common/Forwarding-VS-ipsec-test { destination /Common/0.0.0.0:0 ip-forward mask any profiles { /Common/fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled }
net ipsec ike-peer /Common/test-win2008 { phase1-auth-method pre-shared-key preshared-key-encrypted $M$8L$gsMOhDjrMM/zNlnQ== remote-address 192.168.85.112 verify-cert true }
net ipsec ipsec-policy /Common/test-ipsec-policy { ike-phase2-auth-algorithm sha1 ike-phase2-encrypt-algorithm 3des ike-phase2-lifetime 480 mode tunnel tunnel-local-address 192.168.85.171 tunnel-remote-address 192.168.85.112 }
net ipsec traffic-selector /Common/test-ipsec-traffic-selector { destination-address 192.168.85.112/32 ipsec-policy /Common/test-ipsec-policy source-address 0.0.0.0/0 }
And here are the setting of IP Security Policy on Windows 2008: IP Filter = Any to Any IP address and port Filter Action = Negotiate Security >> Methods: 3DES/SHA1 Authentication methods = Preshared key (same key as on BIG-IP) Tunnel endpoint = 192.168.85.171 Connection type = All network connections Assigned = Yes Windows Firewall is OFF, IKE and IPsec services are Started.
Here is what I see on BIG-IP (and I see similar on Win2008 server): admin@(BIG-IP)(cfg-sync Standalone)(Active)(/Common)(tmos) tcpdump -i 0.0 udp and port 500 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 15:11:07.735241 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident 15:11:09.555138 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident 15:11:19.568163 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident 15:11:29.580814 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident 15:11:39.593264 IP 192.168.85.171.isakmp > 192.168.85.112.isakmp: isakmp: phase 1 I ident
- John_Ogle_45372Nimbostratus
Any update on this? Has anyone else performed this configuration of IPSec to the pool member(s).
thank you,
- mvukusicAltocumulus
Hello,
sorry for not posting this earlier, after some pain, I was able to get this to work myself.
These two links have served as guides, but it is necessary to do some additional work to get things to work:
F5 configuration: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-0/11.html
Windows configuration: http://www.caryglobal.com/miklos/post/How-to-configure-IPSec-on-Windows-20008---Example-and-detailed-steps.aspx
F5 configuration consists of 4 steps:
-
First configure the standard VS with two HTTP pool members (Forwarding VS is not required). No SNAT, members had BIG-IP as the default gateway.
-
Next configure IKE peers (go to Network > IPsec > IKE peers). The IKE peers are two pool members from VS configured in first step. They were left with default settings of Phase 1 algorithms (SHA-1, 3DES, MODP1024, 1440 rpm). Select Preshared key authentication. Leave the default Common settings.
-
Go to Network > IPsec > IPsec policy. Configure two IPsec policies, one for each IKE peer. Settings: Tunnel, SHA-1, 3DES, PFS = NONE, Lifetime = 1440 rpm, 0 KB
-
Go to Network > IPsec > Traffic Selector List. Configure two Traffic selectors, one for each IPsec policy. Settings: Source Network IP = 0.0.0.0 / 0, Destination IP = Host , Direction = Both, Action = Protect, IPsec Policy =
Windows configuration consists of two parts, the first is the configuration of the IP Security Policy, the second part is configuration of Windows Firewall. Windows firewall must be ON, while it was OFF the 2nd Phase was not working.
Configuration of IP Security Policy:
- Run mmc.exe console, add the IP Security Policies (on Local Computer) snap-in and create a new policy.
- Under General settings set to generate new key every 1440 min, do not choose the PFS and for the Methods select 3DES, SHA-1 and the corresponding DH group (or repeated for all DH groups, 3DES and SHA-1 are required).
-
Create a new Rule for the IPsec policy:
- Authentication methods = preshared key,
- Tunnel settings = IP address of the BIG-IP,
- Connection type = All network connections
- Filter action = Negotiate security, security method = Custom, Settings ESP = SHA1/3DES, generate new key every 86,400 seconds, leave everything else unchecked
- IP filter = Source address = local address, Destination address = Any, select Mirrored (additional set protocol and port to test all the traffic going in IPsec)
- Apply the settings, then right-click on the created policy and Assign
Configuration of Windows Firewall:
- Run the Windows Firewall with Advanced Security.
- Create a new Connection Security Rule. Settings: Server-to-server, endpoints = Any IP Address, Requirements = Require authentication for inbound and outbound connections, Authentication Method = preshared key (Advanced> Customize), Profile = Domain, Private and Public .
- Edit created Connection Security Rule> go to the Advanced tab> IPsec tunneling> Customize = Mark Use Ipsec tunneling and specify the local and remote tunnel endpoint (local and BIG-IP).
- Right click on the created Connection Security Rule and enable.
In the test traffic was correctly encrypted and balanced between two members. After configuration changes on Windows you need to go through enable/disable IP Security Policy and Connection Security Rule to make things work again.
I would be glad to know if somebody else successfully try this.
-
- John_Ogle_45372Nimbostratus
This is great. Let me ask another question before I attempt to recreate this, today. From reading your notes, it appears that you did NOT use a separate subnet for the IPsec tunnel itself which is what is typically done and shown in the LTM guide. Ex: (windows server subnet)192.168.1.0--10.10.10.1/24->ipsec_tunnel<-10.10.10.2/24--192.168.5.0/24 (pool member subnet)
Are you saying that the self-ip address of the LTM and the ip address of the pool member itself are the IPSec tunnel endpoints (IKE peers)? This would mean that you are load balancing to the pool member ip address which is also the ipsec endpoint. Correct?
Finally, I prefer to use SNAT but I don't think that will be an issue.
Thank you,
- John_Ogle_45372Nimbostratus
What version is your LTM? I don't have the option to set PFS to None.
I am at the point where Windows is not replying back to the initial IKE packets. Ideas on what to check?
Thank you,
- mvukusicAltocumulus
I didn't use separate subnet. Tunnel is betweel LTM's self IP (which may or may be not same as VS IP address) and pool member which has only one IP address and is final endpoint.
I think my version was 11.4.0.
Try to tweak windows firewall features and windows ipsec policy. Check that the tunnel IPs and other settings are mirrored on both sides. Also play around with enable/disable Windows policy and firewall. I had trouble with windows side mostly, LTM part is relatively simple and easy to configure.
- marco_octavian_Nimbostratus
I have a similar config working. I have a pair of LTMs with a standard VS and a pool with three members (Win2008, Win2008, and Win2012).
I configured the tunnel using the floater ip addresses and left the self-ip addresses alone to perform the standard health checking. It's just in a lab but working okay. The Windows side can be really finicky. After a few tries of understand how the "beast" works, it's not too bad.
Also, I put the exact source destination ip addresses (Endpoints) in the Connection Security rule so as to leave my self-ip addresses out of the IPsec logic.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com