Manual Chapter : Securing EtherIP Tunnel Traffic with IPsec

Applies To:

BIG-IP AFM

  • 15.0.0, 14.1.0

BIG-IP ASM

  • 15.0.0, 14.1.0

BIG-IP AAM

  • 15.0.0, 14.1.0

BIG-IP APM

  • 15.0.0, 14.1.0

BIG-IP LTM

  • 15.0.0, 14.1.0

Overview: Securing EtherIP tunnel traffic with IPsec

You can use the IPsec protocol to secure EtherIP tunnel traffic that is undergoing live migration across a wide area network (WAN) using VMware vMotion. The EtherIP tunnel preserves any existing connections between the BIG-IP® system and a virtual machine while the virtual machine migrates to another data center. Adding IPsec to this configuration involves adding an IPsec traffic selector on each side of the IPsec tunnel. Those traffic selectors have the same source and destination IP addresses as the EtherIP tunnel.
Perform these tasks on the BIG-IP system in both the local data center and the remote data center.

Task List

Creating a VLAN

VLANs represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN.
  1. On the Main tab, click Network > VLANs.
    The VLAN List screen opens.
  2. Click Create.
    The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
  4. In the Tag field, type a numeric tag, between 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. If you want to use Q-in-Q (double) tagging, use the Customer Tag setting to perform the following two steps. If you do not see the Customer Tag setting, your hardware platform does not support Q-in-Q tagging and you can skip this step.
    1. From the Customer Tag list, select Specify.
    2. Type a numeric tag, from 1-4094, for the VLAN.
    The customer tag specifies the inner tag of any frame passing through the VLAN.
  6. For the Interfaces setting:
    1. From the Interface list, select an interface number.
    2. From the Tagging list, select Untagged.
    3. Click Add.
  7. For the Hardware SYN Cookie setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  8. For the Syncache Threshold setting, retain the default value or change it to suit your needs.
    The Syncache Threshold value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.
    When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
    • The number of TCP half-open connections defined in the LTM setting Global SYN Check Threshold is reached.
    • The number of SYN flood packets defined in this Syncache Threshold setting is reached.
  9. For the SYN Flood Rate Limit setting, retain the default value or change it to suit your needs.
    The SYN Flood Rate Limit value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  10. Click Finished.
    The screen refreshes, and it displays the new VLAN in the list.

Creating an EtherIP tunnel object

Before you perform this task, you must know the self IP address of the instance of the VLAN that exists, or will exist, on the BIG-IP system in the other data center.
The purpose of an EtherIP tunnel that contains an EtherIP type of profile is to enable the BIG-IP system to preserve any current connections to a server that is using VMware vMotion for migration to another data center.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create.
    The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Profile list, select etherip.
  4. In the Local Address field, type the self IP address of the local BIG-IP system.
  5. In the Remote Address field, type the self IP address of the remote BIG-IP system.
  6. If the BIG-IP system is part of an HA cluster, select the corresponding traffic group from the Traffic Group list.
  7. Click Finished.

Creating a VLAN group

VLAN groups consolidate Layer 2 traffic from two or more separate VLANs.
  1. On the Main tab, click Network > VLANs > VLAN Groups.
    The VLAN Groups list screen opens.
  2. From the VLAN Groups menu, choose List.
  3. Click Create.
    The New VLAN Group screen opens.
  4. In the General Properties area, in the VLAN Group field, type a unique name for the VLAN group.
  5. For the VLANs setting, from the Available field select the internal and external VLAN names, and click << to move the VLAN names to the Members field.
  6. Click Finished.

Creating a self IP address

Before you create a self IP address, ensure that you have created at least one VLAN or VLAN group.
A self IP address enables the BIG-IP system and other devices on the network to route application traffic through the associated VLAN or VLAN group.
  1. On the Main tab, click Network > Self IPs.
  2. Click Create.
    The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP address.
  4. In the IP Address field, type an IPv4 or IPv6 address.
    This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.
  5. In the Netmask field, type the full network mask for the specified IP address.
  6. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address.
    • On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
    • On the external network, select the external VLAN that is associated with an external interface or trunk.
  7. From the Port Lockdown list, select Allow Default.
  8. For the Traffic Group setting, choose one of the following actions:
    Action: Retain the default setting, traffic-group-local-only (non-floating).
    Result: The system creates a non-floating self IP address that becomes a member of traffic-group-local-only.
    Action: Select the check box labeled Inherit traffic group from current partition / path.
    Result: The system creates a floating self IP address that becomes a member of traffic-group-1.
    Action: Select a traffic group from the Traffic Group list.
    Result: The system creates a floating self IP address that becomes a member of the selected traffic group.
  9. From the Service Policy list, retain the default value of None, or select a policy to associate with the self IP address.
    A service policy contains a timer policy, which defines custom timeouts for matched traffic types.
  10. Click Finished.
    The screen refreshes, and displays the new self IP address.
After you perform this task, the BIG-IP system can send and receive traffic through the specified VLAN or VLAN group. If the self IP address is a member of a floating traffic group and you configure the system for redundancy, the self IP address can fail over to another device group member if necessary.
After creating the self IP address, ensure that you repeat this task to create as many self IP addresses as needed.

Creating a self IP for a VLAN group

Before you create a self IP address, ensure that you have created at least one VLAN or VLAN group.
A self IP address enables the BIG-IP system and other devices on the network to route application traffic through the associated VLAN or VLAN group.
  1. On the Main tab, click Network > Self IPs.
  2. Click Create.
    The New Self IP screen opens.
  3. In the IP Address field, type a self IP address for the VLAN group. In the example shown, this IP address is 10.0.0.6.
  4. In the Netmask field, type the network mask for the specified IP address.
    For example, you can type 255.255.255.0.
  5. From the VLAN/Tunnel list, select the name of the VLAN group you previously created.
  6. From the Port Lockdown list, select Allow Default.
  7. Click Finished.
    The screen refreshes, and displays the new self IP address.
The BIG-IP system can send and receive traffic through the specified VLAN or VLAN group.

Creating a custom IPsec policy for EtherIP tunnel traffic

When you use IPsec to secure EtherIP tunnel traffic, you must create a custom IPsec policy for the traffic selector to use.
  1. On the Main tab, click Network > IPsec > IPsec Policies.
  2. Click the Create button.
    The New Policy screen opens.
  3. In the Name field, type a unique name for the policy.
  4. From the Mode list, select Tunnel.
    The screen refreshes to show additional related settings.
  5. In the Tunnel Local Address field, type an IP address.
    This IP address must match the local address of the EtherIP tunnel and the source IP address of the associated traffic selector.
  6. In the Tunnel Remote Address field, type an IP address.
    This IP address must match the remote address of the EtherIP tunnel and the destination IP address of the associated traffic selector.
  7. Click Finished.
    The screen refreshes and displays the new IPsec policy in the list.

Creating an IPsec traffic selector for EtherIP traffic

Before you start this task, make sure that you have created a custom IPsec policy to use with this traffic selector.
When you use IPsec to secure EtherIP tunnel traffic, you must create an IPsec traffic selector at each end of the IPsec tunnel to capture the EtherIP traffic.
  1. On the Main tab, click Network > IPsec > Traffic Selectors.
  2. Click Create.
    The New Traffic Selector screen opens.
  3. In the Name field, type a unique name for the traffic selector.
  4. For the Source IP Address or CIDR setting, type an IP address.
    This IP address must match the IP address specified for the Tunnel Local Address in the selected IPsec policy.
  5. For the Destination IP Address or CIDR setting, type an IP address.
    This IP address must match the IP address specified for the Tunnel Remote Address in the selected IPsec policy.
  6. From the Protocol list, select Other, and type 97, the EtherIP protocol number.
  7. From the IPsec Policy Name list, select the name of the custom IPsec policy that you created.
  8. Click Finished.
    The screen refreshes and displays the new IPsec traffic selector in the list.

Implementation result

After you configure EtherIP tunneling on the BIG-IP system, you must perform the same configuration procedure on the BIG-IP system in the remote data center to fully establish the EtherIP tunnel.
After the tunnel is established, the BIG-IP system preserves any open connections to migrating (or migrated) virtual machine servers.
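As an added example, not part of the F5 manual, the following Python check encodes the consistency rules the tasks above state: the IPsec policy's tunnel addresses must equal the EtherIP tunnel's local and remote addresses, the traffic selector's source and destination must equal the policy's tunnel addresses, the selector protocol must be 97, the selector must reference the custom policy, and the remote data center's configuration must be the mirror image of the local one. Object names and IP addresses in the sample are constructed placeholders.

```python
from typing import List, NamedTuple

ETHERIP_PROTOCOL = 97  # IP protocol number the traffic selector must match

class EtherIPTunnel(NamedTuple):
    local_address: str    # self IP of this BIG-IP
    remote_address: str   # self IP of the BIG-IP in the other data center

class IPsecPolicy(NamedTuple):
    name: str
    mode: str
    tunnel_local_address: str
    tunnel_remote_address: str

class TrafficSelector(NamedTuple):
    source_address: str
    destination_address: str
    ip_protocol: int
    ipsec_policy: str     # name of the IPsec policy the selector references

def check_site(tunnel, policy, sel) -> List[str]:
    """Mismatches between one BIG-IP's EtherIP tunnel, IPsec policy and traffic selector."""
    rules = [
        (policy.mode == "tunnel", "policy mode must be Tunnel"),
        (policy.tunnel_local_address == tunnel.local_address, "policy local != tunnel local"),
        (policy.tunnel_remote_address == tunnel.remote_address, "policy remote != tunnel remote"),
        (sel.source_address == policy.tunnel_local_address, "selector source != policy local"),
        (sel.destination_address == policy.tunnel_remote_address, "selector destination != policy remote"),
        (sel.ip_protocol == ETHERIP_PROTOCOL, "selector protocol must be 97 (EtherIP)"),
        (sel.ipsec_policy == policy.name, "selector does not reference the custom policy"),
    ]
    return [msg for ok, msg in rules if not ok]

def check_pair(local, remote) -> List[str]:
    """Both data centers: each side passes check_site and mirrors the other's endpoints."""
    problems = check_site(*local) + check_site(*remote)
    lt, rt = local[0], remote[0]
    if (lt.local_address, lt.remote_address) != (rt.remote_address, rt.local_address):
        problems.append("remote tunnel does not mirror the local tunnel addresses")
    return problems

def make_site(local_ip, remote_ip, proto=ETHERIP_PROTOCOL, policy="etherip_policy"):
    """Constructed sample site (hypothetical object name, documentation-range addresses)."""
    return (EtherIPTunnel(local_ip, remote_ip),
            IPsecPolicy(policy, "tunnel", local_ip, remote_ip),
            TrafficSelector(local_ip, remote_ip, proto, policy))

if __name__ == "__main__":
    dc1, dc2 = make_site("192.0.2.6", "198.51.100.6"), make_site("198.51.100.6", "192.0.2.6")
    print(check_pair(dc1, dc2))  # []
```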