F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP TMOS: Tunneling and IPsec
  3. Common elements for IPsec policy tasks
Manual Chapter : Common elements for IPsec policy tasks

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP APM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Link Controller

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP LTM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP AFM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP ASM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Manual Chapter

Common elements for IPsec policy tasks

Ensure that you have created a virtual address or self IP address on each BIG-IP system on either end of the IPsec tunnel.
You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (
default-ipsec-policy
 or
default-ipsec-policy-isession
). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode. Another reason is to add payload compression before encryption. If you are using IKEv2, you must create a custom IPsec policy to specify in the traffic selector you create.
You must perform this task on both BIG-IP systems.
  1. On the Main tab, click
    Network
    IPsec
    IPsec Policies
    .
  2. On the Main tab, click
    Network
    IPsec
    IPsec Policies
    .
    The IPsec Policies screen opens.
  3. Click the
    Create
     button.
    The New Policy screen opens.
  4. Click the
    Create
     button.
    The New IPsec Interface Profile screen opens.
  5. In the
    Name
     field, type a unique name for the policy.
  6. In the
    Description
     field, type a brief description of the policy.
  7. From the
    Mode
     list, select
    Transport
    .
  8. From the
    Mode
     list, select
    Tunnel
    .
    The screen refreshes to show additional related settings.
  9. From the
    Mode
     list, select
    IPsec Interface
    .
  10. From the
    Mode
     list, select
    iSession Using Tunnel
    .
  11. In the
    Tunnel Local Address
     field, type the source IP address that appears in the headers of the packets coming from the remote BIG-IP system.
    This is an address of the remote system.
  12. In the
    Tunnel Local Address
     field, type the IP address of the BIG-IP system that initiates the traffic.
    To specify a route domain ID in an IP address, use the format n.n.n.n%ID.
    When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains.
    For the outbound policy, this is the IP address of the local BIG-IP system. For the inbound policy, this is the IP address of the remote BIG-IP system.
    This table shows sample outbound and inbound tunnel local addresses configured on BIG-IP A and BIG-IP B.
    System Name
    Traffic Direction
    Tunnel Local Address
    BIG-IP A
    Outbound
    2.2.2.2
    Inbound
    3.3.3.3
    BIG-IP B
    Outbound
    3.3.3.3
    Inbound
    2.2.2.2
  13. In the
    Tunnel Remote Address
     field, type the destination IP address that appears in the headers of the packets coming from the remote BIG-IP system.
  14. In the
    Tunnel Local Address
     field, type the source IP address that appears in the headers of the packets going to the remote BIG-IP system.
    This is an address of the local system.
  15. In the
    Tunnel Local Address
     field, type the local IP address of the system you are configuring.
    To specify a route domain ID in an IP address, use the format n.n.n.n%ID.
    When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains.
    This table shows sample tunnel local addresses for BIG-IP A and BIG-IP B.
    System Name
    Tunnel Local Address
    BIG-IP A
    2.2.2.2
    BIG-IP B
    3.3.3.3
  16. In the
    Tunnel Remote Address
     field, type the destination IP address that appears in the headers of the packets going to the remote BIG-IP system. This is an address of the remote system and must match the
    Remote Address
     value that you previously specified in the IKE peer object on this system.
  17. In the
    Tunnel Local Address
     field, type an IP address.
    This IP address must match the local address of the EtherIP tunnel and the source IP address of the associated traffic selector.
  18. In the
    Tunnel Local Address
     field, type the local IP address of the system you are configuring.
  19. In the
    Tunnel Remote Address
     field, type the public IP address of the firewall or other NAT device that is between the WAN and the remote BIG-IP system.
    This address must match the value of the
    Remote Address
     setting for the relevant IKE peer.
  20. In the
    Tunnel Remote Address
     field, type the IP address that is remote to the system you are configuring.
    This address must match the
    Remote Address
     setting for the relevant IKE peer. To specify a route domain ID in an IP address, use the format n.n.n.n%ID.
    When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains.
    This table shows sample tunnel remote addresses for BIG-IP A and BIG-IP B.
    System Name
    Tunnel Remote Address
    BIG-IP A
    3.3.3.3
    BIG-IP B
    2.2.2.2
  21. In the
    Tunnel Remote Address
     field, type the IP address of the BIG-IP system that receives the traffic.
    To specify a route domain ID in an IP address, use the format n.n.n.n%ID.
    When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains.
    For the outbound policy, this is the IP address of the remote BIG-IP system. For the inbound policy, this is the IP address of the local BIG-IP system.
    This table shows sample outbound and inbound tunnel remote addresses configured on BIG-IP A and BIG-IP B.
    System Name
    Traffic Direction
    Tunnel Remote Address
    BIG-IP A
    Outbound
    3.3.3.3
    Inbound
    2.2.2.2
    BIG-IP B
    Outbound
    2.2.2.2
    Inbound
    3.3.3.3
  22. In the
    Tunnel Remote Address
     field, type an IP address.
    This IP address must match the remote address of the EtherIP tunnel and the destination IP address of the associated traffic selector.
  23. From the
    IPsec Protocol
     list, select
    AH
    .
  24. From the
    IPsec Protocol
     list, select
    Bundle
    .
  25. For the
    IPsec Protocol
     setting, retain the default selection,
    ESP
    .
  26. From the
    Authentication Algorithm
     list, select
    HMAC MD-5
    .
  27. For the
    Authentication Algorithm
     setting, retain the default value,
    SHA-1
    .
  28. For the
    Authentication Algorithm
     setting, retain the default value,
    AES-GCM128
    .
  29. For the
    Authentication Algorithm
     setting, retain the default value, or select the algorithm appropriate for your deployment.
  30. For the
    Encryption Algorithm
     setting, retain the default value,
    3DES
    .
  31. For the
    Encryption Algorithm
     setting, retain the default value,
    AES-GCM128
    .
  32. For the
    Encryption Algorithm
     setting, retain the default value, or select the algorithm appropriate for your deployment.
  33. For the
    Encryption Algorithm
     list, select
    AES-256
    .
  34. For the
    Perfect Forward Secrecy
     setting, select the option appropriate for your deployment.
  35. For the
    Perfect Forward Secrecy
     setting, select the option appropriate for your deployment.
  36. For the
    Perfect Forward Secrecy
     list, select
    MODP1024
    .
  37. For the
    IPComp
     setting, specify whether to use IPComp encapsulation, which performs packet-level compression before encryption:
    • Retain the default value
      None
      , if you do not want to enable packet-level compression before encryption.
    • Select
      DEFLATE
       to enable packet-level compression before encryption.
  38. Only if you want to use IPComp to compress the traffic in the IPsec tunnel, from the
    IPComp
     list, select
    DEFLATE
    .
  39. For the
    Lifetime
     setting, retain the default value,
    1440
    .
    This is the length of time (in minutes) before the current security association expires.
  40. In the
    Lifetime
     field, type a lifetime value.
    This is the length of time (in minutes) before the current security association expires.
  41. Click
    Finished
    .
    The screen refreshes and displays the new IPsec policy in the list.
  42. Repeat this task on the BIG-IP system in the remote location.
  43. Repeat this task for outbound and inbound traffic policies on both the local and remote BIG-IP systems.
  44. For the other settings, retain the default values.
You now have an IPsec policy for each IPsec traffic selector.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information