Manual Chapter:
About IP macro attribute in dynamic template
Applies To:
BIG-IP APM
- 17.5.0, 17.1.2, 17.1.1, 17.1.0
BIG-IP Link Controller
- 17.5.0, 17.1.2, 17.1.1, 17.1.0
BIG-IP LTM
- 17.5.0, 17.1.2, 17.1.1, 17.1.0
BIG-IP AFM
- 17.5.0, 17.1.2, 17.1.1, 17.1.0
BIG-IP ASM
- 17.5.0, 17.1.2, 17.1.1, 17.1.0
About IP macro attribute in dynamic template
The ip-macro attribute distinguishes an IKE peer as a dynamic template. Each IKE peer requires a dedicated traffic-selector and IPsec policy, so an ip-macro attribute on an IKE peer means that the triple ike-peer, traffic-selector, and ipsec-policy is a template.

Variables within ip-macro generalize the configuration by replacing placeholder values. The ip-macro attribute declares up to three placeholder values: peer-ip, peer-port, and dynamic-ip. Each acts as a variable: wherever its placeholder value appears in the configuration, the system replaces it with the actual value when a tunnel is negotiated. For example, the peer's IP address can be represented by a Martian IP address, that is, an address from the 192.0.2.0/24 subnet (TEST-NET-1, reserved by RFC 5737 for documentation and never assigned to real hosts), which acts as a variable. When peer-ip=192.0.2.1 appears inside ip-macro, 192.0.2.1 is a placeholder for the actual peer IP address seen at negotiation time. During IKE negotiation, configuration is generated in which 192.0.2.1 is replaced with the peer's actual IP address.

The notation in ip-macro declares the variables. Because the schema requires an IP address in these fields, a Martian IP address such as 192.0.2.1 is used to satisfy the syntax requirements; a symbolic variable such as <peer-ip> would be syntactically invalid.

Following are examples for the ip-macro attribute:

    net ipsec ike-peer <peer-name> {
        ...
        ip-macro="peer-ip=192.0.2.1 peer-port=234"
        peers-id-value 192.0.2.1
        my-id-value <BIG-IP address>
        remote-address 192.0.2.1
        ...
    }

    net ipsec ike-peer <peer-name> {
        ...
        ip-macro="peer-ip=192.0.2.1 peer-port=234 dynamic-ip=192.0.2.13"
        remote-port 234
        address-list '<IP address list value>'
        peers-id-value 192.0.2.1
        my-id-value <BIG-IP address>
        remote-address 192.0.2.1
        ...
    }
The Presented ID Value (my-id-value) and the Verified ID Value (peers-id-value) settings are mandatory configuration elements for IKEv2 tunnels. Configure these settings to maintain reliable IPsec connectivity between a BIG-IP system and a remote device.
The value of peer-ip inside ip-macro defines the IP address that acts as a placeholder for a remote peer's IP address. For example, if peer-ip is 192.0.2.1, then everywhere 192.0.2.1 appears, the system replaces it with the remote peer's actual IP address, which becomes the tunnel remote endpoint address. The peer-ip can be any Martian IP address from the 192.0.2.0/24 subnet, because that subnet is reserved for documentation only and is never used by real devices.

The peer-port variable specifies the remote peer's port number. In the template, the value 234 is declared as a placeholder for the actual peer port, and the same placeholder is used as the value of remote-port in the IKE peer. The peer-port is useful for NAT, where more than one remote peer can appear behind the same firewall IP address and only the source port distinguishes them. The actual source port number is substituted wherever 234 appears as the value of a port. The peer-port can be any value from the reserved port numbers: according to IANA port number assignments, ports 225 to 241 are reserved and can therefore be used as dummy placeholder values.
The dynamic-ip variable is used only when the remote peer requests an allocated IP address. Declaring it is a prediction that the remote peer will always request an allocated IP, which is allocated from the address-list attribute in the IKE peer.

If peer-ip is 192.0.2.1, dynamic-ip is 192.0.2.13, and peer-port is 234, then 192.0.2.1 is a placeholder variable for the peer's actual IP address, 192.0.2.13 is a placeholder variable for an IP address allocated by the BIG-IP from an address pool, and 234 is a placeholder value for the peer's actual port number.

To protect traffic through a tunnel that uses an allocated address, use the dynamic-ip placeholder value as the destination-ip in the traffic selector. The following conditions must be met:
- The remote peer intends to use an allocated address for traffic protected by a tunnel.
- The IKE peer has an address-list attribute that defines an address pool for IP allocation.
- The IKE peer has an ip-macro that declares a dynamic-ip variable, such as 192.0.2.13. It is recommended to use only 192.0.2.13 for the dynamic IP address.
When all these conditions are met, the IKE peer allocates an IP address from the address pool defined in address-list and substitutes that address for the placeholder value wherever it appears.
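The substitution this chapter describes, modeled as an added example in Python. This is illustrative code, not BIG-IP code and not a description of how the BIG-IP implements templates internally: the template text, the traffic-selector attribute names, the object names, the peer address 203.0.113.7, the port 4500, and the pool 10.99.0.0/29 are all constructed for the example. It parses the ip-macro, rejects placeholders that fall outside the reserved ranges the chapter relies on, allocates a dynamic-ip from a pool, and rewrites each placeholder only where it occurs as a whole address or port token, so that the peer-ip placeholder 192.0.2.1 does not also clobber the leading characters of the dynamic-ip placeholder 192.0.2.13.

```python
"""Expand a BIG-IP ip-macro template into per-peer configuration.

Illustrative model only (not F5 code): the template text, the
traffic-selector attribute names, and the peer/pool values are constructed.
"""
import ipaddress
import re

# Ranges the placeholders are drawn from: 192.0.2.0/24 is TEST-NET-1
# (RFC 5737, documentation only) and ports 225-241 are Reserved at IANA.
PLACEHOLDER_NET = ipaddress.ip_network("192.0.2.0/24")
PLACEHOLDER_PORTS = range(225, 242)
MACRO_VARS = ("peer-ip", "peer-port", "dynamic-ip")

# Constructed template in the shape the chapter shows.  The traffic-selector
# attributes are assumed for illustration.
TEMPLATE = '''net ipsec ike-peer branch-template {
    ip-macro="peer-ip=192.0.2.1 peer-port=234 dynamic-ip=192.0.2.13"
    remote-address 192.0.2.1
    remote-port 234
    peers-id-value 192.0.2.1
    my-id-value 198.51.100.10
    address-list branch-pool
}
net ipsec traffic-selector branch-template-ts {
    ike-peer branch-template
    destination-ip 192.0.2.13/32
}
'''


def parse_ip_macro(macro):
    """Return {variable: placeholder} for an ip-macro string.

    Rejects unknown variables, placeholders outside the reserved ranges
    (a real address or port here would be rewritten by mistake) and
    duplicate placeholder values (two variables would collide).
    """
    declared = {}
    for token in macro.split():
        name, sep, value = token.partition("=")
        if not sep or name not in MACRO_VARS:
            raise ValueError(f"unknown ip-macro variable: {token!r}")
        if name == "peer-port":
            if int(value) not in PLACEHOLDER_PORTS:
                raise ValueError(f"peer-port placeholder {value} is not IANA-reserved")
        elif ipaddress.ip_address(value) not in PLACEHOLDER_NET:
            raise ValueError(f"{name} placeholder {value} is not in {PLACEHOLDER_NET}")
        declared[name] = value
    if "peer-ip" not in declared:
        raise ValueError("ip-macro must declare peer-ip")
    if len(set(declared.values())) != len(declared):
        raise ValueError("placeholder values must be distinct")
    return declared


class AddressPool:
    """Hands out host addresses from an address-list pool, lowest first."""

    def __init__(self, cidr):
        self._hosts = ipaddress.ip_network(cidr).hosts()
        self.leased = []

    def allocate(self):
        addr = str(next(self._hosts))  # StopIteration once the pool is exhausted
        self.leased.append(addr)
        return addr


def _whole_token(value):
    # Match the placeholder only as a complete address or port token, so that
    # 192.0.2.1 does not rewrite the first nine characters of 192.0.2.13 and
    # 234 does not rewrite an octet inside an address such as 10.0.234.1.
    return re.compile(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])")


def render_tunnel(template, peer_ip, peer_port, pool=None):
    """Generate one concrete instance of the template for a negotiating peer.

    Returns (rendered_text, {placeholder: actual_value}).
    """
    m = re.search(r'ip-macro="([^"]*)"', template)
    if m is None:
        raise ValueError("template carries no ip-macro attribute")
    declared = parse_ip_macro(m.group(1))

    actual = {declared["peer-ip"]: peer_ip}
    if "peer-port" in declared:
        actual[declared["peer-port"]] = str(peer_port)
    if "dynamic-ip" in declared:
        # The chapter's condition: dynamic-ip needs an address-list pool.
        if pool is None:
            raise ValueError("dynamic-ip declared but no address-list pool given")
        actual[declared["dynamic-ip"]] = pool.allocate()

    # The instance is no longer a template, so the ip-macro line itself goes.
    rendered = re.sub(r'^[ \t]*ip-macro="[^"]*"[ \t]*\n', "", template, flags=re.M)
    for placeholder, real in actual.items():
        rendered = _whole_token(placeholder).sub(real, rendered)
    return rendered, actual


if __name__ == "__main__":
    pool = AddressPool("10.99.0.0/29")
    text, subst = render_tunnel(TEMPLATE, "203.0.113.7", 4500, pool)
    print(text)
    print(subst)
```

Two peers behind the same NAT address differ only in their source port, so each call with a different peer_port renders a separate instance and consumes another pool address. The token-boundary regex is the detail that matters when choosing placeholders: 192.0.2.1 and 192.0.2.13 overlap textually, and a naive str.replace() of the first would turn the second into 203.0.113.73 before any allocation happened.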