Manual Chapter : Setting Up iSession and IPsec To Use NAT Traversal on One Side of the WAN

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Manual Chapter

Setting Up iSession and IPsec To Use NAT Traversal on One Side of the WAN

Overview: Setting up iSession and IPsec to use NAT traversal on one side

When you are using IPsec to secure optimized WAN traffic, you can set up an IPsec tunnel with NAT traversal (NAT-T) to get around a firewall or other NAT device. This implementation describes how to set up the IPsec tunnel when you have a NAT device on one side of the tunnel.

Note: For NAT-T, you cannot configure IPsec on the Acceleration Quick Start screen, because that configuration uses the iSession™ remote endpoint as the remote IP address for the IPsec tunnel. You must use the public IP address of the firewall or other NAT device as the remote IP address.

The following illustration shows a network configuration with a firewall using NAT to protect the BIG-IP® system on one side of the WAN.

Example of an iSession and IPsec deployment with NAT-T on one side of the WAN

Example of an iSession and IPsec deployment with NAT-T on one side of the WAN

Before you begin IPsec configuration

Before you configure IPsec on a BIG-IP® device, make sure that you have completed the following general prerequisites.

  • You must have an existing routed IP network between the two locations where the BIG-IP devices will be installed.
  • The BIG-IP hardware is installed with an initial network configuration applied.
  • Application Acceleration Manager™ is provisioned at the level Nominal or Dedicated.
  • The management IP address is configured on the BIG-IP system.
  • If you are using NAT traversal, forward UDP ports 500 and 4500 to the BIG-IP system behind each firewall.
  • Verify the connectivity between the client or server and its BIG-IP device, and between each BIG-IP device and its gateway. You can use ping to test connectivity.

Task summary

When you are configuring an IPsec tunnel, you must repeat the configuration tasks on the BIG-IP systems on both sides of the WAN.

Task list

Creating a forwarding virtual server for IPsec

For IPsec, you create a forwarding virtual server to intercept IP traffic and direct it over the tunnel.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Forwarding (IP).
  5. In the Destination Address/Mask field, type a wildcard network address in CIDR format, such as 0.0.0.0/0 for IPv4 or ::/0 for IPv6, to accept any traffic.
  6. From the Service Port list, select *All Ports.
  7. From the Protocol list, select *All Protocols.
  8. From the VLAN and Tunnel Traffic list, retain the default selection, All VLANs and Tunnels.
  9. Click Finished.

Creating an IPsec tunnel with NAT-T on one side

You can create an IPsec tunnel to securely transport application traffic across the WAN. You must configure an IPsec tunnel on the BIG-IP systems on both sides of the WAN.

When you create an IKE peer for NAT traversal (NAT-T), the key configuration detail is that the Remote Address setting is the public IP address of the firewall or other NAT device (not the IP address of the remote BIG-IP system). Also, you must turn on NAT traversal for that peer. You can customize the remaining settings to conform to your network.

Important: For the IKE peer negotiations to be successful, the IKE Phase 1 and IKE Phase 2 settings must be the same on the BIG-IP systems at both ends of the IPsec tunnel.
  1. Create an IKE peer that specifies the other end of the IPsec tunnel.
    1. On the Main tab, click Network > IPsec > IKE Peers .
    2. Click the Create button.
    3. In the Name field, type a unique name for the IKE peer.
    4. In the Remote Address field, type the IP address of the remote peer.
      If the remote BIG-IP system is behind a firewall or other NAT device, type the public IP address of that device.
      If the remote BIG-IP system is reachable directly, type the IP address of the BIG-IP system.
      Note: This address must match the value of the Tunnel Remote Address of the remote site setting in the relevant IPsec policy.
      For example, Site A uses the WAN IP address of the Site B firewall. The peer remote addresses for the BIG-IP systems in Site A and Site B are as follows.
      Location Remote (Peer) Address
      Site A 165.160.15.20
      Site B 198.50.100.3
      This screen snippet shows the peer Remote Address setting at Site A. Screen showing Site A Remote Address setting
    5. For the IKE Phase 1 Algorithms area, retain the default values, or select the options that are appropriate for your deployment.
    6. For the IKE Phase 1 Credentials area, for the Authentication Method setting, select either Preshared Key or RSA Signature, and specify additional information in the fields that appear.
      For example, if you select Preshared Key, type the key in the Preshared Key field that becomes available.
      In this example, Preshared Key is selected.
      IKE Phase 1 Preshared Key setting example
      Note: The key you type must be the same at both ends of the tunnel.
    7. From the NAT Traversal list, select On for Site A's IKE peer.
      Note: Use this setting only for the IKE peer (remote BIG-IP system) that is behind a NAT device. On the Site B BIG-IP system, for the IKE peer, retain the default setting, Off.
      NAT Traversal setting example
    8. Click Finished.
  2. Create a custom IPsec policy that uses Tunnel mode and has the same remote IP address as the IKE peer.
    1. On the Main tab, click Network > IPsec > IPsec Policies .
    2. Click the Create button.
    3. In the Name field, type a unique name for the policy.
    4. For the IPsec Protocol setting, retain the default selection, ESP.
    5. From the Mode list, select Tunnel.
      The screen refreshes to show additional related settings.
    6. In the Tunnel Local Address field, type the local IP address of the system you are configuring.
      For example, the tunnel local addresses for the BIG-IP systems in Site A and Site B are as follows.
      Location Tunnel Local Address
      Site A 198.50.100.3
      Site B 10.102.20.5
    7. In the Tunnel Remote Address field, type the IP address of the remote peer.
      If the remote BIG-IP system is behind a firewall or other NAT device, type the public IP address of that device.
      If the remote BIG-IP system is reachable directly, type the IP address of the BIG-IP system.
      Note: This address must match the value of the Remote Address setting in the relevant IKE peer.
      For example, the tunnel remote addresses for the BIG-IP systems in Site A and Site B are as follows.
      Location Tunnel Remote Address
      Site A 165.160.15.20
      Site B 198.50.100.3
      This screen snippet shows the tunnel settings at Site A.
      Example of tunnel settings at Site A
    8. For the Authentication Algorithm setting, retain the default value, or select the algorithm appropriate for your deployment.
    9. For the Encryption Algorithm setting, retain the default value, or select the algorithm appropriate for your deployment.
    10. For the Perfect Forward Secrecy setting, retain the default value, or select the option appropriate for your deployment.
    11. Click Finished.
  3. Create a bidirectional traffic selector that uses the custom IPsec policy you created.
    The traffic selector filters the application traffic based on the source and destination IP addresses you specify.
    1. On the Main tab, click Network > IPsec > Traffic Selectors .
    2. Click Create.
    3. In the Name field, type a unique name for the traffic selector.
    4. For the Order setting, retain the default value.
    5. For the Source IP Address setting, in the Address field, type the IP address from which the application traffic originates.
      In the illustration the source IP addresses for the BIG-IP systems in Site A and Site B are as follows.
      Location Source IP Address
      Site A 10.100.20.50
      Site B 10.102.20.10
    6. For the Destination IP Address setting, in the Address field, type the final IP address for which the application traffic is destined.
      In the illustration, the source IP addresses for the BIG-IP systems in Site A and Site B are as follows.
      Location Destination IP Address
      Site A 10.102.20.10
      Site B 10.100.20.50
    7. For the Action setting, retain the default value, Protect.
    8. From the IPsec Policy Name list, select the name of the custom IPsec policy that you just created.
      This screen snippet is an example of the completed Traffic Selector screen at Site A. Example of completed Traffic Selector screen
    9. Click Finished.
You have now created an IPsec tunnel through which traffic travels in both directions across the WAN, and through a firewall on one side.

Verifying IPsec connectivity for Tunnel mode

After you have configured an IPsec tunnel and before you configure additional functionality, you can verify that the tunnel is passing traffic.

Note: Only data traffic matching the traffic selector triggers the establishment of the tunnel.
  1. Access the tmsh command-line utility.
  2. Before sending traffic, type this command at the prompt.
    tmsh modify net ipsec ike-daemon ikedaemon log-level info
    This command increases the logging level to display the INFO messages that you want to view.
  3. Send data traffic to the destination IP address specified in the traffic selector.
  4. For an IKEv1 configuration, check the IKE Phase 1 negotiation status by typing this command at the prompt.
    racoonctl -l show-sa isakmp
    This example shows a result of the command. Destination is the tunnel remote IP address.
    Destination       Cookies               ST S  V E Created            Phase2
    165.160.15.20.500 98993e6 . . . 22c87f1  9 I 10 M 2012-06-27 16:51:19     1
                        

    This table shows the legend for interpreting the result.

    Column Displayed Description
    ST (Tunnel Status) 1 Start Phase 1 negotiation
    2 msg 1 received
    3 msg 1 sent
    4 msg 2 received
    5 msg 2 sent
    6 msg 3 received
    7 msg 3 sent
    8 msg 4 received
    9 isakmp tunnel established
    10 isakmp tunnel expired
    S I Initiator
    R Responder
    V (Version Number) 10 ISAKMP version 1.0
    E (Exchange Mode) M Main (Identity Protection)
    A Aggressive
    Phase2 <n> Number of Phase 2 tunnels negotiated with this IKE peer
  5. For an IKEv1 configuration, check the IKE Phase 2 negotiation status by typing this command at the prompt.
    racoonctl -ll show-sa internal
    This example shows a result of this command. Source is the tunnel local IP address. Destination is the tunnel remote IP address.
     
    Source            Destination           Status         Side
    10.100.20.3       165.160.15.20         sa established [R] 
                        
                        
                            

    This table shows the legend for interpreting the result.

    Column Displayed
    Side I (Initiator)
    R (Responder)
    Status init
    start
    acquire
    getspi sent
    getspi done
    1st msg sent
    1st msg recvd
    commit bit
    sa added
    sa established
    sa expired
  6. To verify the establishment of dynamic negotiated Security Associations (SAs), type this command at the prompt.
    tmsh show net ipsec ipsec-sa
    For each tunnel, the output displays IP addresses for two IPsec SAs, one for each direction, as shown in the example.
    IPsec::SecurityAssociations
    10.100.20.3 -> 165.160.15.20 SPI(0x7b438626) in esp (tmm: 6)
    165.160.15.20 -> 10.100.20.3 SPI(0x5e52a1db) out esp (tmm: 5)              
                        
  7. To display the details of the dynamic negotiated Security Associations (SAs), type this command at the prompt.
    tmsh show net ipsec ipsec-sa all-properties
    For each tunnel, the output displays the details for the IPsec SAs, as shown in the example.
    IPsec::SecurityAssociations
    165.160.15.20 -> 10.100.20.3
    -----------------------------------------------------------------------------
      tmm: 2                                                             
      Direction: out;  SPI: 0x6be3ff01(1810104065);  ReqID: 0x9b0a(39690)
      Protocol: esp;  Mode: tunnel;  State: mature                       
      Authenticated Encryption : aes-gmac128                             
      Current Usage: 307488 bytes                                        
      Hard lifetime: 94 seconds; unlimited bytes                         
      Soft lifetime: 34 seconds; unlimited bytes                         
      Replay window size: 64                                          
      Last use: 12/13/2012:10:42                        Create:  12/13/2012:10:39               
                        
  8. To display the details of the IKE-negotiated SAs (IKEv2), type this command at the prompt.
    tmsh show net ipsec ike-sa all-properties
  9. To filter the Security Associations (SAs) by traffic selector, type this command at the prompt.
    tmsh show net ipsec ipsec-sa traffic-selector ts_codec

    You can also filter by other parameters, such as SPI (spi), source address (src_addr), or destination address (dst_addr)

    The output displays the IPsec SAs that area associated with the traffic selector specified, as shown in the example.
    IPsec::SecurityAssociations
    10.100.115.12  ->  10.100.15.132  SPI(0x2211c0a9)  in  esp  (tmm: 0)
    10.100.15.132  ->  10.100.115.12  SPI(0x932e0c44)  out  esp  (tmm: 2)              
                        
  10. Check the IPsec stats by typing this command at the prompt.
    tmsh show net ipsec-stat
    If traffic is passing through the IPsec tunnel, the stats will increment.
     
    -------------------------------------------------------------------
    Net::Ipsec
    Cmd Id           Mode  Packets In  Bytes In  Packets Out  Bytes Out
    -------------------------------------------------------------------
    0           TRANSPORT           0         0            0          0
    0           TRANSPORT           0         0            0          0
    0              TUNNEL           0         0            0          0
    0              TUNNEL           0         0            0          0
    1              TUNNEL      353.9K    252.4M        24.9K       1.8M
    2              TUNNEL      117.9K     41.0M       163.3K      12.4M                       
                        
  11. If the SAs are established, but traffic is not passing, type one of these commands at the prompt.

    tmsh delete net ipsec ipsec-sa (IKEv1)

    tmsh delete net ipsec ike-sa (IKEv2)

    This action deletes the IPsec tunnels. Sending new traffic triggers SA negotiation and establishment.
  12. If traffic is still not passing, type this command at the prompt.
    racoonctl flush-sa isakmp
    This action brings down the control channel. Sending new traffic triggers SA negotiation and establishment.
  13. View the /var/log/racoon.log to verify that the IPsec tunnel is up.
    These lines are examples of the messages you are looking for.
    2012-06-29 16:45:13: INFO: ISAKMP-SA established 10.100.20.3[500]-165.160.15.20[500] spi:3840191bd045fa51:673828cf6adc5c61
    2012-06-29 16:45:14: INFO: initiate new phase 2 negotiation: 10.100.20.3[500]<=>165.160.15.20[500]
    2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 165.160.15.20[0]->10.100.20.3[0] spi=2403416622(0x8f413a2e)
    2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 10.100.20.3[0]->165.160.15.20[0] spi=4573766(0x45ca46                    
                        
  14. To turn on IKEv2 logging on a production build, complete these steps.
    1. Configure the log publisher for IPsec to use.
      % tmsh create sys log-config publisher ipsec { destinations add { local-syslog }} 
      % tmsh list sys log-config publisher ipsec
      sys log-config publisher ipsec {
          destinations {
              local-syslog { }
          }
      }                            
                              
    2. Attach the log publisher to the ike-daemon object.
      tmsh modify net ipsec ike-daemon ikedaemon log-publisher ipsec
  15. For protocol-level troubleshooting, you can increase the debug level by typing this command at the prompt.
    tmsh modify net ipsec ike-daemon ikedaemon log-level debug2
    Important: Use this command only for debugging. It creates a large log file, and can slow the tunnel negotiation.
    Note: Using this command flushes existing SAs.
  16. After you view the results, return the debug level to normal to avoid excessive logging by typing this command at the prompt.
    tmsh modify net ipsec ike-daemon ikedaemon log-level info
    Note: Using this command flushes existing SAs.

Using Quick Start to set up iSession endpoints

You cannot view the Quick Start screen until you have defined at least one VLAN and at least one self IP on a configured BIG-IP® system that is provisioned with Application Acceleration Manager™.
You can use the Quick Start screen to set up the iSession™ endpoints on a BIG-IP system. To optimize WAN traffic, you must configure the iSession endpoints on the BIG-IP systems on both sides of the WAN.
  1. Log in to the BIG-IP system that you want to configure.
    The default login value for both user name and password is admin.
  2. On the Main tab, click Acceleration > Quick Start > Symmetric Properties .
  3. In the WAN Self IP Address field, type the local endpoint IP address, if it is not already displayed.
    This IP address must be in the same subnet as a self IP address on the BIG-IP system, and to make sure that dynamic discovery properly detects this endpoint, the IP address must be the same as a self IP address on the BIG-IP system.
  4. Verify that the Discovery setting is set to Enabled.
    If you disable the Discovery setting, or discovery fails, you must manually configure any remote endpoints and advertised routes.
  5. Specify the VLANs on which the virtual servers on this system receive incoming traffic.
    Option Description
    LAN VLANs Select the VLANs that receive incoming LAN traffic destined for the WAN.
    WAN VLANs Select the VLANs that receive traffic from the WAN through an iSession™ connection.
  6. In the Authentication area, for the Outbound iSession to WAN setting, select the SSL profile to use for all encrypted outbound iSession connections.
    To get WAN optimization up and running, you can use the default selection serverssl, but you need to customize this profile for your production environment.
  7. In the IP Encapsulation area, for the IP Encapsulation Type setting, retain the default value, None.
    Note: For a NAT-T deployment, configure IPsec separately, using the IPsec screens in the Network section of the browser interface.
  8. Click Apply.

The following screen capture is an example of how the Quick Start screen might look.

Example of Quick Start screen settings for NAT-T

Example of Quick Start screen settings for NAT-T

To complete the iSession connection, you must also set up the local endpoint on the BIG-IP system on the other side of the WAN.