Applies To:
Show VersionsBIG-IP AAM
- 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP APM
- 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Link Controller
- 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP LTM
- 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP AFM
- 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP ASM
- 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Configuring IPsec between a BIG-IP System and a Third-Party Device
Overview: Configuring IPsec between a BIG-IP system and a third-party device
About negotiation of
security associations
About IPsec Tunnel
mode
About BIG-IP
components of the IPsec protocol suite
- IKE peers
- AnIKE peeris a configuration object of the IPsec protocol suite that represents a BIG-IP system on each side of the IPsec tunnel. IKE peers allow two systems to authenticate each other (known as IKE Phase 1). The BIG-IP system supports two versions of the IKE protocol: Version 1 (IKEv1) and Version 2 (IKEv2). The BIG-IP system includes the default IKE peer, namedanonymous, which is configured to use Version 1.The BIG-IP system does not support IPComp with IKEv2.
- IPsec policies
- AnIPsec policyis a set of information that defines the specific IPsec protocol to use (ESP or AH), and the mode (Transport, Tunnel, or iSession). For Tunnel mode, the policy also specifies the endpoints for the tunnel, and for IKE Phase 2 negotiation, the policy specifies the security parameters to be used in that negotiation. The way that you configure the IPsec policy determines the way that the BIG-IP system manipulates the IP headers in the packets. The BIG-IP system includes two default IPsec policies, nameddefault-ipsec-policyanddefault-ipsec-policy-isession. A common configuration includes a bidirectional policy on each BIG-IP system.
- Traffic selectors
- Atraffic selectoris a packet filter that defines what traffic should be handled by a IPsec policy. You define the traffic by source and destination IP addresses and port numbers. A common configuration includes a bidirectional traffic selector on each BIG-IP system.
Task summary for configuring IPSEC to third party device
- BIG-IP Local Traffic Manager
- This module directs traffic securely and efficiently to the appropriate destination on a network.
- Self IP address
- The BIG-IP system must have at least one self IP address, to be used in specifying the end of the IPsec tunnel.
- The default VLANs
- These VLANs are namedexternalandinternal.
- BIG-IP connectivity
- Verify the connectivity between the client or server and its BIG-IP device, and between the BIG-IP device and its gateway. For example, you can use ping to test this connectivity.
Task list
Creating a forwarding virtual server for IPsec
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- From theTypelist, selectForwarding (IP).
- In theDestination Address/Maskfield, type a wildcard network address in CIDR format, such as0.0.0.0/0for IPv4 or::/0for IPv6, to accept any traffic.
- From theService Portlist, select*All Ports.
- From theProtocollist, select*All Protocols.
- From theVLAN and Tunnel Trafficlist, retain the default selection,All VLANs and Tunnels.
- ClickFinished.
Creating an IKE peer
- On the Main tab, click.
- Click theCreatebutton.The New IKE Peer screen opens.
- In theNamefield, type a unique name for the IKE peer.
- In theDescriptionfield, type a brief description of the IKE peer.
- In theRemote Addressfield, type the IP address of the device that is remote to the system you are configuring.This address must match the value of theTunnel Remote Addresssetting in the relevant IPsec policy.
- For theStatesetting, retain the default value,Enabled.
- For the IKE Phase 1 Algorithms area, retain the default values, or select the options that are appropriate for your deployment.The values you select must match the IKE Phase 1 settings on the remote device.SettingOptionsAuthentication Algorithm
MD5
SHA-1 (default)
SHA-256
SHA-384
SHA-512Encryption Algorithm
DES
3 DES (default)
BLOWFISH
CAST128
AES
CAMELLIAPerfect Forward Secrecy
MODP768
MODP1024 (default)
MODP1536
MODP2048
MODP3072
MODP4096
MODP6144
MODP8192LifetimeLength of time, in minutes, before the IKE security association expires. - In the IKE Phase 1 Credentials area, for theAuthentication Methodsetting, select the option appropriate for your deployment.
- If you selectRSA Signature(default), theCertificate,Key, andVerify Peer Certificatesettings are available. If you have your own certificate file, key file, and certificate authority (CA), F5 recommends, for security purposes, that you specify these files in the appropriate fields. To reveal all these fields, select theVerify Peer Certificatecheck box. If you retain the default settings, leave the check box cleared.If you select the check box, you must provide a certificate file, key, and certificate authority.This option is available only for IKEv1.
- If you selectPreshared Key, type the key in thePreshared Keyfield that becomes available.
The key you type must be the same at both ends of the tunnel. - For the Common Settings area, retain all default values.
- ClickFinished.The screen refreshes and displays the new IKE peer in the list.
Creating a custom IPsec policy
- On the Main tab, click.
- Click theCreatebutton.The New Policy screen opens.
- In theNamefield, type a unique name for the policy.
- In theDescriptionfield, type a brief description of the policy.
- For theIPsec Protocolsetting, retain the default selection,ESP.
- From theModelist, selectTunnel.The screen refreshes to show additional related settings.
- In theTunnel Local Addressfield, type the local IP address of the system you are configuring.For example, the tunnel local IP address for BIG-IP A is2.2.2.2.
- In theTunnel Remote Addressfield, type the IP address that is remote to the system you are configuring.This address must match theRemote Addresssetting for the relevant IKE peer.For example, the tunnel remote IP address configured on BIG-IP A is the IP address of Router B, which is3.3.3.3.
- For the IKE Phase 2 area, retain the default values, or select the options that are appropriate for your deployment.The values you select must match the IKE Phase 2 settings on the remote device.SettingOptionsAuthentication Algorithm
SHA-1
AES-GCM128 (default)
AES-GCM192
AES-GCM256
AES-GMAC128
AES-GMAC192
AES-GMAC256Encryption Algorithm
AES-GCM128 (default)Perfect Forward Secrecy
MODP768
MODP1024 (default)
MODP1536
MODP2048
MODP3072
MODP4096
MODP6144
MODP8192LifetimeLength of time, in minutes, before the IKE security association expires. - ClickFinished.The screen refreshes and displays the new IPsec policy in the list.
Creating a
bidirectional IPsec traffic selector
- On the Main tab, click.
- ClickCreate.The New Traffic Selector screen opens.
- In theNamefield, type a unique name for the traffic selector.
- In theDescriptionfield, type a brief description of the traffic selector.
- For theOrdersetting, retain the default value (First).This setting specifies the order in which the traffic selector appears on the Traffic Selector List screen.
- From theConfigurationlist, selectAdvanced.
- For theSource IP Addresssetting, clickHostorNetwork, and in theAddressfield, type an IP address.This IP address should be the host or network address from which the application traffic originates.This table shows sample source IP addresses for BIG-IP A and Router B.System NameSource IP AddressBIG-IP A1.1.1.0/24Router B4.4.4.0/24
- From theSource Portlist, select the source port for which you want to filter traffic, or retain the default value*All Ports.
- For theDestination IP Addresssetting, clickHost, and in theAddressfield, type an IP address.This IP address should be the final host or network address to which the application traffic is destined.This table shows sample destination IP addresses for BIG-IP A and Router B.System NameDestination IP AddressBIG-IP A4.4.4.0/24Router B1.1.1.0/24
- From theDestination Portlist, select the destination port for which you want to filter traffic, or retain the default value* All Ports.
- From theProtocollist, select the protocol for which you want to filter traffic.You can select* All Protocols,TCP,UDP,ICMP, orOther. If you selectOther, you must type a protocol name.
- From theDirectionlist, selectBoth.
- From theActionlist, selectProtect.TheIPsec Policy Namesetting appears.
- From theIPsec Policy Namelist, select the name of the custom IPsec policy that you created.
- ClickFinished.The screen refreshes and displays the new IPsec traffic selector in the list.
Verifying IPsec connectivity for Tunnel mode
- Access thetmshcommand-line utility.
- Before sending traffic, type this command at the prompt.tmsh modify net ipsec ike-daemon ikedaemon log-level debugThis command increases the logging level to display the messages that you want to view.
- Send data traffic to the destination IP address specified in the traffic selector.
- For an IKEv1 configuration, check the IKE Phase 1 negotiation status by typing this command at the prompt.racoonctl -l show-sa isakmpThis example shows a result of the command.Destinationis the tunnel remote IP address.Destination Cookies ST S V E Created Phase2 165.160.15.20.500 98993e6 . . . 22c87f1 9 I 10 M 2012-06-27 16:51:19 1This table shows the legend for interpreting the result.ColumnDisplayedDescriptionST (Tunnel Status)1Start Phase 1 negotiation2msg 1 received3msg 1 sent4msg 2 received5msg 2 sent6msg 3 received7msg 3 sent8msg 4 received9isakmp tunnel established10isakmp tunnel expiredSIInitiatorRResponderV (Version Number)10ISAKMP version 1.0E (Exchange Mode)MMain (Identity Protection)AAggressivePhase2<n>Number of Phase 2 tunnels negotiated with this IKE peer
- For an IKEv1 configuration, check the IKE Phase 2 negotiation status by typing this command at the prompt.racoonctl -ll show-sa internalThis example shows a result of this command.Sourceis the tunnel local IP address.Destinationis the tunnel remote IP address.Source Destination Status Side 10.100.20.3 165.160.15.20 sa established [R]This table shows the legend for interpreting the result.ColumnDisplayedSideI (Initiator)R (Responder)Statusinitstartacquiregetspi sentgetspi done1st msg sent1st msg recvdcommit bitsa addedsa establishedsa expired
- To verify the establishment of dynamic negotiated Security Associations (SAs), type this command at the prompt.tmsh show net ipsec ipsec-saFor each tunnel, the output displays IP addresses for two IPsec SAs, one for each direction, as shown in the example.IPsec::SecurityAssociations 10.100.20.3 -> 165.160.15.20 SPI(0x7b438626) in esp (tmm: 6) 165.160.15.20 -> 10.100.20.3 SPI(0x5e52a1db) out esp (tmm: 5)
- To display the details of the dynamic negotiated Security Associations (SAs), type this command at the prompt.tmsh show net ipsec ipsec-sa all-propertiesFor each tunnel, the output displays the details for the IPsec SAs, as shown in the example.IPsec::SecurityAssociations 165.160.15.20 -> 10.100.20.3 ----------------------------------------------------------------------------- tmm: 2 Direction: out; SPI: 0x6be3ff01(1810104065); ReqID: 0x9b0a(39690) Protocol: esp; Mode: tunnel; State: mature Authenticated Encryption : aes-gmac128 Current Usage: 307488 bytes Hard lifetime: 94 seconds; unlimited bytes Soft lifetime: 34 seconds; unlimited bytes Replay window size: 64 Last use: 12/13/2012:10:42 Create: 12/13/2012:10:39
- To display the details of the IKE-negotiated SAs (IKEv2), type this command at the prompt.tmsh show net ipsec ike-sa all-properties
- To filter the Security Associations (SAs) by traffic selector, type this command at the prompt.tmsh show net ipsec ipsec-sa traffic-selector ts_codecYou can also filter by other parameters, such as SPI (spi), source address (src_addr), or destination address (dst_addr)The output displays the IPsec SAs that area associated with the traffic selector specified, as shown in the example.IPsec::SecurityAssociations 10.100.115.12 -> 10.100.15.132 SPI(0x2211c0a9) in esp (tmm: 0) 10.100.15.132 -> 10.100.115.12 SPI(0x932e0c44) out esp (tmm: 2)
- Check the IPsec stats by typing this command at the prompt.tmsh show net ipsec-statIf traffic is passing through the IPsec tunnel, the stats will increment.------------------------------------------------------------------- Net::Ipsec Cmd Id Mode Packets In Bytes In Packets Out Bytes Out ------------------------------------------------------------------- 0 TRANSPORT 0 0 0 0 0 TRANSPORT 0 0 0 0 0 TUNNEL 0 0 0 0 0 TUNNEL 0 0 0 0 1 TUNNEL 353.9K 252.4M 24.9K 1.8M 2 TUNNEL 117.9K 41.0M 163.3K 12.4M
- If the SAs are established, but traffic is not passing, type one of these commands at the prompt.
tmsh delete net ipsec ipsec-sa (IKEv1)
tmsh delete net ipsec ike-sa (IKEv2)This action deletes the IPsec tunnels. Sending new traffic triggers SA negotiation and establishment. - If traffic is still not passing, type this command at the prompt.racoonctl flush-sa isakmpThis action brings down the control channel. Sending new traffic triggers SA negotiation and establishment.
- View the/var/log/racoon.logto verify that the IPsec tunnel is up.These lines are examples of the messages you are looking for.2012-06-29 16:45:13: INFO: ISAKMP-SA established 10.100.20.3[500]-165.160.15.20[500] spi:3840191bd045fa51:673828cf6adc5c61 2012-06-29 16:45:14: INFO: initiate new phase 2 negotiation: 10.100.20.3[500]<=>165.160.15.20[500] 2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 165.160.15.20[0]->10.100.20.3[0] spi=2403416622(0x8f413a2e) 2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 10.100.20.3[0]->165.160.15.20[0] spi=4573766(0x45ca46
- To turn on IKEv2 logging on a production build, complete these steps.If you are using IKEv2, you can skip these steps; the BIG-IP system enables IPsec logging by default.
- Configure the log publisher for IPsec to use.% tmsh create sys log-config publisher ipsec { destinations add { local-syslog }} % tmsh list sys log-config publisher ipsec sys log-config publisher ipsec { destinations { local-syslog { } } }
- Attach the log publisher to theike-daemonobject.tmsh modify net ipsec ike-daemon ikedaemon log-publisher ipsec
- For protocol-level troubleshooting, you can increase the debug level by typing this command at the prompt.tmsh modify net ipsec ike-daemon ikedaemon log-level debug2Use this command only for debugging. It creates a large log file, and can slow the tunnel negotiation.Using this command flushes existing SAs.
- After you view the results, return the debug level to normal to avoid excessive logging by typing this command at the prompt.tmsh modify net ipsec ike-daemon ikedaemon log-level infoUsing this command flushes existing SAs.