Manual Chapter : Configuring IPsec in Tunnel Mode between Two BIG-IP Systems

Applies To:


BIG-IP AFM

  • 15.0.0, 14.1.0

BIG-IP ASM

  • 15.0.0, 14.1.0

BIG-IP AAM

  • 15.0.0, 14.1.0

BIG-IP APM

  • 15.0.0, 14.1.0

BIG-IP LTM

  • 15.0.0, 14.1.0

Configuring IPsec in Tunnel Mode between Two BIG-IP Systems

Overview: Configuring IPsec between two BIG-IP systems

You can configure an IPsec tunnel when you want to use a protocol other than SSL to secure traffic that traverses a wide area network (WAN), from one BIG-IP® system to another. By following this procedure, you can configure an IKE peer to negotiate Phase 1 Internet Security Association and Key Management Protocol (ISAKMP) security associations for the secure channel between two systems. You can also configure a custom traffic selector and a custom IPsec policy that use this secure channel to generate IPsec Tunnel mode (Phase 2) security associations (SAs).

[Figure: Example of an IPsec deployment (IPsec tunnel deployment example)]

About negotiation of security associations

The way to dynamically negotiate security associations is to configure the Internet Key Exchange (IKE) protocol, which is included in the IPsec protocol suite. When you configure the IKE protocol, two IPsec tunnel endpoints (IKE peers) open a secure channel using an ISAKMP security association (ISAKMP-SA) to initially negotiate the exchange of peer-to-peer authentication data. This exchange is known as Phase 1 negotiation.
After Phase 1 is complete and the secure channel is established, Phase 2 negotiation begins, in which the IKE peers dynamically negotiate the authentication and encryption algorithms to use to secure the payload. Without IKE, the system cannot dynamically negotiate these security algorithms.

About IPsec Tunnel mode

Tunnel mode causes the IPsec protocol to encrypt the entire packet (the payload plus the IP header). This encrypted packet is then included as the payload in another outer packet with a new header. Traffic sent in this mode is more secure than traffic sent in Transport mode, because the original IP header is encrypted along with the original payload.

About BIG-IP components of the IPsec protocol suite

The IPsec protocol suite on the BIG-IP system consists of these configuration components:

IKE peers
    An IKE peer is a configuration object of the IPsec protocol suite that represents a BIG-IP system on each side of the IPsec tunnel. IKE peers allow two systems to authenticate each other (known as IKE Phase 1). The BIG-IP system supports two versions of the IKE protocol: Version 1 (IKEv1) and Version 2 (IKEv2). The BIG-IP system includes the default IKE peer, named anonymous, which is configured to use Version 1.
    The BIG-IP system does not support IPComp with IKEv2.
IPsec policies
    An IPsec policy is a set of information that defines the specific IPsec protocol to use (ESP or AH), and the mode (Transport, Tunnel, or iSession). For Tunnel mode, the policy also specifies the endpoints for the tunnel, and for IKE Phase 2 negotiation, the policy specifies the security parameters to be used in that negotiation. The way that you configure the IPsec policy determines the way that the BIG-IP system manipulates the IP headers in the packets. The BIG-IP system includes two default IPsec policies, named default-ipsec-policy and default-ipsec-policy-isession. A common configuration includes a bidirectional policy on each BIG-IP system.
Traffic selectors
    A traffic selector is a packet filter that defines what traffic should be handled by an IPsec policy. You define the traffic by source and destination IP addresses and port numbers. A common configuration includes a bidirectional traffic selector on each BIG-IP system.

About IP Payload Compression Protocol (IPComp)

IP Payload Compression Protocol (IPComp) is a protocol that reduces the size of IP payloads by compressing IP datagrams before fragmenting or encrypting the traffic. IPComp is typically used to improve encryption and decryption performance, thus increasing bandwidth utilization. Using an IPsec ESP tunnel can result in packet fragmentation, because the protocol adds a significant number of bytes to a packet. The additional bytes can push the packet over the maximum size allowed on the outbound link. Using compression is one way to mitigate fragmentation. IPComp is an option when you create a custom IPsec policy.

Task summary for securing WAN traffic with IPsec and IKE

You can configure the IPsec and IKE protocols to secure traffic that traverses a wide area network (WAN), such as from one data center to another.
Before you begin configuring IPsec and IKE, verify that these modules, system objects, and connectivity exist on the BIG-IP systems in both the local and remote locations:

BIG-IP Local Traffic Manager
    This module directs traffic securely and efficiently to the appropriate destination on a network.
Self IP address
    Each BIG-IP system must have at least one self IP address, to be used in specifying the ends of the IPsec tunnel.
The default VLANs
    These VLANs are named external and internal.
BIG-IP connectivity
    Verify the connectivity between the client or server and its BIG-IP device, and between each BIG-IP device and its gateway. For example, you can use ping to test this connectivity.

Task list

Creating a forwarding virtual server for IPsec

For IPsec, you create a forwarding (IP) type of virtual server to intercept IP traffic and direct it over the tunnel. With a forwarding (IP) virtual server, destination address translation and port translation are disabled.
  1. On the Main tab, click Local Traffic > Virtual Servers.
     The Virtual Server List screen opens.
  2. Click Create.
     The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Forwarding (IP).
  5. In the Destination Address field, type a wildcard network address in CIDR format, such as 0.0.0.0/0 for IPv4 or ::/0 for IPv6, to accept any traffic.
  6. From the Service Port list, select *All Ports.
  7. From the Protocol list, select *All Protocols.
  8. From the VLAN and Tunnel Traffic list, retain the default selection, All VLANs and Tunnels.
  9. Click Finished.

Creating a custom IPsec policy

You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode.
You must also configure the device at the other end of the IPsec tunnel.
  1. On the Main tab, click Network > IPsec > IPsec Policies.
  2. Click the Create button.
     The New Policy screen opens.
  3. In the Name field, type a unique name for the policy.
  4. In the Description field, type a brief description of the policy.
  5. For the IPsec Protocol setting, retain the default selection, ESP.
  6. From the Mode list, select Tunnel.
     The screen refreshes to show additional related settings.
  7. In the Tunnel Local Address field, type the local IP address of the system you are configuring.
     For example, the tunnel local IP address for BIG-IP A is 2.2.2.2.
  8. In the Tunnel Remote Address field, type the IP address that is remote to the system you are configuring.
     This address must match the Remote Address setting for the relevant IKE peer.
     For example, the tunnel remote IP address configured on BIG-IP A is the IP address of Router B, which is 3.3.3.3.
  9. For the IKE Phase 2 area, retain the default values, or select the options that are appropriate for your deployment.
     The values you select must match the IKE Phase 2 settings on the remote device.

     Setting                   Options
     Authentication Algorithm  SHA-1, AES-GCM128 (default), AES-GCM192, AES-GCM256, AES-GMAC128, AES-GMAC192, AES-GMAC256
     Encryption Algorithm      AES-GCM128 (default)
     Perfect Forward Secrecy   MODP768, MODP1024 (default), MODP1536, MODP2048, MODP3072, MODP4096, MODP6144, MODP8192
     Lifetime                  Length of time, in minutes, before the IKE security association expires.

  10. Click Finished.
     The screen refreshes and displays the new IPsec policy in the list.

Creating a bidirectional IPsec traffic selector

The traffic selector you create filters traffic based on the IP addresses and port numbers that you specify, as well as the custom IPsec policy you assign.
You must also configure the device at the other end of the IPsec tunnel.
  1. On the Main tab, click Network > IPsec > Traffic Selectors.
  2. Click Create.
     The New Traffic Selector screen opens.
  3. In the Name field, type a unique name for the traffic selector.
  4. In the Description field, type a brief description of the traffic selector.
  5. For the Order setting, retain the default value (First).
     This setting specifies the order in which the traffic selector appears on the Traffic Selector List screen.
  6. From the Configuration list, select Advanced.
  7. For the Source IP Address setting, click Host or Network, and in the Address field, type an IP address.
     This IP address should be the host or network address from which the application traffic originates.
     This table shows sample source IP addresses for BIG-IP A and Router B.

     System Name  Source IP Address
     BIG-IP A     1.1.1.0/24
     Router B     4.4.4.0/24

  8. From the Source Port list, select the source port for which you want to filter traffic, or retain the default value *All Ports.
  9. For the Destination IP Address setting, click Host, and in the Address field, type an IP address.
     This IP address should be the final host or network address to which the application traffic is destined.
     This table shows sample destination IP addresses for BIG-IP A and Router B.

     System Name  Destination IP Address
     BIG-IP A     4.4.4.0/24
     Router B     1.1.1.0/24

  10. From the Destination Port list, select the destination port for which you want to filter traffic, or retain the default value *All Ports.
  11. From the Protocol list, select the protocol for which you want to filter traffic.
     You can select *All Protocols, TCP, UDP, ICMP, or Other. If you select Other, you must type a protocol name.
  12. From the Direction list, select Both.
  13. From the Action list, select Protect.
     The IPsec Policy Name setting appears.
  14. From the IPsec Policy Name list, select the name of the custom IPsec policy that you created.
  15. Click Finished.
     The screen refreshes and displays the new IPsec traffic selector in the list.

Creating an IKE peer

The IKE peer object identifies, to the system you are configuring, the other device with which it communicates during Phase 1 negotiations. The IKE peer object also specifies the algorithms and credentials to be used for Phase 1 negotiation.
You must also configure the device at the other end of the IPsec tunnel.
  1. On the Main tab, click Network > IPsec > IKE Peers.
  2. Click the Create button.
     The New IKE Peer screen opens.
  3. In the Name field, type a unique name for the IKE peer.
  4. In the Description field, type a brief description of the IKE peer.
  5. In the Remote Address field, type the IP address of the device that is remote to the system you are configuring.
     This address must match the value of the Tunnel Remote Address setting in the relevant IPsec policy.
  6. For the State setting, retain the default value, Enabled.
  7. For the IKE Phase 1 Algorithms area, retain the default values, or select the options that are appropriate for your deployment.
     The values you select must match the IKE Phase 1 settings on the remote device.

     Setting                   Options
     Authentication Algorithm  MD5, SHA-1 (default), SHA-256, SHA-384, SHA-512
     Encryption Algorithm      DES, 3DES (default), BLOWFISH, CAST128, AES, CAMELLIA
     Perfect Forward Secrecy   MODP768, MODP1024 (default), MODP1536, MODP2048, MODP3072, MODP4096, MODP6144, MODP8192
     Lifetime                  Length of time, in minutes, before the IKE security association expires.

  8. In the IKE Phase 1 Credentials area, for the Authentication Method setting, select the option appropriate for your deployment.
     • If you select RSA Signature (default), the Certificate, Key, and Verify Peer Certificate settings are available. If you have your own certificate file, key file, and certificate authority (CA), F5 recommends, for security purposes, that you specify these files in the appropriate fields. To reveal all these fields, select the Verify Peer Certificate check box. If you retain the default settings, leave the check box cleared.
       If you select the check box, you must provide a certificate file, key, and certificate authority.
       This option is available only for IKEv1.
     • If you select Preshared Key, type the key in the Preshared Key field that becomes available.
       The key you type must be the same at both ends of the tunnel.
  9. For the Common Settings area, retain all default values.
  10. Click Finished.
     The screen refreshes and displays the new IKE peer in the list.
You now have an IKE peer defined for establishing a secure channel.
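
The three procedures above (IPsec policy, traffic selector, IKE peer) each require settings that mirror the remote device. The following is an added example, not F5 code and not tmsh syntax: it models only the GUI fields named in this chapter and reports mismatches between the two ends. The endpoint names, dictionary keys and the preshared key value are this example's own assumptions; the addresses are the chapter's sample values.

```python
"""Cross-check the settings this chapter requires to be mirrored on both
ends of an IPsec Tunnel-mode deployment (added example, not F5 code).
Dictionary keys are this example's own names for the GUI fields."""
import ipaddress


def endpoint(name, tunnel_local, tunnel_remote, selector_src, selector_dst,
             phase1, phase2, method, psk=None, ike_peer_remote=None):
    """Model one tunnel endpoint using only the fields this chapter configures."""
    return {
        "name": name, "tunnel_local": tunnel_local, "tunnel_remote": tunnel_remote,
        # Chapter: the IKE peer Remote Address must match the policy's Tunnel Remote Address
        "ike_peer_remote": ike_peer_remote or tunnel_remote,
        "selector": {"src": ipaddress.ip_network(selector_src),
                     "dst": ipaddress.ip_network(selector_dst),
                     "direction": "Both", "action": "Protect"},
        "phase1": phase1, "phase2": phase2, "method": method, "psk": psk,
    }


def check_pair(a, b):
    """Return a list of mismatches between two endpoints; an empty list means consistent."""
    problems = []

    def same(field_a, field_b, label):
        if field_a != field_b:
            problems.append("%s: %s has %r, %s has %r" % (label, a["name"], field_a, b["name"], field_b))

    for x, y in ((a, b), (b, a)):
        if x["tunnel_remote"] != y["tunnel_local"]:
            problems.append("%s Tunnel Remote Address %s is not %s's Tunnel Local Address %s"
                            % (x["name"], x["tunnel_remote"], y["name"], y["tunnel_local"]))
        if x["ike_peer_remote"] != x["tunnel_remote"]:
            problems.append("%s IKE peer Remote Address differs from its Tunnel Remote Address" % x["name"])
        if x["selector"]["direction"] != "Both" or x["selector"]["action"] != "Protect":
            problems.append("%s traffic selector must use Direction=Both and Action=Protect" % x["name"])
    # Selectors must be mirror images: A's source network is B's destination and vice versa
    if a["selector"]["src"] != b["selector"]["dst"] or a["selector"]["dst"] != b["selector"]["src"]:
        problems.append("traffic selectors are not mirrored")
    same(a["phase1"], b["phase1"], "IKE Phase 1 algorithms")
    same(a["phase2"], b["phase2"], "IKE Phase 2 settings")
    same(a["method"], b["method"], "Authentication Method")
    if a["method"] == "Preshared Key" and a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    return problems


# Constructed sample built from the chapter's example addresses; algorithm
# choices are options listed in the chapter's tables, not its defaults.
PHASE1 = {"auth": "SHA-256", "enc": "AES", "pfs": "MODP2048", "lifetime": 1440}
PHASE2 = {"auth": "AES-GCM128", "enc": "AES-GCM128", "pfs": "MODP2048", "lifetime": 60}
BIGIP_A = endpoint("BIG-IP A", "2.2.2.2", "3.3.3.3", "1.1.1.0/24", "4.4.4.0/24",
                   PHASE1, PHASE2, "Preshared Key", psk="example-only-psk")
ROUTER_B = endpoint("Router B", "3.3.3.3", "2.2.2.2", "4.4.4.0/24", "1.1.1.0/24",
                    PHASE1, PHASE2, "Preshared Key", psk="example-only-psk")

if __name__ == "__main__":
    for line in check_pair(BIGIP_A, ROUTER_B) or ["configuration is consistent"]:
        print(line)
```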

Verifying IPsec connectivity for Tunnel mode

After you have configured an IPsec tunnel and before you configure additional functionality, you can verify that the tunnel is passing traffic.
Only data traffic matching the traffic selector triggers the establishment of the tunnel.
  1. Access the tmsh command-line utility.
  2. Before sending traffic, type this command at the prompt.
     tmsh modify net ipsec ike-daemon ikedaemon log-level debug
     This command increases the logging level to display the messages that you want to view.
  3. Send data traffic to the destination IP address specified in the traffic selector.
  4. For an IKEv1 configuration, check the IKE Phase 1 negotiation status by typing this command at the prompt.
     racoonctl -l show-sa isakmp
     This example shows a result of the command. Destination is the tunnel remote IP address.

     Destination        Cookies                ST S V  E Created             Phase2
     165.160.15.20.500  98993e6 . . . 22c87f1  9  I 10 M 2012-06-27 16:51:19 1

     This table shows the legend for interpreting the result.

     Column              Displayed  Description
     ST (Tunnel Status)  1          Start Phase 1 negotiation
                         2          msg 1 received
                         3          msg 1 sent
                         4          msg 2 received
                         5          msg 2 sent
                         6          msg 3 received
                         7          msg 3 sent
                         8          msg 4 received
                         9          isakmp tunnel established
                         10         isakmp tunnel expired
     S                   I          Initiator
                         R          Responder
     V (Version Number)  10         ISAKMP version 1.0
     E (Exchange Mode)   M          Main (Identity Protection)
                         A          Aggressive
     Phase2              <n>        Number of Phase 2 tunnels negotiated with this IKE peer

  5. For an IKEv1 configuration, check the IKE Phase 2 negotiation status by typing this command at the prompt.
     racoonctl -ll show-sa internal
     This example shows a result of this command. Source is the tunnel local IP address. Destination is the tunnel remote IP address.

     Source       Destination    Status          Side
     10.100.20.3  165.160.15.20  sa established  [R]

     This table shows the legend for interpreting the result.

     Column  Displayed
     Side    I (Initiator), R (Responder)
     Status  init, start, acquire, getspi sent, getspi done, 1st msg sent, 1st msg recvd, commit bit, sa added, sa established, sa expired

  6. To verify the establishment of dynamically negotiated Security Associations (SAs), type this command at the prompt.
     tmsh show net ipsec ipsec-sa
     For each tunnel, the output displays IP addresses for two IPsec SAs, one for each direction, as shown in the example.

     IPsec::SecurityAssociations
     10.100.20.3 -> 165.160.15.20 SPI(0x7b438626) in esp (tmm: 6)
     165.160.15.20 -> 10.100.20.3 SPI(0x5e52a1db) out esp (tmm: 5)

  7. To display the details of the dynamically negotiated Security Associations (SAs), type this command at the prompt.
     tmsh show net ipsec ipsec-sa all-properties
     For each tunnel, the output displays the details for the IPsec SAs, as shown in the example.

     IPsec::SecurityAssociations
     165.160.15.20 -> 10.100.20.3
     -----------------------------------------------------------------------------
     tmm: 2 Direction: out; SPI: 0x6be3ff01(1810104065); ReqID: 0x9b0a(39690)
     Protocol: esp; Mode: tunnel; State: mature
     Authenticated Encryption : aes-gmac128
     Current Usage: 307488 bytes
     Hard lifetime: 94 seconds; unlimited bytes
     Soft lifetime: 34 seconds; unlimited bytes
     Replay window size: 64
     Last use: 12/13/2012:10:42 Create: 12/13/2012:10:39

  8. To display the details of the IKE-negotiated SAs (IKEv2), type this command at the prompt.
     tmsh show net ipsec ike-sa all-properties
  9. To filter the Security Associations (SAs) by traffic selector, type this command at the prompt.
     tmsh show net ipsec ipsec-sa traffic-selector ts_codec
     You can also filter by other parameters, such as SPI (spi), source address (src_addr), or destination address (dst_addr).
     The output displays the IPsec SAs that are associated with the specified traffic selector, as shown in the example.

     IPsec::SecurityAssociations
     10.100.115.12 -> 10.100.15.132 SPI(0x2211c0a9) in esp (tmm: 0)
     10.100.15.132 -> 10.100.115.12 SPI(0x932e0c44) out esp (tmm: 2)

  10. Check the IPsec stats by typing this command at the prompt.
     tmsh show net ipsec-stat
     If traffic is passing through the IPsec tunnel, the stats will increment.

     -------------------------------------------------------------------
     Net::Ipsec
     Cmd Id  Mode       Packets In  Bytes In  Packets Out  Bytes Out
     -------------------------------------------------------------------
     0       TRANSPORT  0           0         0            0
     0       TRANSPORT  0           0         0            0
     0       TUNNEL     0           0         0            0
     0       TUNNEL     0           0         0            0
     1       TUNNEL     353.9K      252.4M    24.9K        1.8M
     2       TUNNEL     117.9K      41.0M     163.3K       12.4M

  11. If the SAs are established, but traffic is not passing, type one of these commands at the prompt.
     tmsh delete net ipsec ipsec-sa (IKEv1)
     tmsh delete net ipsec ike-sa (IKEv2)
     This action deletes the IPsec tunnels. Sending new traffic triggers SA negotiation and establishment.
  12. If traffic is still not passing, type this command at the prompt.
     racoonctl flush-sa isakmp
     This action brings down the control channel. Sending new traffic triggers SA negotiation and establishment.
  13. View /var/log/racoon.log to verify that the IPsec tunnel is up.
     These lines are examples of the messages you are looking for.

     2012-06-29 16:45:13: INFO: ISAKMP-SA established 10.100.20.3[500]-165.160.15.20[500] spi:3840191bd045fa51:673828cf6adc5c61
     2012-06-29 16:45:14: INFO: initiate new phase 2 negotiation: 10.100.20.3[500]<=>165.160.15.20[500]
     2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 165.160.15.20[0]->10.100.20.3[0] spi=2403416622(0x8f413a2e)
     2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 10.100.20.3[0]->165.160.15.20[0] spi=4573766(0x45ca46

  14. To turn on IKEv2 logging on a production build, complete these steps.
     If you are using IKEv2, you can skip these steps; the BIG-IP system enables IPsec logging by default.
     1. Configure the log publisher for IPsec to use.

        % tmsh create sys log-config publisher ipsec { destinations add { local-syslog }}
        % tmsh list sys log-config publisher ipsec
        sys log-config publisher ipsec {
            destinations {
                local-syslog { }
            }
        }

     2. Attach the log publisher to the ike-daemon object.
        tmsh modify net ipsec ike-daemon ikedaemon log-publisher ipsec
  15. For protocol-level troubleshooting, you can increase the debug level by typing this command at the prompt.
     tmsh modify net ipsec ike-daemon ikedaemon log-level debug2
     Use this command only for debugging. It creates a large log file, and can slow the tunnel negotiation.
     Using this command flushes existing SAs.
  16. After you view the results, return the debug level to normal to avoid excessive logging by typing this command at the prompt.
     tmsh modify net ipsec ike-daemon ikedaemon log-level info
     Using this command flushes existing SAs.
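
The verification steps above rely on reading three kinds of output by hand: the racoonctl ISAKMP status row and its legend, the in/out SA pairs from tmsh show net ipsec ipsec-sa, and the racoon.log establishment messages. The following added example (not part of the F5 manual) decodes each of them; the sample lines are constructed from the chapter's own examples, and the column handling follows the chapter's legend tables.

```python
"""Decode the IPsec verification output described in this chapter
(added example, not F5 code). Sample lines are constructed from the
chapter's examples; legend values come from the chapter's tables."""
import re
from collections import defaultdict

# Legend for `racoonctl -l show-sa isakmp`, as given in the chapter.
ST_LEGEND = {
    "1": "Start Phase 1 negotiation", "2": "msg 1 received", "3": "msg 1 sent",
    "4": "msg 2 received", "5": "msg 2 sent", "6": "msg 3 received",
    "7": "msg 3 sent", "8": "msg 4 received", "9": "isakmp tunnel established",
    "10": "isakmp tunnel expired",
}
SIDE = {"I": "Initiator", "R": "Responder"}
EXCHANGE = {"M": "Main (Identity Protection)", "A": "Aggressive"}


def parse_isakmp_sa(row):
    """Parse one data row of `racoonctl -l show-sa isakmp`.
    The Cookies column may be printed with embedded spaces, so the fixed
    columns (ST S V E Created Phase2) are read from the right-hand end."""
    fields = row.split()
    st, side, ver, exch, date, time, phase2 = fields[-7:]
    return {
        "destination": fields[0],  # tunnel remote IP address (with .500 port suffix)
        "status": ST_LEGEND.get(st, "unknown (%s)" % st),
        "side": SIDE.get(side, side),
        "version": "ISAKMP version 1.0" if ver == "10" else ver,
        "exchange": EXCHANGE.get(exch, exch),
        "created": "%s %s" % (date, time),
        "phase2_tunnels": int(phase2),
    }


SA_RE = re.compile(r"(\S+) -> (\S+) SPI\((0x[0-9a-fA-F]+)\) (in|out) (\w+) \(tmm: (\d+)\)")


def paired_tunnels(sa_output):
    """From `tmsh show net ipsec ipsec-sa` output, return endpoint pairs that have
    an SA in each direction; the chapter expects one in and one out per tunnel."""
    directions = defaultdict(set)
    for src, dst, _spi, direction, _proto, _tmm in SA_RE.findall(sa_output):
        directions[frozenset((src, dst))].add(direction)
    return sorted(tuple(sorted(pair)) for pair, d in directions.items() if d == {"in", "out"})


def tunnel_up(racoon_log):
    """True when racoon.log shows the ISAKMP-SA plus both Tunnel-mode IPsec-SAs."""
    phase1 = "ISAKMP-SA established" in racoon_log
    phase2 = len(re.findall(r"IPsec-SA established: ESP/Tunnel", racoon_log))
    return phase1 and phase2 >= 2


# Constructed samples modelled on the chapter's output examples.
ISAKMP_ROW = "165.160.15.20.500 98993e6 . . . 22c87f1 9 I 10 M 2012-06-27 16:51:19 1"
SA_OUTPUT = """IPsec::SecurityAssociations
10.100.20.3 -> 165.160.15.20 SPI(0x7b438626) in esp (tmm: 6)
165.160.15.20 -> 10.100.20.3 SPI(0x5e52a1db) out esp (tmm: 5)"""
RACOON_LOG = """2012-06-29 16:45:13: INFO: ISAKMP-SA established 10.100.20.3[500]-165.160.15.20[500] spi:3840191bd045fa51:673828cf6adc5c61
2012-06-29 16:45:14: INFO: initiate new phase 2 negotiation: 10.100.20.3[500]<=>165.160.15.20[500]
2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 165.160.15.20[0]->10.100.20.3[0] spi=2403416622(0x8f413a2e)
2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 10.100.20.3[0]->165.160.15.20[0] spi=4573766"""

if __name__ == "__main__":
    print(parse_isakmp_sa(ISAKMP_ROW))
    print(paired_tunnels(SA_OUTPUT))
    print(tunnel_up(RACOON_LOG))
```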

Implementation result

You now have an IPsec tunnel for securing traffic that traverses the WAN, from one BIG-IP® system to another.