tunnel
7 Topics

During ike rekey in a s2s IPsec config some tunnels won't reestablish
Hi, I would like some help regarding an IPsec problem we are experiencing in our DC. We have a few different route domains in our F5. Two different RDs are configured for IPSec to two different remote sites. The only thing common between the two connections is that both remote devices are Cisco ASAs. One is an ASA5520 on 7.2(4) and the other one is an ASA5585 on 9.2(4)14.

Here are the details of the IPsec configuration:

PHASE1
Version: IKE v1
Authentication algorithm: SHA-1
Encryption algorithm: AES256
Perfect forward secrecy/dh-group: MODP1536
Lifetime: 1440
Authentication method: PSK
Mode: Main
NAT Traversal: ON
DPD Delay: 30 sec
Replay window size: 64 packets

PHASE2
IPsec protocol: ESP
Mode: Tunnel
Authentication algorithm: SHA-1
Encryption algorithm: AES256
Perfect forward secrecy: MODP1536
Lifetime: 1440

It has been verified by both sides multiple times that the configuration is exactly the same. Also, we are the ones using NAT-T. We have an external router where the public IP address is NATed to the F5.

The problem is that during IKE rekeying some tunnels won't reestablish. Only some will, but not all. For example, in one IPsec there are 3 traffic selectors. Traffic is flowing through all 3 of them when everything is fine. After the rekeying only one will work and we have to clear the whole IPsec to make it work again.

What we found so far is that the ASAs will start rekeying at 75% of the lifetime (so in our case around 18 hours): https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#vpndisc According to this document it's not a problem. However, almost always the tunnels won't come up. (There have been a few occasions when for some magical reason they came up, but it's pretty rare..)

Log from the ASA when rekeying starts at 18 hours:

Mar 7 02:50:51 asa %ASA-4-113019: Group = 1.2.3.4, Username = 1.2.3.4, IP = 1.2.3.4, Session disconnected. Session Type: IPSecLAN2LANOverNatT, Duration: 18h:00m:29s, Bytes xmt: 4133553397, Bytes rcv: 2396963220, Reason: IKE Delete

Here are the logs from the racoonctl log, as it is too long to paste here: https://pastebin.com/H39ZbYLS

So the conclusion so far is that there is traffic between the peer IPs, even when the problem occurs. The traffic in the IPsec SAs goes back and forth continuously. When the IKE rekey happens the old IKE SA closes and a new one is created and the IPsec SAs are renewed. For a second the traffic in the IPsec SAs breaks but then continues to flow once again. But when the error happens not every IPsec SA reestablishes and we can only see timeouts in the logs.

I hope you can help. The clients are a "bit" mad about this issue. Thanks.

Help needed to Explain what Vlan and Tunnel Traffic is for?
Hi, I am new to F5 and I am trying to configure a new virtual server. One of the parameters is the vlan and tunnel traffic, which by default is enabled. Help needed here to explain what this is for? If I configure my virtual server to have its virtual address in VLAN_3, and I enable vlan traffic only on VLAN-3, does this mean only requests sourced from the VLAN-3 network will be accepted by the F5 LTM? Thank You

Multiple IPSec tunnels to the same remote peer
Hello everyone, I need to load balance traffic to a third party with IPSec. I have configured an IPsec tunnel using the IPSec Interface mode, assigning a /30 self-ip to the tunnel and creating a virtual server that forwards the traffic to the node with the tunnel remote IP. All this setup works as expected, but the IPSec tunnel has a bandwidth limitation of 1Gbps and I need to reach 3Gbps.

The problem that I am facing is: when I try to create a new ike-peer with the same destination IP address, I get the error:

01070734:3: Configuration error: remote-address (a.a.a.a) is also used by ike-peer (/Common/peer1)

Does someone know how I can create multiple IPsec tunnels to the same remote IP? I can add different IPs on the local side, but not on the remote one. Regards and thanks in advance

nexthop and tunnel - is that working for VIP to VIP?
Hi, Best practice for explicit forward proxy with SSL Intercept is to set up BIG-IP like that:

proxy VS - explicit HTTP profile with tunnel configured (via Tunnel Name option), Default Connect Handling option set to Deny. This is the main VS - clients are using its IP and port as proxy
HTTPS VS - standard reverse type HTTP profile, client/server SSL profiles attached, VS Enabled on tunnel configured via explicit HTTP profile attached to proxy VS (see above). Can be set to listen on port 443 or any other port, or all ports.
tunnel used is defined as tcp-forward type

Above config is working without issue, all CONNECT type requests are passed to HTTPS VS via configured tunnel.

Considering the above I hoped that it's possible to use a similar setup using an iRule with the nexthop command configured like that: nexthop "tcp-forward type tunnel name" (used as well /Common/tunel_name)

But I never managed to pass any traffic via this tunnel - the CLIENT_ACCEPTED event was never triggered on the VS enabled on the tunnel used in nexthop.

Is it possible to use nexthop like that? If so, how to do that:
* in which event should it be called - or does it not matter?
* what tunnel type can be used - if not tcp-forward type?

Piotr

F5 BIG-IP Unicast VXLAN-GPE Tunnel Sample Config
Hello Everyone, I'm looking for a Unicast VXLAN-GPE Tunnel Sample Config on BIG-IP. It will be a great help if anyone can share or point to documentation. I already checked the official documentation but that is only available for the VXLAN-GPE multicast scenario, but in my case it's a unicast tunnel. Also, I want to use IPv4 as the next protocol; it looks like ethernet is used by default and I don't see in the documentation how to change it to IPv4.

You can configure a VXLAN Generic Protocol Extension (GPE) tunnel when you want to add fields to the VXLAN header. One of these fields is Next Protocol, with values for Ethernet, IPv4, IPv6, and Network Service Header (NSH).

Thanks!

Using the WAF instead of a jump server for ssh-tunneling?
Hello everyone, This is how it works at the moment: We go from server A, in the internal network, with a public IP via ssh to a jump server in the DMZ. From the jump server we then go on to server B in the secure zone. I am relatively new to this and have been given the task of seeing if the WAF can replace the jump server. We use Advanced Web Application Firewall, r2600 with BIG-IP 17.1.1.3. Is this possible and what do we need for it? Thank you in advance for your help! Best regards.