Manual Chapter : Common Elements for IPsec IKE peer tasks

Applies To:


BIG-IP AFM

  • 15.0.0, 14.1.0

BIG-IP ASM

  • 15.0.0, 14.1.0

BIG-IP AAM

  • 15.0.0, 14.1.0

BIG-IP APM

  • 15.0.0, 14.1.0

BIG-IP LTM

  • 15.0.0, 14.1.0
Common Elements for IPsec IKE peer tasks

The IKE peer object identifies, to the BIG-IP system you are configuring, the remote BIG-IP system with which it communicates during Phase 1 negotiations. The IKE peer object also specifies the algorithms and credentials used for Phase 1 negotiation.
You must perform these steps on both BIG-IP systems. The two definitions must agree on IKE version, Phase 1 algorithms, and credentials, or the tunnel does not come up.
  1. On the Main tab, click Network > IPsec > IKE Peers.
    The IKE Peers screen opens.
  3. Click the Create button.
    The New IKE Peer screen opens.
  4. In the Name field, type a unique name for the IKE peer.
  5. In the Description field, type a brief description of the IKE peer.
  6. In the Remote Address field, type the IP address of the BIG-IP system that is remote to the system you are configuring.
    For inbound traffic, this address must match the Source IP Address value (or fall within its network) in the inbound traffic selector you previously created. For outbound traffic, this address must match the Destination IP Address value (or fall within its network) in the outbound traffic selector you previously created.
    For example, for inbound traffic, if the source IP address specified in the traffic selector is 20.0.0.0, then a valid Remote Address value is 20.0.0.2.
  7. In the Remote Address field, type the IP address of the BIG-IP system that is remote to the system you are configuring, or the public IP address of the firewall or other NAT device that is in front of the remote BIG-IP system.
    This address must match the value of the Tunnel Remote Address setting in the relevant IPsec policy.
  8. In the Remote Address field, type the IP address of the BIG-IP system that is remote to the system you are configuring.
    To specify a route domain ID in an IP address, use the format n.n.n.n%ID.
    When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains.
  9. In the Remote Address field, type the IP address of the device that is remote to the system you are configuring.
    This address must match the value of the Tunnel Remote Address setting in the relevant IPsec policy.
  10. In the Remote Address field, type the public IP address of the firewall or other NAT device that is between the WAN and the remote BIG-IP system.
    This address must match the value of the Tunnel Remote Address setting in the relevant IPsec policy.
  11. For the State setting, retain the default value, Enabled.
  12. For the State setting, select Disabled.
  13. For the Version setting, select either version or both versions.
    To successfully create an IPsec tunnel, the remote IKE peer must use the same version.
    Currently, IKEv2 is supported only for Tunnel mode, which you specify when you create the IPsec policy. Some parameters are supported only by IKEv1, as indicated on the IKE Peer screens.
    If you select both versions:
    • And the system you are configuring is the IPsec initiator, the system tries using IKEv2 for negotiation. If the remote peer does not support IKEv2, the IPsec tunnel fails. To use IKEv1 in this case, clear the Version 2 check box, and try again.
    • And the system you are configuring is the IPsec responder, the IPsec initiator system determines which IKE version to use.
  14. For the IKE Phase 1 Algorithms area, retain the default values.
  15. From the Authentication Algorithm list, select an authentication algorithm.
  16. From the Authentication Algorithm list, select SHA-1.
  17. From the Encryption Algorithm list, select an algorithm.
    You can select DES, 3DES, BLOWFISH, CAST128, AES, or CAMELLIA.
    DES, 3DES, BLOWFISH, and CAST128 are 64-bit-block legacy ciphers; unless the remote peer requires one of them, select AES. Whatever you choose, the remote IKE peer must be configured with the same algorithm.
  18. From the Encryption Algorithm list, retain the default value, 3DES.
  19. From the Perfect Forward Secrecy list, select the Diffie-Hellman group to use for the Phase 1 key exchange.
    Both peers must use the same group. MODP1024 is a 1024-bit group and is considered weak by current standards; select a larger group when the remote peer supports one.
  20. From the Perfect Forward Secrecy list, retain the default value, MODP1024.
  21. In the Lifetime field, type a value, in minutes.
  22. In the Lifetime field, retain the default value (1440).
    This is the length of time, in minutes, before the IKE security association expires.
  23. In the IKE Phase 1 Credentials area, for the Authentication Method setting, select the option appropriate for your deployment.
    • If you select RSA Signature (default), the Certificate, Key, and Verify Peer Certificate settings are available. If you have your own certificate file, key file, and certificate authority (CA), F5 recommends, for security purposes, that you specify these files in the appropriate fields. To reveal all these fields, select the Verify Peer Certificate check box. If you retain the default settings, leave the check box cleared. If you select the check box, you must provide a certificate file, key, and certificate authority. This option is available only for IKEv1.
    • If you select Preshared Key, type the key in the Preshared Key field that becomes available. The key you type must be the same at both ends of the tunnel.
  24. From the Authentication Method list, select Preshared Key.
    This is the method that you want this system to use for peer-to-peer authentication.
  25. From the Authentication Method list, select DSA Signature.
    This is the method that you want this system to use for peer-to-peer authentication.
  26. From the Authentication Method list, select RSA Signature.
    This is the method that you want this system to use for peer-to-peer authentication.
  27. From the Authentication Method list, select either Preshared Key or RSA Signature.
    This is the method that you want this system to use for peer-to-peer authentication.
  28. In the Preshared Key field, type an alphanumeric string that you want the peers to use as a preshared key.
    Use a long, randomly generated string: when this method is selected, the preshared key is the only secret that authenticates the peers, and it must be identical on both systems.
  29. For the Common Settings area, retain all default values.
  30. For the Common Settings area, retain the default values, except as noted.
    If you selected Version 2, you must change the selection for Presented ID and Verified ID to Override.
  31. If you selected Version 2, select a traffic selector from the Traffic Selector list in the Common Settings area.
    Only traffic selectors that are valid for IKEv2 appear on the list. The default traffic selector is not included, because it is not supported in IKEv2. Also, you can associate a traffic selector with only one IKE peer, so traffic selectors already associated with other peers are not displayed.
  32. From the Mode list, either retain the default value (Main) or select Aggressive.
    Aggressive mode sends the identity payloads before the exchange is encrypted and, combined with a preshared key, exposes material that a passive observer can use to guess the key offline. Retain Main unless the remote peer requires Aggressive.
  33. For the Mode setting, retain the default value, Main.
  34. From the Mode list, select Aggressive.
  35. From the NAT Traversal list, select a value.
  36. From the NAT Traversal list, select Force.
  37. From the NAT Traversal list, select the default value, Off.
  38. From the NAT Traversal list, select On.
    (Figure: NAT Traversal setting example)
  39. For the Passive setting, retain the default value (cleared) or check the box.
  40. For the Passive setting, retain the default value (cleared).
  41. For the Passive setting, check the box.
  42. For the Verify Certificate setting, retain the default value (checked) or clear the box.
  43. For the Verify Certificate setting, clear the box.
  44. For the Verify Certificate setting, retain the default value (checked).
  45. For the Presented ID Type setting, retain the default value (Address).
  46. For the Presented ID Type setting, select a value.
    This setting is optional. If the IKE authentication method is a preshared key, then the Presented ID Type value must be the type of the preshared key. For example, if the preshared key is a fully-qualified domain name, then the Presented ID Type must be FQDN. If you do not configure the Presented ID setting, the BIG-IP system ignores this Presented ID Type setting.
  47. For the Presented ID Type setting, select a value.
    This setting is optional. If you do not configure the Presented ID setting, the BIG-IP system ignores this Presented ID Type setting.
  48. If you selected Version 2, select Override from the Presented ID list, and enter a value in the Presented ID Value field.
    This value must match the Verified ID Value field on the remote IKE peer.
  49. In the Presented ID field, type a value.
    This setting is optional. The Presented ID is the identity that the BIG-IP system you are configuring sends to its remote IKE peer; use it only as an additional identity check on top of the authentication method. If configured, this value must be of the type selected for the Presented ID Type setting. For example, if you set the Presented ID Type to FQDN, then the Presented ID must be a fully-qualified domain name. Also, if the IKE authentication method is a preshared key, then the Presented ID must be the preshared key itself.
  50. In the Presented ID field, type a value.
    This setting is optional. The Presented ID is the identity that the BIG-IP system you are configuring sends to its remote IKE peer; use it only as an additional identity check on top of the authentication method. If configured, this value must be of the type selected for the Presented ID Type setting. For example, if you set the Presented ID Type to FQDN, then the Presented ID must be a fully-qualified domain name.
  51. For the Verified ID Type setting, retain the default value (Address).
  52. For the Verified ID Type setting, select a value.
    If the IKE authentication method is a preshared key, then the Verified ID Type value must be the type of the preshared key. For example, if the preshared key is a fully-qualified domain name, then the Verified ID Type must be FQDN.
  53. For the Verified ID Type setting, select a value.
  54. In the Verified ID field, type a value.
    This is the identity that the BIG-IP system you are configuring expects its remote IKE peer to present; it must equal the Presented ID configured on the remote peer. This value must be of the type selected for the Verified ID Type setting. For example, if you set the Verified ID Type to FQDN, then the Verified ID must be a fully-qualified domain name. Also, if the IKE authentication method is a preshared key, then the Verified ID must be the preshared key itself.
  55. In the Verified ID field, type a value.
    This is the identity that the BIG-IP system you are configuring expects its remote IKE peer to present; it must equal the Presented ID configured on the remote peer. This value must be of the type selected for the Verified ID Type setting. For example, if you set the Verified ID Type to FQDN, then the Verified ID must be a fully-qualified domain name.
  56. If you selected Version 2, select Override from the Verified ID list, and enter a value in the Verified ID Value field.
    This value must match the Presented ID Value field on the remote IKE peer.
  57. Click Finished.
    The screen refreshes and displays the new IKE peer in the list.
  58. Repeat this task on the BIG-IP system in the remote location.
You now have an IKE peer defined for establishing a secure channel.
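The cross-checks that the procedure above leaves to the administrator (Remote Address inside the inbound traffic selector, an IKE version the initiator and responder both allow, identical credentials and Phase 1 algorithms on both ends, and the Override and traffic selector requirements for IKEv2) can be run over the two peer definitions before you click Finished on either system. The Python below is an added example and is not F5 code or a BIG-IP API: the dataclass fields mirror the screen settings described above, while the class and function names, the legacy-algorithm lists, and the sample values (including the SHA-256 and MODP2048 choices) are constructed for illustration.

```python
"""Consistency check for the two ends of a BIG-IP IPsec IKE peer pair.

Added example (not F5 code): models the IKE peer fields from the procedure
above as dataclasses and checks the local and remote definitions against
each other. Names and sample values are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Phase 1 list entries that are legacy by today's standards (a fact about
# the algorithms themselves, not a BIG-IP restriction).
LEGACY_ENCRYPTION = {"DES", "3DES", "BLOWFISH", "CAST128"}   # 64-bit block ciphers
LEGACY_HASH = {"SHA-1"}
LEGACY_PFS = {"MODP768", "MODP1024"}                          # DH groups 1 and 2


@dataclass
class TrafficSelector:
    name: str
    source: str            # network in CIDR form, e.g. "20.0.0.0/8"
    destination: str
    is_default: bool = False


@dataclass
class IkePeer:
    name: str
    remote_address: str                   # "n.n.n.n" or "n.n.n.n%ID"
    versions: Set[int] = field(default_factory=lambda: {1})
    auth_alg: str = "SHA-1"               # screen defaults from the procedure
    enc_alg: str = "3DES"
    pfs: str = "MODP1024"
    lifetime_min: int = 1440
    auth_method: str = "Preshared Key"
    preshared_key: Optional[str] = None
    presented_id: str = "Address"         # Address, or Override (required for IKEv2)
    presented_id_value: Optional[str] = None
    verified_id: str = "Address"
    verified_id_value: Optional[str] = None
    traffic_selector: Optional[TrafficSelector] = None


def split_route_domain(addr: str) -> Tuple[str, int]:
    """Split 'n.n.n.n%ID' into (address, route domain ID); no '%' means ID 0."""
    host, _, rd = addr.partition("%")
    return str(ip_address(host)), (int(rd) if rd else 0)


def check_peer_pair(local: IkePeer, remote: IkePeer, inbound: TrafficSelector,
                    local_is_initiator: bool) -> List[str]:
    """Return findings that would break Phase 1 or leave it weak (empty list = consistent).

    `inbound` is the local system's inbound traffic selector; its source
    network must contain the local peer's Remote Address (step 6 above).
    """
    findings: List[str] = []
    host, _rd = split_route_domain(local.remote_address)
    if ip_address(host) not in ip_network(inbound.source):
        findings.append(f"remote address {host} not in inbound selector source {inbound.source}")

    # An initiator that allows both versions tries IKEv2 first and fails if the
    # responder lacks it; a responder accepts whichever version the initiator uses.
    if local_is_initiator:
        chosen = 2 if 2 in local.versions else 1
        if chosen not in remote.versions:
            findings.append(f"initiator will use IKEv{chosen}, which the remote peer does not allow")
    elif not (local.versions & remote.versions):
        findings.append("no IKE version common to both peers")

    # Phase 1 proposal and credentials must agree at both ends of the tunnel.
    for attr in ("auth_alg", "enc_alg", "pfs", "auth_method"):
        if getattr(local, attr) != getattr(remote, attr):
            findings.append(f"{attr} differs: {getattr(local, attr)} vs {getattr(remote, attr)}")
    if local.auth_method == remote.auth_method == "Preshared Key":
        if not local.preshared_key or local.preshared_key != remote.preshared_key:
            findings.append("preshared key missing or not identical on both peers")

    # IKEv2-only requirements from the Common Settings area (steps 30, 31, 48, 56).
    if 2 in local.versions:
        if local.presented_id != "Override" or local.verified_id != "Override":
            findings.append("IKEv2 requires Presented ID and Verified ID set to Override")
        ts = local.traffic_selector
        if ts is None or ts.is_default:
            findings.append("IKEv2 requires a non-default traffic selector on the IKE peer")
        if local.presented_id_value != remote.verified_id_value:
            findings.append("local Presented ID Value does not match remote Verified ID Value")
        if local.verified_id_value != remote.presented_id_value:
            findings.append("local Verified ID Value does not match remote Presented ID Value")

    # Advisory only: these defaults still negotiate, but are weak choices.
    if local.enc_alg in LEGACY_ENCRYPTION:
        findings.append(f"warning: {local.enc_alg} is a legacy cipher; prefer AES")
    if local.auth_alg in LEGACY_HASH:
        findings.append(f"warning: {local.auth_alg} is a legacy hash; prefer a SHA-2 option")
    if local.pfs in LEGACY_PFS:
        findings.append(f"warning: {local.pfs} is a small DH group; prefer a larger group")
    return findings


def example_pair() -> Tuple[IkePeer, IkePeer, TrafficSelector]:
    """Constructed sample: a consistent IKEv2 pair; site A is local, site B remote."""
    ts = TrafficSelector("ts_site_a", source="20.0.0.0/8", destination="10.0.0.0/8")
    shared = dict(versions={2}, auth_alg="SHA-256", enc_alg="AES", pfs="MODP2048",
                  preshared_key="correct horse battery staple", presented_id="Override",
                  verified_id="Override", traffic_selector=ts)
    local = IkePeer("peer_site_a", "20.0.0.2", presented_id_value="site-a.example",
                    verified_id_value="site-b.example", **shared)
    remote = IkePeer("peer_site_b", "10.0.0.2", presented_id_value="site-b.example",
                     verified_id_value="site-a.example", **shared)
    return local, remote, ts


if __name__ == "__main__":
    local, remote, ts = example_pair()
    print(check_peer_pair(local, remote, ts, local_is_initiator=True) or "consistent")
    print(check_peer_pair(IkePeer("defaults", "30.0.0.1"), remote, ts, True))
```

Run the same function from both sides (each system's own inbound traffic selector, and `local_is_initiator` set according to which side opens the tunnel); the warnings at the end are advisory and do not prevent negotiation, but a peer left on the screen defaults will report all three.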