Manual Chapter : Configuring Access IPsec VPN Tunnels

Configuring Access IPsec VPN Tunnels

IPsec VPN tunnels allow clients to transition from SSL/TLS VPNs to IPsec VPNs. Using the Windows Edge Client or F5 Access for macOS, clients can establish an IPsec tunnel to BIG-IP and securely access the backend network.

A new field, VPN Type, is introduced in the Connectivity Profile screen. When you set it to IPsec, the system automatically generates an Access IPsec Policy.
You can modify the policy's properties to suit your requirements and then update the policy.
The associated IPsec objects (IPsec Policy, IKE Peer, and Traffic Selector) are created when you configure a Virtual Server with the IPsec VPN type connectivity profile.

Notes:

  • When using LTM IPsec, traffic intended for the Access Virtual Server may be incorrectly routed to the LTM IPsec forward virtual server. To avoid this, do not deploy LTM IPsec and Access IPsec at the same time in the same environment, and use separate VLANs for each use case.
  • IPsec authentication supports only machine certificate authentication, requiring the machine certificate agent to be configured within the access policy. Without the configured machine certificate agent, IPsec will fail to establish a connection. For more information, refer to BIG-IP Access Policy Manager: Visual Policy Editor.
  • The changes are applied dynamically. You don’t need to reinstall Windows Edge Client or F5 Access for macOS.
  • You can convert an existing connectivity profile from SSL-VPN to IPsec by updating the VPN Profile type from SSL to IPsec in the Connectivity Profile. However, converting an existing connectivity profile from IPsec to SSL-VPN is not supported and requires new profile creation.

IPsec policies reuse the network access profiles already configured within access policies, so administrators set up routing and security for the VPN through the workflows they already know. This keeps the migration from SSL-VPN to IPsec simple and predictable.

To Configure Access IPsec VPN Tunnels:

  1. Navigate to Access > Connectivity / VPN : Connectivity : Profiles.

  2. Create a connectivity profile with VPN Profile type set to IPsec. The corresponding Access IPsec policy is automatically generated.

  3. Navigate to Network > IPsec > Access IPsec > Access IPsec Policies to view the policy.

  4. You can modify the following properties of the policy based on your requirements:

    Category | Property | Description
    --- | --- | ---
    General Properties | Name | Specifies the name of the Access IPsec policy.
    General Properties | Partition / Path | Specifies the configuration path.
    General Properties | Description | Specifies descriptive text that identifies the Access IPsec policy.
    General Properties | VPN Type | Displays the VPN type. Access IPsec supports only Remote Access VPN.
    General Properties | Version | Displays the IKE version.
    IKE Phase 1 Algorithms | Encryption Algorithm | Specifies the algorithms to use for IKE encryption. Default value: AES-GCM256.
    IKE Phase 1 Algorithms | Integrity Algorithm | Specifies the algorithms to use for IKE data integrity verification. Default value: AES-GCM256.
    IKE Phase 1 Algorithms | Pseudo-Random Function | Specifies the algorithms used to derive keying material for cryptographic functions. Default value: SHA-256.
    IKE Phase 1 Algorithms | Perfect Forward Secrecy | Specifies the Diffie-Hellman group for Phase 1 and Phase 2 negotiations. Default value: MODP1024.
    IKE Phase 1 Algorithms | Lifetime | Specifies the duration, in minutes, before the IKE security association expires. Default value: 1440 minutes.
    IKE Phase 1 Credentials | Authentication Method | Specifies the authentication method for Phase 1 negotiation. Default value: RSA Signature. DSS and ECDSA Signature are supported in IKEv2 only.
    IKE Phase 1 Credentials | Certificate | Specifies that the system uses certificate-based authentication.
    IKE Phase 1 Credentials | Certificate | Specifies the digital certificate to use. Default certificate: default.
    IKE Phase 1 Credentials | Key | Specifies the public key contained in the digital certificate. Default key: default.
    IKE Phase 1 Credentials | Passphrase | Specifies the passphrase of the key used for authentication methods. Supported in IKEv2 only.
    NAT-Traversal | NAT-Traversal | Specifies whether the system uses NAT Traversal protocol extensions. Default value: Off. Force: forces NAT protocol extensions whether or not NAT support is detected. On: uses NAT protocol extensions when NAT support is detected. Off: does not support NAT protocol extensions.
    IKE Phase 2 Configuration | IPsec Protocol | Displays the IPsec protocol. Access IPsec supports only the ESP protocol.
    IKE Phase 2 Configuration | Mode | Displays the mode. Access IPsec supports only Tunnel mode.
    IKE Phase 2 Algorithms | Authentication Algorithm | Specifies the algorithm to use for IKE authentication. Default value: AES-GCM256.
    IKE Phase 2 Algorithms | Encryption Algorithm | Specifies the algorithm to use for IKE encryption. Default value: AES-GCM256.
    IKE Phase 2 Algorithms | Lifetime | Specifies the duration, in minutes, before the IKE security association expires. Default value: 480 minutes.
    IKE Phase 2 Algorithms | KBLifetime | Specifies the length, in kilobytes, before the IKE security association expires. Default value: 0 kilobytes (the SA won't re-key based on bytes). Recommended minimum: 1000 kilobytes.

  5. Click Update to update the policy.

  6. Navigate to Access > Connectivity / VPN : Connectivity : Profiles to configure a virtual server.

  7. While configuring the virtual server, select the IPsec VPN type connectivity profile. Add other values as per your requirements. For more information, refer to Configuring Virtual Servers for Network Access.

  8. Click Finished. The associated IPsec objects, IPsec Policy, IKE Peer, and Traffic Selector, are created when you configure a Virtual Server with the IPsec VPN type connectivity profile.
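The property table in step 4 states several constraints that are easy to violate when a policy is edited by hand (IKEv2-only authentication methods and passphrases, ESP and Tunnel mode only, a KBLifetime of 0 that disables byte-based re-keying). The following linter is an added example, not F5 code: it models a policy as a plain dict whose keys mirror the table, pre-filled with the documented defaults, and reports the findings a reviewer would want before clicking Update. The key names and severity labels are this example's own, and the advisory on the MODP1024 default goes beyond the chapter (RFC 8247 rates 1024-bit MODP as SHOULD NOT).

```python
"""Lint an Access IPsec policy against the constraints stated in this chapter.

Added example, not F5 code. The dict keys, the severity labels and the
MODP1024 advisory are this example's own choices, not BIG-IP's.
"""
from __future__ import annotations

# Values the chapter states as the only supported ones.
SUPPORTED_VPN_TYPE = "Remote Access"
SUPPORTED_PROTOCOL = "ESP"
SUPPORTED_MODE = "Tunnel"
IKEV2_ONLY_AUTH_METHODS = {"DSS Signature", "ECDSA Signature"}
NAT_TRAVERSAL_VALUES = {"Force", "On", "Off"}
RECOMMENDED_MIN_KBLIFETIME = 1000  # kilobytes, per the KBLifetime row

# The defaults from the property table (constructed sample; the name is hypothetical).
DEFAULT_POLICY = {
    "name": "example_access_ipsec_policy",
    "vpn_type": "Remote Access",
    "version": 2,  # IKE version displayed by the policy
    "encryption_algorithm": "AES-GCM256",
    "integrity_algorithm": "AES-GCM256",
    "prf": "SHA-256",
    "pfs_group": "MODP1024",
    "phase1_lifetime_minutes": 1440,
    "authentication_method": "RSA Signature",
    "certificate": "default",
    "key": "default",
    "passphrase": None,
    "nat_traversal": "Off",
    "ipsec_protocol": "ESP",
    "mode": "Tunnel",
    "phase2_authentication_algorithm": "AES-GCM256",
    "phase2_encryption_algorithm": "AES-GCM256",
    "phase2_lifetime_minutes": 480,
    "kb_lifetime": 0,
}


def lint_policy(policy: dict) -> list[str]:
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; an empty list means clean."""
    findings: list[str] = []

    def err(msg: str) -> None:
        findings.append(f"ERROR: {msg}")

    def warn(msg: str) -> None:
        findings.append(f"WARN: {msg}")

    # Fixed values: the chapter says Access IPsec supports nothing else.
    if policy.get("vpn_type") != SUPPORTED_VPN_TYPE:
        err(f"vpn_type must be {SUPPORTED_VPN_TYPE!r}")
    if policy.get("ipsec_protocol") != SUPPORTED_PROTOCOL:
        err(f"ipsec_protocol must be {SUPPORTED_PROTOCOL!r}")
    if policy.get("mode") != SUPPORTED_MODE:
        err(f"mode must be {SUPPORTED_MODE!r}")
    if policy.get("nat_traversal") not in NAT_TRAVERSAL_VALUES:
        err(f"nat_traversal must be one of {sorted(NAT_TRAVERSAL_VALUES)}")

    version = policy.get("version")
    if version not in (1, 2):
        err("version must be 1 or 2")
    if version != 2:
        # Both of these are documented as IKEv2-only.
        if policy.get("authentication_method") in IKEV2_ONLY_AUTH_METHODS:
            err(f"{policy['authentication_method']} requires IKEv2")
        if policy.get("passphrase"):
            err("passphrase is supported in IKEv2 only")

    for key in ("phase1_lifetime_minutes", "phase2_lifetime_minutes"):
        value = policy.get(key)
        if not isinstance(value, int) or value <= 0:
            err(f"{key} must be a positive number of minutes")

    kb = policy.get("kb_lifetime", 0)
    if kb == 0:
        warn("kb_lifetime is 0: the phase 2 SA will not re-key based on bytes transferred")
    elif kb < RECOMMENDED_MIN_KBLIFETIME:
        warn(f"kb_lifetime {kb} KB is below the recommended minimum of {RECOMMENDED_MIN_KBLIFETIME} KB")

    # Advisory beyond the chapter: RFC 8247 rates 1024-bit MODP (group 2) as SHOULD NOT.
    if policy.get("pfs_group") == "MODP1024":
        warn("pfs_group MODP1024 is the documented default but is rated SHOULD NOT by RFC 8247")

    return findings


if __name__ == "__main__":
    for finding in lint_policy(DEFAULT_POLICY):
        print(finding)
```

Run against the documented defaults the linter emits only warnings (the byte-based re-key is off, and the PFS group advisory); switching the version to 1 while keeping an ECDSA Signature method or a passphrase turns those into errors, which is the mismatch the table's "IKEv2 only" notes are warning about.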

When IPsec is configured:

  1. The client authenticates to BIG-IP through access policy evaluation over TLS. The Access Policy should have a “machine certificate authentication agent” configured.
  2. After successful Access Policy evaluation:
    a. The client performs machine certificate authentication to BIG-IP during IPsec phase 1 (IKEv2), using the same machine certificate that the access policy's machine certificate agent checked.
    b. BIG-IP correlates the IPsec session with the access policy session by comparing the machine certificate used in the two authentications.
    c. BIG-IP proceeds with IPsec phase 2 and establishes the tunnel only when the two certificates match and the IKEv2 signature validates.
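The binding described in step 2 is what stops a client from passing the access policy with one machine certificate and then bringing up IKEv2 with another. The following model is an added example, not F5 code: the access session records the fingerprint of the certificate the machine certificate agent accepted, the IKE_AUTH step must present a certificate with that same fingerprint and a signature that verifies under it, and phase 2 is allowed only when both hold. The record layouts, the signed octets and the toy textbook RSA (tiny fixed primes, no padding, illustration only) are this example's own assumptions.

```python
"""Model the certificate binding between the access-policy session and the
IKEv2 authentication described in this chapter.

Added example, not F5 code. The record layouts, message bytes and the toy
textbook-RSA signature (small fixed primes, no padding) are constructed for
illustration and are not a usable signature scheme.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for a machine certificate: a subject plus an RSA public key."""
    subject: str
    n: int
    e: int

    def fingerprint(self) -> str:
        return hashlib.sha256(f"{self.subject}|{self.n}|{self.e}".encode()).hexdigest()


def make_keypair(p: int, q: int, e: int = 65537) -> tuple[int, int, int]:
    """Toy RSA key from two fixed primes: returns (n, e, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)


def _digest_mod_n(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, d: int, n: int) -> int:
    return pow(_digest_mod_n(msg, n), d, n)


def verify(msg: bytes, sig: int, cert: Cert) -> bool:
    return pow(sig, cert.e, cert.n) == _digest_mod_n(msg, cert.n)


@dataclass(frozen=True)
class AccessSession:
    """What the access policy retains after the TLS step: the fingerprint of the
    machine certificate that the machine certificate agent accepted."""
    session_id: str
    machine_cert_fp: str


@dataclass(frozen=True)
class IkeAuth:
    """What the IKEv2 IKE_AUTH exchange presents to BIG-IP (constructed layout)."""
    session_id: str
    cert: Cert
    signed_octets: bytes  # stand-in for the IKEv2 signed octets
    signature: int


def phase1_binding(sessions: dict[str, AccessSession], auth: IkeAuth) -> tuple[bool, str]:
    """Decide whether phase 2 may start: the IKE signature must verify under the
    presented certificate, and that certificate must be the one the access
    session recorded. Either failure keeps the tunnel down."""
    session = sessions.get(auth.session_id)
    if session is None:
        return False, "no access-policy session for this client"
    if not verify(auth.signed_octets, auth.signature, auth.cert):
        return False, "IKEv2 AUTH signature does not verify"
    if auth.cert.fingerprint() != session.machine_cert_fp:
        return False, "IKE certificate differs from the access-session certificate"
    return True, "certificates match and signature verified: proceed to phase 2"


# Constructed sample: two machines with distinct toy keys.
N1, E1, D1 = make_keypair(1000003, 999983)
N2, E2, D2 = make_keypair(104729, 104723)
LAPTOP_CERT = Cert("CN=laptop-01.example.test", N1, E1)
OTHER_CERT = Cert("CN=laptop-02.example.test", N2, E2)
SESSIONS = {"sess-1": AccessSession("sess-1", LAPTOP_CERT.fingerprint())}
OCTETS = b"constructed IKE_AUTH signed octets"


def demo() -> dict[str, bool]:
    good = IkeAuth("sess-1", LAPTOP_CERT, OCTETS, sign(OCTETS, D1, N1))
    # Same access session, but a different machine certificate is presented in IKEv2.
    swapped = IkeAuth("sess-1", OTHER_CERT, OCTETS, sign(OCTETS, D2, N2))
    # Right certificate, but the signature has been tampered with (one bit flipped).
    tampered = IkeAuth("sess-1", LAPTOP_CERT, OCTETS, sign(OCTETS, D1, N1) ^ 1)
    return {name: phase1_binding(SESSIONS, a)[0]
            for name, a in (("good", good), ("swapped", swapped), ("tampered", tampered))}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'tunnel' if ok else 'rejected'}")
```

The signature is checked before the fingerprint comparison so that a certificate the peer cannot prove possession of is never consulted for the match; the lookup by session id stands in for whatever BIG-IP uses to associate the IKE peer with its access session.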