Manual Chapter : Common elements for IPsec policy tasks

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 15.0.0, 14.1.0

BIG-IP ASM

  • 15.0.0, 14.1.0

BIG-IP AAM

  • 15.0.0, 14.1.0

BIG-IP APM

  • 15.0.0, 14.1.0

BIG-IP LTM

  • 15.0.0, 14.1.0
Manual Chapter

Common elements for IPsec policy tasks

Ensure that you have created a virtual address or self IP address on each BIG-IP system on either end of the IPsec tunnel.
You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (
default-ipsec-policy
or
default-ipsec-policy-isession
). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode. Another reason is to add payload compression before encryption. If you are using IKEv2, you must create a custom IPsec policy to specify in the traffic selector you create.
You must perform this task on both BIG-IP systems.
  1. On the Main tab, click
    Network
    IPsec
    IPsec Policies
    .
  2. On the Main tab, click
    Network
    IPsec
    IPsec Policies
    .
    The IPsec Policies screen opens.
  3. Click the
    Create
    button.
    The New Policy screen opens.
  4. Click the
    Create
    button.
    The New IPsec Interface Profile screen opens.
  5. In the
    Name
    field, type a unique name for the policy.
  6. In the
    Description
    field, type a brief description of the policy.
  7. From the
    Mode
    list, select
    Transport
    .
  8. From the
    Mode
    list, select
    Tunnel
    .
    The screen refreshes to show additional related settings.
  9. From the
    Mode
    list, select
    IPsec Interface
    .
  10. From the
    Mode
    list, select
    iSession Using Tunnel
    .
  11. In the
    Tunnel Local Address
    field, type the source IP address that appears in the headers of the packets coming from the remote BIG-IP system.
    This is an address of the remote system.
  12. In the
    Tunnel Local Address
    field, type the IP address of the BIG-IP system that initiates the traffic.
    To specify a route domain ID in an IP address, use the format n.n.n.n%ID.
    When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains.
    For the outbound policy, this is the IP address of the local BIG-IP system. For the inbound policy, this is the IP address of the remote BIG-IP system.
    This table shows sample outbound and inbound tunnel local addresses configured on BIG-IP A and BIG-IP B.
    System Name
    Traffic Direction
    Tunnel Local Address
    BIG-IP A
    Outbound
    2.2.2.2
    Inbound
    3.3.3.3
    BIG-IP B
    Outbound
    3.3.3.3
    Inbound
    2.2.2.2
  13. In the
    Tunnel Remote Address
    field, type the destination IP address that appears in the headers of the packets coming from the remote BIG-IP system.
  14. In the
    Tunnel Local Address
    field, type the source IP address that appears in the headers of the packets going to the remote BIG-IP system.
    This is an address of the local system.
  15. In the
    Tunnel Local Address
    field, type the local IP address of the system you are configuring.
    To specify a route domain ID in an IP address, use the format n.n.n.n%ID.
    When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains.
    This table shows sample tunnel local addresses for BIG-IP A and BIG-IP B.
    System Name
    Tunnel Local Address
    BIG-IP A
    2.2.2.2
    BIG-IP B
    3.3.3.3
  16. In the
    Tunnel Remote Address
    field, type the destination IP address that appears in the headers of the packets going to the remote BIG-IP system. This is an address of the remote system and must match the
    Remote Address
    value that you previously specified in the IKE peer object on this system.
  17. In the
    Tunnel Local Address
    field, type an IP address.
    This IP address must match the local address of the EtherIP tunnel and the source IP address of the associated traffic selector.
  18. In the
    Tunnel Local Address
    field, type the local IP address of the system you are configuring.
  19. In the
    Tunnel Remote Address
    field, type the public IP address of the firewall or other NAT device that is between the WAN and the remote BIG-IP system.
    This address must match the value of the
    Remote Address
    setting for the relevant IKE peer.
  20. In the
    Tunnel Remote Address
    field, type the IP address that is remote to the system you are configuring.
    This address must match the
    Remote Address
    setting for the relevant IKE peer. To specify a route domain ID in an IP address, use the format n.n.n.n%ID.
    When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains.
    This table shows sample tunnel remote addresses for BIG-IP A and BIG-IP B.
    System Name
    Tunnel Remote Address
    BIG-IP A
    3.3.3.3
    BIG-IP B
    2.2.2.2
  21. In the
    Tunnel Remote Address
    field, type the IP address of the BIG-IP system that receives the traffic.
    To specify a route domain ID in an IP address, use the format n.n.n.n%ID.
    When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains.
    For the outbound policy, this is the IP address of the remote BIG-IP system. For the inbound policy, this is the IP address of the local BIG-IP system.
    This table shows sample outbound and inbound tunnel remote addresses configured on BIG-IP A and BIG-IP B.
    System Name
    Traffic Direction
    Tunnel Remote Address
    BIG-IP A
    Outbound
    3.3.3.3
    Inbound
    2.2.2.2
    BIG-IP B
    Outbound
    2.2.2.2
    Inbound
    3.3.3.3
  22. In the
    Tunnel Remote Address
    field, type an IP address.
    This IP address must match the remote address of the EtherIP tunnel and the destination IP address of the associated traffic selector.
  23. From the
    IPsec Protocol
    list, select
    AH
    .
  24. From the
    IPsec Protocol
    list, select
    Bundle
    .
  25. For the
    IPsec Protocol
    setting, retain the default selection,
    ESP
    .
  26. From the
    Authentication Algorithm
    list, select
    HMAC MD-5
    .
  27. For the
    Authentication Algorithm
    setting, retain the default value,
    SHA-1
    .
  28. For the
    Authentication Algorithm
    setting, retain the default value,
    AES-GCM128
    .
  29. For the
    Authentication Algorithm
    setting, retain the default value, or select the algorithm appropriate for your deployment.
  30. For the
    Encryption Algorithm
    setting, retain the default value,
    3DES
    .
  31. For the
    Encryption Algorithm
    setting, retain the default value,
    AES-GCM128
    .
  32. For the
    Encryption Algorithm
    setting, retain the default value, or select the algorithm appropriate for your deployment.
  33. For the
    Encryption Algorithm
    list, select
    AES-256
    .
  34. For the
    Perfect Forward Secrecy
    setting, select the option appropriate for your deployment.
  35. For the
    Perfect Forward Secrecy
    setting, select the option appropriate for your deployment.
  36. For the
    Perfect Forward Secrecy
    list, select
    MODP1024
    .
  37. For the
    IPComp
    setting, specify whether to use IPComp encapsulation, which performs packet-level compression before encryption:
    • Retain the default value
      None
      , if you do not want to enable packet-level compression before encryption.
    • Select
      DEFLATE
      to enable packet-level compression before encryption.
  38. Only if you want to use IPComp to compress the traffic in the IPsec tunnel, from the
    IPComp
    list, select
    DEFLATE
    .
  39. For the
    Lifetime
    setting, retain the default value,
    1440
    .
    This is the length of time (in minutes) before the current security association expires.
  40. In the
    Lifetime
    field, type a lifetime value.
    This is the length of time (in minutes) before the current security association expires.
  41. Click
    Finished
    .
    The screen refreshes and displays the new IPsec policy in the list.
  42. Repeat this task on the BIG-IP system in the remote location.
  43. Repeat this task for outbound and inbound traffic policies on both the local and remote BIG-IP systems.
  44. For the other settings, retain the default values.
You now have an IPsec policy for each IPsec traffic selector.