Manual Chapter: Securing EtherIP Tunnel Traffic with IPsec
Applies To:
BIG-IP AAM: 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP APM: 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Link Controller: 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP LTM: 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP AFM: 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP ASM: 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Overview: Securing EtherIP tunnel traffic with IPsec
You can use the IPsec protocol to secure EtherIP tunnel traffic that is undergoing live
migration across a wide area network (WAN) using VMware vMotion. The EtherIP tunnel preserves any
existing connections between the BIG-IP® system and a virtual machine while
the virtual machine migrates to another data center. Adding IPsec to this configuration involves
adding an IPsec traffic selector on each side of the IPsec tunnel. Those traffic selectors have
the same source and destination IP addresses as the EtherIP tunnel.
Perform these tasks on the BIG-IP system in both the local data center and
the remote data center.
Task List
Creating a VLAN
VLANs represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN.
- On the Main tab, click. The VLAN List screen opens.
- Click Create. The New VLAN screen opens.
- In the Name field, type a unique name for the VLAN.
- In the Tag field, type a numeric tag, between 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag. The VLAN tag identifies the traffic from hosts in the associated VLAN.
- If you want to use Q-in-Q (double) tagging, use the Customer Tag setting to perform the following two steps. If you do not see the Customer Tag setting, your hardware platform does not support Q-in-Q tagging and you can skip this step.
  - From the Customer Tag list, select Specify.
  - Type a numeric tag, from 1-4094, for the VLAN.
  The customer tag specifies the inner tag of any frame passing through the VLAN.
- For the Interfaces setting:
  - From the Interface list, select an interface number.
  - From the Tagging list, select Untagged.
  - Click Add.
- For the Hardware SYN Cookie setting, select or clear the check box. When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN. Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
- For the Syncache Threshold setting, retain the default value or change it to suit your needs. The Syncache Threshold value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature. When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
  - The number of TCP half-open connections defined in the LTM setting Global SYN Check Threshold is reached.
  - The number of SYN flood packets defined in this Syncache Threshold setting is reached.
- For the SYN Flood Rate Limit setting, retain the default value or change it to suit your needs. The SYN Flood Rate Limit value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
- Click Finished. The screen refreshes, and it displays the new VLAN in the list.
Creating an EtherIP tunnel object
Before you perform this task, you must know the self IP address of the instance of
the VLAN that exists, or will exist, on the BIG-IP system in the
other data center.
The purpose of an EtherIP tunnel that contains an EtherIP type of profile is to
enable the BIG-IP system to preserve any current connections to a server that is using
VMware vMotion for migration to another data center.
- On the Main tab, click. The New Tunnel screen opens.
- In the Name field, type a unique name for the tunnel.
- From the Profile list, select etherip.
- In the Local Address field, type the self IP address of the local BIG-IP system.
- In the Remote Address field, type the self IP address of the remote BIG-IP system.
- If the BIG-IP system is part of an HA cluster, select the corresponding traffic group from the Traffic Group list.
- Click Finished.
Creating a VLAN group
VLAN groups consolidate Layer 2 traffic from two or
more separate VLANs.
- On the Main tab, click. The VLAN Groups list screen opens.
- From the VLAN Groups menu, choose List.
- Click Create. The New VLAN Group screen opens.
- In the General Properties area, in the VLAN Group field, type a unique name for the VLAN group.
- For the VLANs setting, from the Available field select the internal and external VLAN names, and click << to move the VLAN names to the Members field.
- Click Finished.
Creating a self IP address
Before you create a self IP address, ensure that you have
created at least one VLAN or VLAN group.
A self IP address enables the BIG-IP system and other devices on the network to route application traffic
through the associated VLAN or VLAN group.
- On the Main tab, click.
- Click Create. The New Self IP screen opens.
- In the Name field, type a unique name for the self IP address.
- In the IP Address field, type an IPv4 or IPv6 address. This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.
- In the Netmask field, type the full network mask for the specified IP address.
- From the VLAN/Tunnel list, select the VLAN to associate with this self IP address.
  - On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
  - On the external network, select the external VLAN that is associated with an external interface or trunk.
- From the Port Lockdown list, select Allow Default.
- For the Traffic Group setting, choose one of the following actions:
  - Retain the default setting, traffic-group-local-only (non-floating). Result: The system creates a non-floating self IP address that becomes a member of traffic-group-local-only.
  - Select the check box labeled Inherit traffic group from current partition / path. Result: The system creates a floating self IP address that becomes a member of traffic-group-1.
  - Select a traffic group from the Traffic Group list. Result: The system creates a floating self IP address that becomes a member of the selected traffic group.
- From the Service Policy list, retain the default value of None, or select a policy to associate with the self IP address. A service policy contains a timer policy, which defines custom timeouts for matched traffic types.
- Click Finished. The screen refreshes, and displays the new self IP address.
After you perform this task, the BIG-IP system can send and receive traffic
through the specified VLAN or VLAN group. If the self IP address is a member of a floating
traffic group and you configure the system for redundancy, the self IP address can fail
over to another device group member if necessary.
After creating the self IP address, ensure that you repeat this task to create as many self IP addresses as needed.
Creating a self IP for a VLAN group
Before you create a self IP address, ensure that you have
created at least one VLAN or VLAN group.
A self IP address enables the BIG-IP system and other devices on the network to route application traffic
through the associated VLAN or VLAN group.
- On the Main tab, click.
- Click Create. The New Self IP screen opens.
- In the IP Address field, type a self IP address for the VLAN group. In the example shown, this IP address is 10.0.0.6.
- In the Netmask field, type the network mask for the specified IP address. For example, you can type 255.255.255.0.
- From the VLAN/Tunnel list, select the name of the VLAN group you previously created.
- From the Port Lockdown list, select Allow Default.
- Click Finished. The screen refreshes, and displays the new self IP address.
The BIG-IP system can send and receive traffic through
the specified VLAN or VLAN group.
Creating a custom IPsec policy for EtherIP tunnel traffic
When you use IPsec to secure EtherIP tunnel traffic, you must create a custom
IPsec policy for the traffic selector to use.
- On the Main tab, click.
- Click the Create button. The New Policy screen opens.
- In the Name field, type a unique name for the policy.
- From the Mode list, select Tunnel. The screen refreshes to show additional related settings.
- In the Tunnel Local Address field, type an IP address. This IP address must match the local address of the EtherIP tunnel and the source IP address of the associated traffic selector.
- In the Tunnel Remote Address field, type an IP address. This IP address must match the remote address of the EtherIP tunnel and the destination IP address of the associated traffic selector.
- Click Finished. The screen refreshes and displays the new IPsec policy in the list.
Creating an IPsec traffic selector for EtherIP traffic
Before you start this task, make sure that you have created a custom IPsec policy to
use with this traffic selector.
When you use IPsec to secure EtherIP tunnel traffic, you must create an IPsec
traffic selector at each end of the IPsec tunnel to capture the EtherIP
traffic.
- On the Main tab, click.
- Click Create. The New Traffic Selector screen opens.
- In the Name field, type a unique name for the traffic selector.
- For the Source IP Address or CIDR setting, type an IP address. This IP address must match the IP address specified for the Tunnel Local Address in the selected IPsec policy.
- For the Destination IP Address or CIDR setting, type an IP address. This IP address must match the IP address specified for the Tunnel Remote Address in the selected IPsec policy.
- From the Protocol list, select Other, and type 97, the EtherIP protocol number.
- From the IPsec Policy Name list, select the name of the custom IPsec policy that you created.
- Click Finished. The screen refreshes and displays the new IPsec traffic selector in the list.
Implementation result
After you configure EtherIP tunneling on the BIG-IP system, you must perform the same
configuration procedure on the BIG-IP system in the remote data center to fully
establish the EtherIP tunnel.
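As an added example that is not part of this manual or of F5's software, the following Python script encodes the matching rules from the IPsec policy and traffic selector tasks above (tunnel addresses, policy addresses and selector addresses must agree, and the selector must carry protocol 97) together with the requirement that the remote data center mirror the local configuration. The dictionary layout, the object names and the 10.1.0.6 address are constructed for illustration; only 10.0.0.6 comes from the chapter.

```python
"""Consistency check for the EtherIP-over-IPsec objects the chapter creates.

Constructed example (not F5 code): each side is a dict holding the EtherIP
tunnel, the custom IPsec policy and the traffic selector for one BIG-IP."""
ETHERIP_PROTOCOL = 97  # IP protocol number for EtherIP, as used in the selector task

def check_side(side, name):
    """Return a list of findings for one BIG-IP's configuration."""
    tun, pol, sel = side["tunnel"], side["policy"], side["selector"]
    findings = []
    if tun["profile"] != "etherip":
        findings.append(f"{name}: tunnel profile must be etherip")
    if pol["mode"] != "tunnel":
        findings.append(f"{name}: IPsec policy mode must be Tunnel")
    # Tunnel Local Address == EtherIP local == selector source, and likewise for remote.
    if not (tun["local"] == pol["tunnel_local"] == sel["source"]):
        findings.append(f"{name}: local/source addresses do not match")
    if not (tun["remote"] == pol["tunnel_remote"] == sel["destination"]):
        findings.append(f"{name}: remote/destination addresses do not match")
    if sel["protocol"] != ETHERIP_PROTOCOL:
        findings.append(f"{name}: selector protocol must be {ETHERIP_PROTOCOL}")
    if sel["policy"] != pol["name"]:
        findings.append(f"{name}: selector does not reference the custom policy")
    return findings

def check_pair(local, remote):
    """Check both data centers and that the remote side mirrors the local one."""
    findings = check_side(local, "local") + check_side(remote, "remote")
    lt, rt = local["tunnel"], remote["tunnel"]
    if lt["local"] != rt["remote"] or lt["remote"] != rt["local"]:
        findings.append("remote tunnel endpoints are not the mirror of the local ones")
    return findings

def make_side(name, local_ip, remote_ip, protocol=ETHERIP_PROTOCOL):
    """Build one side's objects the way the chapter's tasks do (constructed data)."""
    return {
        "tunnel": {"profile": "etherip", "local": local_ip, "remote": remote_ip},
        "policy": {"name": f"{name}-etherip-policy", "mode": "tunnel",
                   "tunnel_local": local_ip, "tunnel_remote": remote_ip},
        "selector": {"source": local_ip, "destination": remote_ip,
                     "protocol": protocol, "policy": f"{name}-etherip-policy"},
    }

# Constructed sample: a correct pair, then a remote side whose selector uses the wrong protocol.
GOOD = check_pair(make_side("dc1", "10.0.0.6", "10.1.0.6"),
                  make_side("dc2", "10.1.0.6", "10.0.0.6"))
BAD = check_pair(make_side("dc1", "10.0.0.6", "10.1.0.6"),
                 make_side("dc2", "10.1.0.6", "10.0.0.6", protocol=47))
```

An empty list from check_pair means both sides satisfy every matching rule in the chapter; each finding names the side and the rule that failed.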
After the tunnel is established, the BIG-IP system preserves any open connections to
migrating (or migrated) virtual machine servers.