When you configure an iSession connection using the Quick Start screen, you can specify IPsec encapsulation for outbound iSession traffic. If you select IPsec, the BIG-IP system also encrypts the TCP traffic for the applications you select when you create iApps templates for optimizing applications.
If you also want to send secured and encrypted non-TCP traffic, you can create a forwarding virtual server that uses the iSession routing to send all IP traffic not matched by other virtual servers through the IPsec tunnel. To accelerate the traffic, you can add IP Payload Compression Protocol (IPComp) to the IPsec tunnel. You would choose IPComp when you expect a great deal of compressible non-TCP traffic.
Note: NAT traversal is not supported with iSession routing. For NAT traversal, you must configure a separate IPsec tunnel, and then route the IP traffic through the tunnel.
Creating a virtual server for all IP iSession traffic
Before you create the virtual server, ensure that you have selected IPsec for the IP Encapsulation Type setting on the Quick Start screen or the Symmetric Optimization Local Endpoint screen, and chosen an IPsec policy. You can use the pre-defined default policy default-ipsec-policy-isession, or create a custom policy, for example, to compress all IP traffic that does not match another virtual server.
If you are using IPsec to encrypt iSession traffic, you can create a forwarding virtual server to send all IP traffic through the IPsec tunnel. Creating the virtual server avoids the need for any special routing for non-TCP traffic, such as UDP and ICMP.
- On the Main tab, click .
- Click the Create button.
- Type a unique name for the virtual server, such as non_tcp_traffic.
- For the Type setting, select Forwarding (IP) from the list.
- For the Destination setting, select Network and indicate your objective:
  - To select all IP addresses, in the Address field, type 0.0.0.0, and in the Mask field, type 0.0.0.0.
  - To specify a network, in the Address field, type a network IP address, such as 10.07.0.0, and in the Mask field, type the netmask, such as 255.255.0.0.
  Note: For best results, F5 recommends that you enter the subnet and mask that match your destination server network.
- In the Service Port field, type * or select * All Ports from the list.
- In the Configuration area of the screen, from the Protocol list, select *All Protocols.
- In the Acceleration area of the screen, from the iSession Profile list, select an iSession profile.
  Note: This setting is available only if you have licensed and provisioned the Application Acceleration Manager (AAM) product.
- Click Finished.
The completed screen looks similar to the following example.
Figure: Example of a completed virtual server screen for non-TCP iSession traffic, with destination subnet specified
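The Destination step accepts either a catch-all (0.0.0.0 with mask 0.0.0.0) or a specific network, and the note recommends the destination server subnet. The following Python helper is an added example, not F5 code or part of the original page; it checks an Address/Mask pair before it is entered. The name check_destination and its return keys are hypothetical, and reading a leading-zero octet such as "07" as decimal is an assumption of this example.

```python
import ipaddress

def check_destination(address: str, mask: str) -> dict:
    """Check an Address/Mask pair as typed into the Destination setting.

    Hypothetical helper for this example; it is not a BIG-IP API.
    """
    findings = []
    octets = address.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {address!r}")
    # A leading-zero octet such as "07" is ambiguous (some parsers read it as
    # octal), so report it and continue with the plain decimal form.
    if any(len(o) > 1 and o[0] == "0" for o in octets):
        findings.append("leading-zero octet; interpreted as decimal")
    addr = ipaddress.IPv4Address(".".join(str(int(o)) for o in octets))

    # A netmask must be contiguous ones followed by zeros. Checking this by
    # hand avoids libraries that silently accept host masks like 0.0.255.255.
    m = int(ipaddress.IPv4Address(mask))
    inverse = ~m & 0xFFFFFFFF
    if inverse & (inverse + 1):
        raise ValueError(f"non-contiguous netmask: {mask!r}")
    prefix = bin(m).count("1")

    if int(addr) & inverse:
        findings.append("address has host bits set outside the mask")
    network = ipaddress.IPv4Network((int(addr) & m, prefix))

    # 0.0.0.0/0.0.0.0 matches every destination: all IP traffic not matched
    # by another virtual server is sent through the IPsec tunnel.
    catch_all = prefix == 0
    if catch_all:
        findings.append("catch-all destination; consider the server subnet")
    return {"network": str(network), "catch_all": catch_all, "findings": findings}

if __name__ == "__main__":
    # Constructed sample inputs: the two destination forms described above.
    for pair in [("0.0.0.0", "0.0.0.0"), ("10.07.0.0", "255.255.0.0")]:
        print(pair, check_destination(*pair))
```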