Manual Chapter : Configure the BIG-IQ to Manage an IPsec Tunnel

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
Manual Chapter

Configure the BIG-IQ to Manage an IPsec Tunnel

How do I start managing an IPsec tunnel?

You can use BIG-IQ Centralized Management to manage an IPsec tunnel. To set up IPsec tunnel management, you need to:
  • Configure a data collection device.
  • Configure the BIG-IQ system to manage the IPsec tunnel.
    • Create a forwarding virtual server for IPsec.
    • Create an IKE peer.
    • Create a custom IPsec policy.
    • Create a bidirectional IPsec traffic selector.
    • Configure the IKE daemon.
    • Verify IPsec connectivity.
After you complete these initial configuration tasks, you can manage the settings that control your IPsec tunnel traffic. You can also use the BIG-IQ statistics to troubleshoot the tunnel health.

Create a forwarding virtual server for IPsec

For IPsec, you create a forwarding (IP) type of virtual server to intercept IP traffic and direct it over the tunnel. With a forwarding (IP) virtual server, destination address translation and port translation are disabled.
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    LOCAL TRAFFIC
    Virtual Servers
    .
    The screen displays the list of virtual servers defined on this device.
    If you select the check box for a virtual server, you can delete it, clone it, attach iRules to it, view statistics for it, or deploy it. You can also view details about other configuration objects to which this virtual server relates.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. For
    Name
    , type in a name for the virtual server you are creating.
  4. From
    Device
    , select the device on which to create the virtual server.
  5. For
    Partition
    , type the name of the BIG-IP device partition on which you want to create the virtual server.
  6. For
    Description
    , type in a brief description for the virtual server you are creating.
  7. For
    Destination Address
    , type a wildcard network address in CIDR format, such as
    0.0.0.0/0
    for IPv4 or
    ::/0
    for IPv6, to accept any traffic.
  8. From
    Service Port
    , select
    *All Ports
    .
  9. From
    Protocol
    , select
    *All Protocols
    .
  10. For
    VLANs and Tunnel Traffic
    , retain the default selection,
    All VLANs and Tunnels
    .
  11. Leave all other fields at their default settings.
  12. Click
    Save & Close
    .
    The system creates the new virtual server with the settings you specified.
Changes that you make are made only to the pending version. The
pending version
serves as a repository for changes you stage before deploying them to the managed device. Object settings for the pending version are not the same as the object settings on the actual BIG-IP device until they are deployed or discarded.
When you finish specifying the settings for this virtual server, the next step is to evaluate and then deploy the changes to the target device. Until you deploy the changes stored in the pending version, objects on the managed device are not changed.

Create an IKE peer

The IKE peer object identifies to the system you are configuring the other device that it communicates with during Phase 1 negotiations. The IKE peer object also specifies the specific algorithms and credentials to use for Phase 1 negotiation.
You must configure the devices at both ends of the IPsec tunnel.
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    NETWORK
    IPsec
    and then click
    IKE Peers
    .
  2. Click
    Create
    .
    The New IKE Peer screen opens.
  3. For
    Name
    , type a unique name for the IKE peer.
  4. For
    Description
    , type a brief description of the IKE peer.
  5. From
    Device
    , select the hostname of the device for which you are creating the new peer.
  6. For the remainder of the fields on this screen, configure the values as you would if you were configuring an IKE peer on a BIG-IP device.
    For details on configuring an IKE peer, refer to the
    BIG-IP TMOS: Tunneling and IPsec
    documentation on
    support.f5.com
  7. Click
    Save & Close
    .
    The system creates the new IKE peer with the settings you specified.
Changes that you make are made only to the pending version. The
pending version
serves as a repository for changes you stage before deploying them to the managed device. Object settings for the pending version are not the same as the object settings on the actual BIG-IP device until they are deployed or discarded.
When you finish specifying the settings for this IKE peer, the next step is to evaluate and then deploy the changes to the target device. Until you deploy the changes stored in the pending version, objects on the managed device are not changed.

Create a custom IPsec policy

You can create a custom IPsec policy so that you can use a policy other than the default IPsec policy (
default-ipsec-policy
or
default-ipsec-policy-isession
). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode. Another reason is to add payload compression before encryption.
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    NETWORK
    IPsec
    and then click
    IPsec Policies
    .
  2. Click
    Create
    .
    The New IPsec Policy screen opens.
  3. For
    Name
    , type a unique name for the policy.
  4. For
    Description
    , type a brief description of the policy.
  5. For the remainder of the fields on this screen, configure the values as you would if you were configuring an IKE peer on a BIG-IP device.
    For details on configuring a IPsec security policy, refer to the
    BIG-IP TMOS: Tunneling and IPsec
    documentation on
    support.f5.com
    .
  6. Click
    Save & Close
    .
    The system creates the new security policy with the settings you specified.
Changes that you make are made only to the pending version. The
pending version
serves as a repository for changes you stage before deploying them to the managed device. Object settings for the pending version are not the same as the object settings on the actual BIG-IP device until they are deployed or discarded.
When you finish specifying the settings for this custom IPsec policy, the next step is to evaluate and then deploy the changes to the target device. Until you deploy the changes stored in the pending version, objects on the managed device are not changed.

Create a bidirectional IPsec traffic selector

A traffic selector filters traffic based on the IP addresses and port numbers that you specify, as well as the custom IPsec policy you assign.
You must configure the devices at both ends of the IPsec tunnel.
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    NETWORK
    IPsec
    and then click
    Traffic Selectors
    .
  2. Click
    Create
    .
    The New Traffic Selector screen opens.
  3. For
    Name
    , type a unique name for the traffic selector.
  4. For
    Description
    , type a brief description of the traffic selector.
  5. From
    Device
    , select the hostname of the device for which you are creating the new traffic selector.
  6. For the remainder of the fields on this screen, configure the values as you would if you were configuring a traffic selector on a BIG-IP device.
    For details on configuring a traffic selector, refer to the
    BIG-IP TMOS: Tunneling and IPsec
    documentation on
    support.f5.com
    .
  7. Click
    Save & Close
    .
    The system creates the new traffic selector with the settings you specified.
Changes that you make are made only to the pending version. The
pending version
serves as a repository for changes you stage before deploying them to the managed device. Object settings for the pending version are not the same as the object settings on the actual BIG-IP device until they are deployed or discarded.
When you finish specifying the settings for this IPsec traffic selector, the next step is to evaluate and then deploy the changes to the target device. Until you deploy the changes stored in the pending version, objects on the managed device are not changed.

Configure the IKE daemon

To complete the configuration sequence for managing an IPsec tunnel on the BIG-IQ, you need to configure the IKE daemon
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    NETWORK
    IPsec
    and then click
    IKE Daemon
    .
  2. In the Name column, select the
    ikedaemon
    link that corresponds to the host name of the BIG-IP device from which you imported the IPsec tunnel configuration.
    The IKE daemon properties screen for that BIG-IP device opens.
  3. For External Log Publisher, select
    default-ipsec-log-publisher
    .
  4. Click the
    Save & Close
    button.
Changes that you make are made only to the pending version. The
pending version
serves as a repository for changes you stage before deploying them to the managed device. Object settings for the pending version are not the same as the object settings on the actual BIG-IP device until they are deployed or discarded.
When you finish specifying the settings for this IKE daemon, the next step is to evaluate and then deploy the changes to the target device. Until you deploy the changes stored in the pending version, objects on the managed device are not changed.

Verify IPsec connectivity

After you have configured an IPsec tunnel and before you configure additional functionality, you can verify that the tunnel is passing traffic.
Only data traffic matching the traffic selector triggers the establishment of the tunnel.
  1. At the top of the screen, click
    Monitoring
    , then, on the left, click
    EVENTS
    IPsec
    Events
    .
    The IPsec Event Logs screen opens and displays all of the logs collected from your IPsec tunnel.
  2. Examine the screen, looking for event logs that relate to successful IPsec tunnel creation, to confirm IPsec connectivity.