Manual Chapter : Creating a custom IPsec policy for dynamic template

Applies To:

BIG-IP APM

  • 17.5.0, 17.1.2, 17.1.1, 17.1.0

BIG-IP Link Controller

  • 17.5.0, 17.1.2, 17.1.1, 17.1.0

BIG-IP LTM

  • 17.5.0, 17.1.2, 17.1.1, 17.1.0

BIG-IP AFM

  • 17.5.0, 17.1.2, 17.1.1, 17.1.0

BIG-IP ASM

  • 17.5.0, 17.1.2, 17.1.1, 17.1.0
Creating a custom IPsec policy for dynamic template

You create a custom IPsec policy to use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode.
  1. On the Main tab, click Network > IPsec > IPsec Policies.
  2. Click the Create button.
     The New Policy screen opens.
  3. In the Name field, type a unique name for the policy.
  4. In the Description field, type a brief description of the policy.
  5. For the IPsec Protocol setting, retain the default selection, ESP.
  6. From the Mode list, select Tunnel.
     The screen refreshes to show additional related settings.
  7. In the Tunnel Local Address field, type the local IP address of the system you are configuring.
     For example, the tunnel local IP address for BIG-IP site B is 3.3.3.3.
  8. In the Tunnel Remote Address field, type the IP address that is remote to the system you are configuring.
     For example, the tunnel remote IP address is 192.0.2.1. This address must match the Remote Address setting for the relevant IKE peer.
     The address can be any Martian address in the 192.0.2.x subnet, because that subnet is reserved for documentation examples and is never assigned to real devices. 192.0.2.13 is the recommended value for a dynamic IP address.
  9. For the IKE Phase 2 area, retain the default values, or select the options that are appropriate for your deployment.
     The values you select must match the IKE Phase 2 settings on the remote device.

     Setting                    Options
     Authentication Algorithm   SHA-1, AES-GCM128 (default), AES-GCM192, AES-GCM256, AES-GMAC128, AES-GMAC192, and AES-GMAC256
     Encryption Algorithm       AES-GCM128 (default)
     Perfect Forward Secrecy    MODP768, MODP1024 (default), MODP1536, MODP2048, MODP3072, MODP4096, MODP6144, and MODP8192
     Lifetime                   Length of time, in minutes, before the IKE security association expires.
  10. Click Finished.
      The screen refreshes and displays the new IPsec policy in the list.
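The procedure above states two cross-device rules that are easy to get wrong when the two sides are configured by different people: the Tunnel Remote Address must equal the Remote Address of the matching IKE peer (step 8), and every IKE Phase 2 value must equal the remote device's setting (step 9). The following pre-flight check is an added example, not F5 code and not part of this chapter: it models the policy with the option names from the table above, checks both rules against a constructed peer and remote Phase 2 set, and flags the MODP768 and MODP1024 groups, which are widely regarded as too weak for new deployments. The class and function names (IpsecPolicy, IkePeer, validate_policy) and the lifetime value of 1440 minutes are assumptions of the example, not product defaults.

```python
"""Pre-flight consistency check for a custom BIG-IP IPsec policy.

Added example, not F5 code. It checks the two matching rules stated in the
procedure before the settings are entered in the GUI.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Option names exactly as listed in the IKE Phase 2 table of this chapter.
AUTH_ALGORITHMS = {"SHA-1", "AES-GCM128", "AES-GCM192", "AES-GCM256",
                   "AES-GMAC128", "AES-GMAC192", "AES-GMAC256"}
ENCRYPTION_ALGORITHMS = {"AES-GCM128"}
PFS_GROUPS = {"MODP768", "MODP1024", "MODP1536", "MODP2048",
              "MODP3072", "MODP4096", "MODP6144", "MODP8192"}
# Diffie-Hellman groups below 2048 bits are considered weak today.
WEAK_PFS_GROUPS = {"MODP768", "MODP1024"}


@dataclass
class IpsecPolicy:
    """Settings from the New Policy screen (hypothetical class name)."""
    name: str
    tunnel_local_address: str
    tunnel_remote_address: str
    lifetime_minutes: int          # no product default is given on the page
    protocol: str = "ESP"          # step 5 default
    mode: str = "Tunnel"           # step 6
    auth_algorithm: str = "AES-GCM128"        # table default
    encryption_algorithm: str = "AES-GCM128"  # table default
    pfs: str = "MODP1024"                     # table default


@dataclass
class IkePeer:
    """The IKE peer this policy is paired with (hypothetical class name)."""
    name: str
    remote_address: str


def validate_policy(policy: IpsecPolicy, peer: IkePeer,
                    remote_phase2: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings). Errors mean the tunnel cannot come up."""
    errors: list[str] = []
    warnings: list[str] = []

    if policy.protocol != "ESP":
        errors.append(f"IPsec Protocol must be ESP, got {policy.protocol!r}")
    if policy.mode not in {"Tunnel", "Transport"}:
        errors.append(f"unknown Mode {policy.mode!r}")

    if policy.mode == "Tunnel":
        for label, addr in (("Tunnel Local Address", policy.tunnel_local_address),
                            ("Tunnel Remote Address", policy.tunnel_remote_address)):
            try:
                ip_address(addr)
            except ValueError:
                errors.append(f"{label} {addr!r} is not a valid IP address")
        # Step 8: the remote address must match the IKE peer's Remote Address.
        if policy.tunnel_remote_address != peer.remote_address:
            errors.append(
                f"Tunnel Remote Address {policy.tunnel_remote_address!r} does not "
                f"match Remote Address {peer.remote_address!r} of IKE peer {peer.name!r}")

    # Reject values that are not offered on the screen at all.
    if policy.auth_algorithm not in AUTH_ALGORITHMS:
        errors.append(f"unsupported Authentication Algorithm {policy.auth_algorithm!r}")
    if policy.encryption_algorithm not in ENCRYPTION_ALGORITHMS:
        errors.append(f"unsupported Encryption Algorithm {policy.encryption_algorithm!r}")
    if policy.pfs not in PFS_GROUPS:
        errors.append(f"unsupported Perfect Forward Secrecy group {policy.pfs!r}")

    # Step 9: every IKE Phase 2 value must match the remote device.
    for field_name in ("auth_algorithm", "encryption_algorithm", "pfs", "lifetime_minutes"):
        local_value = getattr(policy, field_name)
        remote_value = remote_phase2.get(field_name)
        if local_value != remote_value:
            errors.append(f"IKE Phase 2 {field_name}: local {local_value!r}, "
                          f"remote {remote_value!r}")

    if policy.pfs in WEAK_PFS_GROUPS:
        warnings.append(f"{policy.pfs} is a weak DH group; prefer MODP2048 or larger")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: site B from step 7 paired with the peer from step 8.
    site_b = IpsecPolicy("site_b_tunnel", "3.3.3.3", "192.0.2.1", 1440)
    peer = IkePeer("site_a_peer", "192.0.2.1")
    remote = {"auth_algorithm": "AES-GCM128", "encryption_algorithm": "AES-GCM128",
              "pfs": "MODP1024", "lifetime_minutes": 1440}
    errs, warns = validate_policy(site_b, peer, remote)
    print("errors:", errs)
    print("warnings:", warns)
```

Run the check on both sides' intended values before clicking Finished; any entry in the errors list is a mismatch the peer will reject during IKE negotiation, and the warning about the default MODP1024 group is the reason to pick a larger group in step 9 when the remote device supports it.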