Manual Chapter: Common elements for IPsec policy tasks
Applies To:
BIG-IP AAM
- 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP APM
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Link Controller
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP LTM
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP AFM
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP ASM
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Common elements for IPsec policy tasks
Ensure that you have created a virtual address or self IP address on each BIG-IP system on either end of the IPsec tunnel.

You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode. Another reason is to add payload compression before encryption. If you are using IKEv2, you must create a custom IPsec policy to specify in the traffic selector you create. You must perform this task on both BIG-IP systems.
- On the Main tab, click.
- On the Main tab, click. The IPsec Policies screen opens.
- Click the Create button. The New Policy screen opens.
- Click the Create button. The New IPsec Interface Profile screen opens.
- In the Name field, type a unique name for the policy.
- In the Description field, type a brief description of the policy.
- From the Mode list, select Transport.
- From the Mode list, select Tunnel. The screen refreshes to show additional related settings.
- From the Mode list, select IPsec Interface.
- From the Mode list, select iSession Using Tunnel.
- In the Tunnel Local Address field, type the source IP address that appears in the headers of the packets coming from the remote BIG-IP system. This is an address of the remote system.
- In the Tunnel Local Address field, type the IP address of the BIG-IP system that initiates the traffic. To specify a route domain ID in an IP address, use the format n.n.n.n%ID. When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains. For the outbound policy, this is the IP address of the local BIG-IP system. For the inbound policy, this is the IP address of the remote BIG-IP system. This table shows sample outbound and inbound tunnel local addresses configured on BIG-IP A and BIG-IP B.

  | System Name | Traffic Direction | Tunnel Local Address |
  |-------------|-------------------|----------------------|
  | BIG-IP A    | Outbound          | 2.2.2.2              |
  | BIG-IP A    | Inbound           | 3.3.3.3              |
  | BIG-IP B    | Outbound          | 3.3.3.3              |
  | BIG-IP B    | Inbound           | 2.2.2.2              |

- In the Tunnel Remote Address field, type the destination IP address that appears in the headers of the packets coming from the remote BIG-IP system.
- In the Tunnel Local Address field, type the source IP address that appears in the headers of the packets going to the remote BIG-IP system. This is an address of the local system.
- In the Tunnel Local Address field, type the local IP address of the system you are configuring. To specify a route domain ID in an IP address, use the format n.n.n.n%ID. When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains. This table shows sample tunnel local addresses for BIG-IP A and BIG-IP B.

  | System Name | Tunnel Local Address |
  |-------------|----------------------|
  | BIG-IP A    | 2.2.2.2              |
  | BIG-IP B    | 3.3.3.3              |

- In the Tunnel Remote Address field, type the destination IP address that appears in the headers of the packets going to the remote BIG-IP system. This is an address of the remote system and must match the Remote Address value that you previously specified in the IKE peer object on this system.
- In the Tunnel Local Address field, type an IP address. This IP address must match the local address of the EtherIP tunnel and the source IP address of the associated traffic selector.
- In the Tunnel Local Address field, type the local IP address of the system you are configuring.
- In the Tunnel Remote Address field, type the public IP address of the firewall or other NAT device that is between the WAN and the remote BIG-IP system. This address must match the value of the Remote Address setting for the relevant IKE peer.
- In the Tunnel Remote Address field, type the IP address that is remote to the system you are configuring. This address must match the Remote Address setting for the relevant IKE peer. To specify a route domain ID in an IP address, use the format n.n.n.n%ID. When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains. This table shows sample tunnel remote addresses for BIG-IP A and BIG-IP B.

  | System Name | Tunnel Remote Address |
  |-------------|-----------------------|
  | BIG-IP A    | 3.3.3.3               |
  | BIG-IP B    | 2.2.2.2               |

- In the Tunnel Remote Address field, type the IP address of the BIG-IP system that receives the traffic. To specify a route domain ID in an IP address, use the format n.n.n.n%ID. When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains. For the outbound policy, this is the IP address of the remote BIG-IP system. For the inbound policy, this is the IP address of the local BIG-IP system. This table shows sample outbound and inbound tunnel remote addresses configured on BIG-IP A and BIG-IP B.

  | System Name | Traffic Direction | Tunnel Remote Address |
  |-------------|-------------------|-----------------------|
  | BIG-IP A    | Outbound          | 3.3.3.3               |
  | BIG-IP A    | Inbound           | 2.2.2.2               |
  | BIG-IP B    | Outbound          | 2.2.2.2               |
  | BIG-IP B    | Inbound           | 3.3.3.3               |

- In the Tunnel Remote Address field, type an IP address. This IP address must match the remote address of the EtherIP tunnel and the destination IP address of the associated traffic selector.
- From the IPsec Protocol list, select AH.
- From the IPsec Protocol list, select Bundle.
- For the IPsec Protocol setting, retain the default selection, ESP.
- From the Authentication Algorithm list, select HMAC MD-5.
- For the Authentication Algorithm setting, retain the default value, SHA-1.
- For the Authentication Algorithm setting, retain the default value, AES-GCM128.
- For the Authentication Algorithm setting, retain the default value, or select the algorithm appropriate for your deployment.
- For the Encryption Algorithm setting, retain the default value, 3DES.
- For the Encryption Algorithm setting, retain the default value, AES-GCM128.
- For the Encryption Algorithm setting, retain the default value, or select the algorithm appropriate for your deployment.
- For the Encryption Algorithm list, select AES-256.
- For the Perfect Forward Secrecy setting, select the option appropriate for your deployment.
- For the Perfect Forward Secrecy setting, select the option appropriate for your deployment.
- For the Perfect Forward Secrecy list, select MODP1024.
- For the IPComp setting, specify whether to use IPComp encapsulation, which performs packet-level compression before encryption:
  - Retain the default value None, if you do not want to enable packet-level compression before encryption.
  - Select DEFLATE to enable packet-level compression before encryption.
- Only if you want to use IPComp to compress the traffic in the IPsec tunnel, from the IPComp list, select DEFLATE.
- For the Lifetime setting, retain the default value, 1440. This is the length of time (in minutes) before the current security association expires.
- In the Lifetime field, type a lifetime value. This is the length of time (in minutes) before the current security association expires.
- Click Finished. The screen refreshes and displays the new IPsec policy in the list.
- Repeat this task on the BIG-IP system in the remote location.
- Repeat this task for outbound and inbound traffic policies on both the local and remote BIG-IP systems.
- For the other settings, retain the default values.
You now have an IPsec policy for each IPsec traffic selector.
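The tunnel-address steps above carry several rules that are easy to get wrong when the same task is repeated on two systems and for two directions: the n.n.n.n%ID route domain format, the 512 route domain limit under IKEv1, the requirement that the Tunnel Remote Address match the IKE peer's Remote Address, and the mirroring shown in the sample tables (BIG-IP A's outbound addresses equal BIG-IP B's inbound addresses, and each system's inbound policy is its outbound policy with local and remote swapped). The following is an added example, not F5 code and not part of this manual: an offline checker for a set of planned policies. It assumes a bare address belongs to route domain 0, approximates the IKEv1 limit by counting the distinct route domain IDs the policies reference, and applies the IKE peer match only to policies where an `ike_peer_remote` value is supplied. The sample addresses are the 2.2.2.2 / 3.3.3.3 values from the tables above; the `BAD_DEPLOYMENT` typo is constructed.

```python
"""Consistency checks for the tunnel-address settings of BIG-IP IPsec policies.

Constructed example; this is not F5 code and does not talk to a BIG-IP system.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Stated in the procedure: with IKEv1, the BIG-IP system supports at most 512 route domains.
IKEV1_MAX_ROUTE_DOMAINS = 512


def parse_tunnel_address(value: str) -> Tuple[str, int]:
    """Split 'n.n.n.n' or 'n.n.n.n%ID' into (address, route domain ID).

    A bare address is taken to belong to route domain 0 (assumption for this example).
    Raises ValueError for a malformed address or a non-numeric/negative ID.
    """
    addr, sep, rd = value.partition("%")
    ip = ipaddress.ip_address(addr)       # rejects anything that is not an IP address
    rd_id = int(rd) if sep else 0         # int() rejects a non-numeric ID
    if rd_id < 0:
        raise ValueError(f"negative route domain ID in {value!r}")
    return str(ip), rd_id


@dataclass(frozen=True)
class IpsecPolicy:
    system: str                 # the BIG-IP system this policy is configured on
    direction: str              # "outbound" or "inbound"
    tunnel_local: str           # Tunnel Local Address field
    tunnel_remote: str          # Tunnel Remote Address field
    ike_version: int = 2
    ike_peer_remote: Optional[str] = None   # IKE peer Remote Address on this system, if known


def check_policy(p: IpsecPolicy) -> List[str]:
    """Field-level checks on one policy: address syntax and IKE peer Remote Address match."""
    problems = []
    for field, value in (("local", p.tunnel_local), ("remote", p.tunnel_remote)):
        try:
            parse_tunnel_address(value)
        except ValueError:
            problems.append(f"{p.system}/{p.direction}: malformed tunnel {field} address {value!r}")
    if p.ike_peer_remote is not None and p.tunnel_remote != p.ike_peer_remote:
        problems.append(f"{p.system}/{p.direction}: tunnel remote address {p.tunnel_remote} "
                        f"does not match the IKE peer Remote Address {p.ike_peer_remote}")
    return problems


def route_domain_count(policies: List[IpsecPolicy]) -> int:
    """Number of distinct route domain IDs referenced by well-formed tunnel addresses."""
    ids = set()
    for p in policies:
        for value in (p.tunnel_local, p.tunnel_remote):
            try:
                ids.add(parse_tunnel_address(value)[1])
            except ValueError:
                pass                       # already reported by check_policy
    return len(ids)


def check_deployment(policies: List[IpsecPolicy]) -> List[str]:
    """Cross-policy checks: on each system the inbound policy mirrors the outbound one, and
    one system's outbound policy carries the same addresses as the peer's inbound policy."""
    problems = [msg for p in policies for msg in check_policy(p)]
    by_key = {(p.system, p.direction): p for p in policies}
    systems = sorted({p.system for p in policies})
    for s in systems:
        out, inb = by_key.get((s, "outbound")), by_key.get((s, "inbound"))
        if out is None or inb is None:
            problems.append(f"{s}: both an outbound and an inbound policy are required")
        elif (inb.tunnel_local, inb.tunnel_remote) != (out.tunnel_remote, out.tunnel_local):
            problems.append(f"{s}: inbound policy does not mirror the outbound policy")
    for a, b in combinations(systems, 2):
        for src, dst in ((a, b), (b, a)):
            out, inb = by_key.get((src, "outbound")), by_key.get((dst, "inbound"))
            if out and inb and (out.tunnel_local, out.tunnel_remote) != (inb.tunnel_local, inb.tunnel_remote):
                problems.append(f"{src} outbound and {dst} inbound policies disagree on tunnel addresses")
    if any(p.ike_version == 1 for p in policies) and route_domain_count(policies) > IKEV1_MAX_ROUTE_DOMAINS:
        problems.append(f"more than {IKEV1_MAX_ROUTE_DOMAINS} route domains referenced with IKEv1")
    return problems


# Sample addresses from the tables above: 2.2.2.2 on BIG-IP A, 3.3.3.3 on BIG-IP B.
# The IKE peer Remote Address is supplied for the outbound policies only.
GOOD_DEPLOYMENT = [
    IpsecPolicy("BIG-IP A", "outbound", "2.2.2.2", "3.3.3.3", ike_peer_remote="3.3.3.3"),
    IpsecPolicy("BIG-IP A", "inbound", "3.3.3.3", "2.2.2.2"),
    IpsecPolicy("BIG-IP B", "outbound", "3.3.3.3", "2.2.2.2", ike_peer_remote="2.2.2.2"),
    IpsecPolicy("BIG-IP B", "inbound", "2.2.2.2", "3.3.3.3"),
]

# Constructed misconfiguration: a typo in BIG-IP B's inbound Tunnel Local Address.
BAD_DEPLOYMENT = GOOD_DEPLOYMENT[:3] + [IpsecPolicy("BIG-IP B", "inbound", "2.2.2.3", "3.3.3.3")]

if __name__ == "__main__":
    for name, deployment in (("good", GOOD_DEPLOYMENT), ("bad", BAD_DEPLOYMENT)):
        print(name, check_deployment(deployment) or "no problems found")
```

Running the script reports no problems for the mirrored deployment and two for the bad one: BIG-IP B's inbound policy no longer mirrors its outbound policy, and it no longer agrees with BIG-IP A's outbound policy. Checking a planned address set this way before repeating the GUI task on the remote system catches the transposition errors the two-direction, two-system layout invites.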