Manual Chapter :
Overview: Dynamic template in IKEv2
Applies To:
BIG-IP APM
- 21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0
BIG-IP Link Controller
- 21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0
BIG-IP LTM
- 21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0
BIG-IP AFM
- 21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0
BIG-IP ASM
- 21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0
Before dynamic templates, an IPsec configuration was static and specific to a single remote peer identified by its IP address. With the dynamic template in IKEv2, one configuration can serve multiple remote peers whose IP addresses are not known in advance.
The BIG-IP system can establish an IPsec tunnel with remote endpoints whose IP addresses are dynamic and do not appear in the BIG-IP configuration, for example the addresses of small cell security gateways. A dynamic template applies to more than one remote peer by factoring out the details that vary from peer to peer. A single dynamic template IKE peer can therefore support multiple remote peers at different IP addresses, or at different ports behind a single NAT firewall IP address.
The IPsec IKEv2 tunnel can be established with unknown or dynamic endpoints, with or without a Network Address Translation (NAT) device in the path. When remote peers sit behind a NAT firewall, every peer appears to come from the same IP address, because the firewall presents only one address; the source port is what distinguishes one peer from another. To handle more than one remote peer behind the same firewall IP address, set the system db variable ipsec.port.identity to 1. This variable controls whether the port is considered part of the identity of an IKE peer, in addition to the IP address used by the remote peer; without it, peers that share the NAT address cannot be told apart. The following command modifies the variable:
    tmsh modify sys db ipsec.port.identity value 1
Only one dynamic template can be created per local IP address used on the BIG-IP system. This local address is the Tunnel Local Address setting of the IPsec policy, which is typically the same IP address as the Presented ID Value (my-id-value) attribute of the IKE peer. An IPsec listener is added to this local tunnel endpoint IP address.
Example of an IPsec in tunnel mode using dynamic template
