Manual Chapter : Configuring IPsec Using Manually Keyed Security Associations

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP APM

  • 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Link Controller

  • 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP LTM

  • 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP AFM

  • 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP ASM

  • 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Manual Chapter

Configuring IPsec Using Manually Keyed Security Associations

Overview: Configuring IPsec using manually keyed security associations

You can configure an IPsec tunnel when you want to use a protocol other than SSL to secure traffic that traverses a wide area network (WAN), from one BIG-IP ®system to another. Typically, you would use the Internet Key Exchange (IKE) protocol to negotiate the secure channel between the two systems. If you choose not to use IKE, you must create manual security associations for IPsec security. A
manual security association
statically defines the specific attribute values that IPsec should use for the authentication and encryption of data flowing through the tunnel.
Illustration of an IPsec deployment
IPsec manual security association deployment illustration
The implementation of the IPsec protocol suite using manually keyed security associations consists of these components:
IPsec policy
An
IPsec policy
is a set of information that defines the specific IPsec protocol to use (ESP or AH), and the mode (Transport, Tunnel, or iSession®). For Tunnel mode, the policy also specifies the endpoints for the tunnel. The way that you configure the IPsec policy determines the way that the BIG-IP system manipulates the IP headers in the packets.
Manual security association
A
manual security association
is set of information that the IPsec protocol uses to authenticate and encrypt application traffic.
When you manually create a security association instead of using IKE, the peer systems do not negotiate these attributes. Peers can communicate only when they share the same configured attributes.
Traffic selector
A
traffic selector
is a packet filter that defines what traffic should be handled by a IPsec policy. You define the traffic by source and destination IP addresses and port numbers.

About IPsec Tunnel mode

Tunnel mode
causes the IPsec protocol to encrypt the entire packet (the payload plus the IP header). This encrypted packet is then included as the payload in another outer packet with a new header. Traffic sent in this mode is more secure than traffic sent in Transport mode, because the original IP header is encrypted along with the original payload.

Task summary to configure an IPsec tunnel to secure traffic that traverses a WAN

You can configure an IPsec tunnel to secure traffic that traverses a wide area network (WAN), such as from one BIG-IP® system to another.
Before you begin configuring IPsec, verify that these modules, system objects, and connectivity exist on the BIG-IP systems in both the local and remote locations:
BIG-IP Local Traffic Manager
This module directs traffic securely and efficiently to the appropriate destination on a network.
Self IP address
Each BIG-IP system must have at least one self IP address, to be used in specifying the ends of the IPsec tunnel.
The default VLANs
These VLANs are named
external
and
internal
.
BIG-IP system connectivity
Verify the connectivity between the client or server and its BIG-IP device, and between each BIG-IP device and its gateway. For example, you can use
ping
to test this connectivity.

Task list

Creating a forwarding virtual server for IPsec

For IPsec, you create a forwarding (IP) type of virtual server to intercept IP traffic and direct it over the tunnel. With a forwarding (IP) virtual server, destination address translation and port translation are disabled.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. From the
    Type
    list, select
    Forwarding (IP)
    .
  5. In the
    Destination Address/Mask
    field, type a wildcard network address in CIDR format, such as
    0.0.0.0/0
    for IPv4 or
    ::/0
    for IPv6, to accept any traffic.
  6. From the
    Service Port
    list, select
    *All Ports
    .
  7. From the
    Protocol
    list, select
    *All Protocols
    .
  8. From the
    VLAN and Tunnel Traffic
    list, retain the default selection,
    All VLANs and Tunnels
    .
  9. Click
    Finished
    .

Creating custom IPsec policies for manual security associations

When you are using manual security associations for an IPsec tunnel between two BIG-IP systems, you must create two custom IPsec policies on each system, one to use for outbound traffic and the other for inbound traffic. You establish the directionality of a policy by associating it with a unidirectional traffic selector.
  1. On the Main tab, click
    Network
    IPsec
    IPsec Policies
    .
  2. Click the
    Create
    button.
    The New Policy screen opens.
  3. In the
    Name
    field, type a unique name for the policy.
  4. For the
    IPsec Protocol
    setting, retain the default selection,
    ESP
    .
  5. From the
    Mode
    list, select
    Tunnel
    .
    The screen refreshes to show additional related settings.
  6. In the
    Tunnel Local Address
    field, type the IP address of the BIG-IP system that initiates the traffic.
    To specify a route domain ID in an IP address, use the format n.n.n.n%ID.
    When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains.
    For the outbound policy, this is the IP address of the local BIG-IP system. For the inbound policy, this is the IP address of the remote BIG-IP system.
    This table shows sample outbound and inbound tunnel local addresses configured on BIG-IP A and BIG-IP B.
    System Name
    Traffic Direction
    Tunnel Local Address
    BIG-IP A
    Outbound
    2.2.2.2
    Inbound
    3.3.3.3
    BIG-IP B
    Outbound
    3.3.3.3
    Inbound
    2.2.2.2
  7. In the
    Tunnel Remote Address
    field, type the IP address of the BIG-IP system that receives the traffic.
    To specify a route domain ID in an IP address, use the format n.n.n.n%ID.
    When you use IKEv1, the BIG-IP system supports a maximum of 512 route domains.
    For the outbound policy, this is the IP address of the remote BIG-IP system. For the inbound policy, this is the IP address of the local BIG-IP system.
    This table shows sample outbound and inbound tunnel remote addresses configured on BIG-IP A and BIG-IP B.
    System Name
    Traffic Direction
    Tunnel Remote Address
    BIG-IP A
    Outbound
    3.3.3.3
    Inbound
    2.2.2.2
    BIG-IP B
    Outbound
    2.2.2.2
    Inbound
    3.3.3.3
  8. For the
    Authentication Algorithm
    setting, retain the default value, or select the algorithm appropriate for your deployment.
  9. For the
    Encryption Algorithm
    setting, retain the default value, or select the algorithm appropriate for your deployment.
  10. For the
    Perfect Forward Secrecy
    setting, select the option appropriate for your deployment.
  11. For the
    IPComp
    setting, specify whether to use IPComp encapsulation, which performs packet-level compression before encryption:
    • Retain the default value
      None
      , if you do not want to enable packet-level compression before encryption.
    • Select
      DEFLATE
      to enable packet-level compression before encryption.
  12. For the
    Lifetime
    setting, retain the default value,
    1440
    .
    This is the length of time (in minutes) before the current security association expires.
  13. Click
    Finished
    .
    The screen refreshes and displays the new IPsec policy in the list.
  14. Repeat this task for outbound and inbound traffic policies on both the local and remote BIG-IP systems.
When you are finished, you should have created four separate IPsec policies, two on each system.

Manually creating IPsec security associations for inbound and outbound traffic

Before you start this task, you need to create two custom IPsec policies on the BIG-IP system, one for outbound traffic and another for inbound traffic.
You can manually create security associations to specify the security attributes for a given IPsec communication session. For the manual configuration, you need to create two manual security associations for each connection, one for outbound traffic and the other for inbound traffic.
You must perform this task on both BIG-IP systems.
  1. On the Main tab, click
    Network
    IPsec
    Manual Security Associations
    .
  2. Click the
    Create
    button.
    The New Security Association screen opens.
  3. In the
    Name
    field, type a unique name for the security association.
  4. In the
    Description
    field, type a brief description of the security setting.
  5. In the
    SPI
    field, type a unique number for the security parameter index.
    This number must be an integer between 256 and 4294967296.
  6. In the
    Source Address
    field, type the source IP address.
    This IP address must match the IP address specified for the
    Tunnel Local Address
    in the selected IPsec policy.
  7. In the
    Destination Address
    field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    This IP address must match the IP address specified for the
    Tunnel Remote Address
    in the selected IPsec policy.
  8. In the
    Authentication Key
    field, type a key value.
    This value can by any double-quoted character string up to a maximum of 128 characters
  9. From the
    Encryption Algorithm
    list, select the algorithm appropriate to your deployment.
  10. In the
    Encryption Key
    field, type a key value.
    This value can by any double-quoted character string up to a maximum of 128 characters
  11. From the
    IPsec Policy Name
    list, select an IPsec policy.
    • For the outbound security association, select the IPsec policy you created for outbound traffic.
    • For the inbound security association, select the IPsec policy you created for inbound traffic.
  12. Repeat this task for security associations that handle outbound and inbound traffic on both the local and remote BIG-IP systems.
When you are finished, you should have manually created four separate security associations, two on each system.

Creating IPsec traffic selectors for manually keyed security associations

Before you start this task, you need to create two custom IPsec policies on the BIG-IP system, one for outbound traffic and another for inbound traffic.
You can use this procedure to create IPsec traffic selectors that reference custom IPsec policies for unidirectional traffic in an IPsec tunnel for which you have manually keyed security associations. You need to create two traffic selectors on each BIG-IP system, one for outbound traffic and the other for inbound traffic. Each
traffic selector
you create filters traffic based on the IP addresses and port numbers that you specify, as well as the custom IPsec policy you assign.
You must perform this task on both BIG-IP systems.
  1. On the Main tab, click
    Network
    IPsec
    Traffic Selectors
    .
  2. Click
    Create
    .
    The New Traffic Selector screen opens.
  3. In the
    Name
    field, type a unique name for the traffic selector.
  4. In the
    Description
    field, type a brief description of the traffic selector.
  5. From the
    Configuration
    list, select
    Advanced
    .
  6. For the
    Source IP Address or CIDR
    setting, type an IP address.
    This IP address must match the IP address specified for the
    Tunnel Local Address
    in the selected IPsec policy.
  7. From the
    Source Port
    list, select the source port for which you want to filter traffic, or retain the default value
    *All Ports
    .
  8. For the
    Destination IP Address or CIDR
    setting, type an IP address.
    This IP address must match the IP address specified for the
    Tunnel Remote Address
    in the selected IPsec policy.
  9. From the
    Destination Port
    list, select the destination port for which you want to filter traffic, or retain the default value
    * All Ports
    .
  10. From the
    Protocol
    list, select the protocol for which you want to filter traffic.
    You can select
    * All Protocols
    ,
    TCP
    ,
    UDP
    ,
    ICMP
    , or
    Other
    . If you select
    Other
    , you must type a protocol name.
  11. From the
    Direction
    list, select
    Out
    or
    In
    , depending on whether this traffic selector is for outbound or inbound traffic.
  12. From the
    IPsec Policy Name
    list, select an IPsec policy.
    • For the outbound traffic selector, select the IPsec policy you created for outbound traffic.
    • For the inbound traffic selector, select the IPsec policy you created for inbound traffic.
  13. Click
    Finished
    .
    The screen refreshes and displays the new IPsec traffic selector in the list.
  14. Repeat this task for traffic selectors that handle outbound and inbound traffic on both the local and remote BIG-IP systems.
When you are finished, you should have manually created four separate traffic selectors, two on each system.

Verifying IPsec connectivity for Tunnel mode

After you have configured an IPsec tunnel and before you configure additional functionality, you can verify that the tunnel is passing traffic.
Only data traffic matching the traffic selector triggers the establishment of the tunnel.
  1. Access the
    tmsh
    command-line utility.
  2. Before sending traffic, type this command at the prompt.
    tmsh modify net ipsec ike-daemon ikedaemon log-level debug
    This command increases the logging level to display the messages that you want to view.
  3. Send data traffic to the destination IP address specified in the traffic selector.
  4. For an IKEv1 configuration, check the IKE Phase 1 negotiation status by typing this command at the prompt.
    racoonctl -l show-sa isakmp
    This example shows a result of the command.
    Destination
    is the tunnel remote IP address.
    Destination Cookies ST S V E Created Phase2 165.160.15.20.500 98993e6 . . . 22c87f1 9 I 10 M 2012-06-27 16:51:19 1
    This table shows the legend for interpreting the result.
    Column
    Displayed
    Description
    ST (Tunnel Status)
    1
    Start Phase 1 negotiation
    2
    msg 1 received
    3
    msg 1 sent
    4
    msg 2 received
    5
    msg 2 sent
    6
    msg 3 received
    7
    msg 3 sent
    8
    msg 4 received
    9
    isakmp tunnel established
    10
    isakmp tunnel expired
    S
    I
    Initiator
    R
    Responder
    V (Version Number)
    10
    ISAKMP version 1.0
    E (Exchange Mode)
    M
    Main (Identity Protection)
    A
    Aggressive
    Phase2
    <n>
    Number of Phase 2 tunnels negotiated with this IKE peer
  5. For an IKEv1 configuration, check the IKE Phase 2 negotiation status by typing this command at the prompt.
    racoonctl -ll show-sa internal
    This example shows a result of this command.
    Source
    is the tunnel local IP address.
    Destination
    is the tunnel remote IP address.
    Source Destination Status Side 10.100.20.3 165.160.15.20 sa established [R]
    This table shows the legend for interpreting the result.
    Column
    Displayed
    Side
    I (Initiator)
    R (Responder)
    Status
    init
    start
    acquire
    getspi sent
    getspi done
    1st msg sent
    1st msg recvd
    commit bit
    sa added
    sa established
    sa expired
  6. To verify the establishment of dynamic negotiated Security Associations (SAs), type this command at the prompt.
    tmsh show net ipsec ipsec-sa
    For each tunnel, the output displays IP addresses for two IPsec SAs, one for each direction, as shown in the example.
    IPsec::SecurityAssociations 10.100.20.3 -> 165.160.15.20 SPI(0x7b438626) in esp (tmm: 6) 165.160.15.20 -> 10.100.20.3 SPI(0x5e52a1db) out esp (tmm: 5)
  7. To display the details of the dynamic negotiated Security Associations (SAs), type this command at the prompt.
    tmsh show net ipsec ipsec-sa all-properties
    For each tunnel, the output displays the details for the IPsec SAs, as shown in the example.
    IPsec::SecurityAssociations 165.160.15.20 -> 10.100.20.3 ----------------------------------------------------------------------------- tmm: 2 Direction: out; SPI: 0x6be3ff01(1810104065); ReqID: 0x9b0a(39690) Protocol: esp; Mode: tunnel; State: mature Authenticated Encryption : aes-gmac128 Current Usage: 307488 bytes Hard lifetime: 94 seconds; unlimited bytes Soft lifetime: 34 seconds; unlimited bytes Replay window size: 64 Last use: 12/13/2012:10:42 Create: 12/13/2012:10:39
  8. To display the details of the IKE-negotiated SAs (IKEv2), type this command at the prompt.
    tmsh show net ipsec ike-sa all-properties
  9. To filter the Security Associations (SAs) by traffic selector, type this command at the prompt.
    tmsh show net ipsec ipsec-sa traffic-selector ts_codec
    You can also filter by other parameters, such as SPI (
    spi
    ), source address (
    src_addr
    ), or destination address (
    dst_addr
    )
    The output displays the IPsec SAs that area associated with the traffic selector specified, as shown in the example.
    IPsec::SecurityAssociations 10.100.115.12 -> 10.100.15.132 SPI(0x2211c0a9) in esp (tmm: 0) 10.100.15.132 -> 10.100.115.12 SPI(0x932e0c44) out esp (tmm: 2)
  10. Check the IPsec stats by typing this command at the prompt.
    tmsh show net ipsec-stat
    If traffic is passing through the IPsec tunnel, the stats will increment.
    ------------------------------------------------------------------- Net::Ipsec Cmd Id Mode Packets In Bytes In Packets Out Bytes Out ------------------------------------------------------------------- 0 TRANSPORT 0 0 0 0 0 TRANSPORT 0 0 0 0 0 TUNNEL 0 0 0 0 0 TUNNEL 0 0 0 0 1 TUNNEL 353.9K 252.4M 24.9K 1.8M 2 TUNNEL 117.9K 41.0M 163.3K 12.4M
  11. If the SAs are established, but traffic is not passing, type one of these commands at the prompt.


    tmsh delete net ipsec ipsec-sa (IKEv1)


    tmsh delete net ipsec ike-sa (IKEv2)

    This action deletes the IPsec tunnels. Sending new traffic triggers SA negotiation and establishment.
  12. If traffic is still not passing, type this command at the prompt.
    racoonctl flush-sa isakmp
    This action brings down the control channel. Sending new traffic triggers SA negotiation and establishment.
  13. View the
    /var/log/racoon.log
    to verify that the IPsec tunnel is up.
    These lines are examples of the messages you are looking for.
    2012-06-29 16:45:13: INFO: ISAKMP-SA established 10.100.20.3[500]-165.160.15.20[500] spi:3840191bd045fa51:673828cf6adc5c61 2012-06-29 16:45:14: INFO: initiate new phase 2 negotiation: 10.100.20.3[500]<=>165.160.15.20[500] 2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 165.160.15.20[0]->10.100.20.3[0] spi=2403416622(0x8f413a2e) 2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 10.100.20.3[0]->165.160.15.20[0] spi=4573766(0x45ca46
  14. To turn on IKEv2 logging on a production build, complete these steps.
    If you are using IKEv2, you can skip these steps; the BIG-IP system enables IPsec logging by default.
    1. Configure the log publisher for IPsec to use.
      % tmsh create sys log-config publisher ipsec { destinations add { local-syslog }} % tmsh list sys log-config publisher ipsec sys log-config publisher ipsec { destinations { local-syslog { } } }
    2. Attach the log publisher to the
      ike-daemon
      object.
      tmsh modify net ipsec ike-daemon ikedaemon log-publisher ipsec
  15. For protocol-level troubleshooting, you can increase the debug level by typing this command at the prompt.
    tmsh modify net ipsec ike-daemon ikedaemon log-level debug2
    Use this command only for debugging. It creates a large log file, and can slow the tunnel negotiation.
    Using this command flushes existing SAs.
  16. After you view the results, return the debug level to normal to avoid excessive logging by typing this command at the prompt.
    tmsh modify net ipsec ike-daemon ikedaemon log-level info
    Using this command flushes existing SAs.