Applies To:
- 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Forwarding Non-Optimized IP Traffic Through an IPsec Tunnel
Overview: Forwarding Non-Optimized IP traffic through an IPsec tunnel
When you configure an iSession™ connection using the Quick Start screen, you can specify IPsec encapsulation for outbound iSession traffic. If you select IPsec, the BIG-IP® system also encrypts the TCP traffic for the applications you select when you create iApps® templates for optimizing applications.
If you also want to send secured and encrypted non-TCP traffic, you can create a forwarding virtual server that uses iSession routing to send all IP traffic not matched by other virtual servers through the IPsec tunnel. To accelerate the traffic, you can add IP Payload Compression Protocol (IPComp) to the IPsec tunnel. Choose IPComp when you expect a great deal of compressible non-TCP traffic.
Creating a virtual server for all IP iSession traffic
- On the Main tab, click .
- Click the Create button.
- Type a unique name for the virtual server, such as non_tcp_traffic.
- For the Type setting, select Forwarding (IP) from the list.
- In the Destination Address field, type an IP address in
  The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0. To specify a network, an IPv4 address/prefix is 10.07.0.0 or 10.07.0.0/24, and an IPv6 address/prefix is ffe1::/64 or 2001:ed8:77b5::/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
  Note: For best results, F5® recommends that you enter the subnet that matches your destination server network.
- In the Service Port field, type * or select * All Ports from the list.
- In the Configuration area of the screen, from the Protocol list, select *All Protocols.
- In the Acceleration area of the screen, from the iSession Profile list, select an iSession profile.
  Note: This setting is available only if you have licensed and provisioned the Application Acceleration Manager™ (AAM™) product.
- Click Finished.
Example of a completed virtual server screen for non-TCP iSession traffic, with destination subnet specified
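The Destination Address value decides which traffic this virtual server matches and therefore sends through the IPsec tunnel. The following Python pre-check is an added example, not part of the F5 documentation: it applies the address/prefix rules from the Destination Address step (prefix length in bits, /32 default for a bare IPv4 address) and reports whether an entry matches everything, a subnet, or a single host. Rejecting leading zeros and set host bits, and requiring an explicit IPv6 prefix, are this checker's own conservative assumptions, not documented BIG-IP® behavior.

```python
import ipaddress

def check_destination(value):
    """Return (normalized_network, scope, implicit_prefix) for one entry.

    scope is "all", "subnet" or "host". Raises ValueError on entries this
    checker treats as ambiguous (its own conservative rules, see comments).
    """
    text = value.strip()
    addr, sep, prefix = text.partition("/")
    is_v4 = ":" not in addr
    # Assumption: reject leading zeros, which some parsers read as octal.
    if is_v4 and any(len(o) > 1 and o.startswith("0") for o in addr.split(".")):
        raise ValueError(f"{text}: leading zero in an IPv4 octet is ambiguous")
    # The page defines the prefix as a length in bits, not a dotted netmask.
    if sep and not prefix.isdigit():
        raise ValueError(f"{text}: prefix must be a bit length")
    # The page states a default (/32) only for IPv4; require one for IPv6.
    if not sep and not is_v4:
        raise ValueError(f"{text}: IPv6 entry needs an explicit prefix")
    # strict=True also rejects host bits set below the prefix (10.7.0.1/24).
    net = ipaddress.ip_network(text, strict=True)
    if net.prefixlen == 0:
        scope = "all"
    elif net.prefixlen == net.max_prefixlen:
        scope = "host"
    else:
        scope = "subnet"
    return str(net), scope, not sep

def review(entries):
    """Map each entry to its check result or to the rejection message."""
    report = {}
    for entry in entries:
        try:
            report[entry] = check_destination(entry)
        except ValueError as exc:
            report[entry] = f"rejected: {exc}"
    return report

# Entries from the page, plus constructed ones (marked) for the edge cases.
SAMPLES = ["0.0.0.0/0", "::/0", "10.07.0.0", "10.07.0.0/24", "ffe1::/64",
           "2001:ed8:77b5::/64",
           "10.7.0.0", "10.7.0.0/24", "10.7.0.1/24"]  # constructed

if __name__ == "__main__":
    for entry, result in review(SAMPLES).items():
        print(f"{entry:22} {result}")
```

A "host" result with implicit_prefix set to True is the case to double-check: under the /32 default, a bare network address matches one address, not the destination server subnet the note recommends.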
Adding compression to an IPsec policy
- On the Main tab, click .
- Click the Create button.
  The New Policy screen opens.
- In the Name field, type a unique name for the policy.
- For the IPsec Protocol setting, retain the default selection, ESP.
- From the Mode list, select iSession Using Tunnel.
- For the Authentication Algorithm setting, retain the default value, or select the algorithm appropriate for your deployment.
- For the Encryption Algorithm setting, retain the default value, or select the algorithm appropriate for your deployment.
- For the Perfect Forward Secrecy setting, select the option appropriate for your deployment.
- Only if you want to use IPComp to compress the traffic in the IPsec tunnel, from the IPComp list, select DEFLATE.
- For the Lifetime setting, retain the default value,
  This is the length of time (in minutes) before the current security association expires.
The screen refreshes and displays the new IPsec policy in the list.