Applies To: BIG-IP AAM
- 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Setting Up iSession and IPsec To Use NAT Traversal on One Side of the WAN
Overview: Setting up iSession and IPsec to use NAT traversal on one side
When you are using IPsec to secure optimized WAN traffic, you can set up an IPsec tunnel with NAT traversal (NAT-T) to get around a firewall or other NAT device. This implementation describes how to set up the IPsec tunnel when you have a NAT device on one side of the tunnel.
The following illustration shows a network configuration with a firewall using NAT to protect the BIG-IP® system on one side of the WAN.
Example of an iSession and IPsec deployment with NAT-T on one side of the WAN
Before you begin IPsec configuration
Before you configure IPsec on a BIG-IP® device, make sure that you have completed the following general prerequisites.
- You must have an existing routed IP network between the two locations where the BIG-IP devices will be installed.
- The BIG-IP hardware is installed with an initial network configuration applied.
- Application Acceleration Manager™ is provisioned at the level Nominal or Dedicated.
- The management IP address is configured on the BIG-IP system.
- If you are using NAT traversal, forward UDP ports 500 and 4500 to the BIG-IP system behind each firewall.
- Verify the connectivity between the client or server and its BIG-IP device, and between each BIG-IP device and its gateway. You can use ping to test connectivity.
Task summary
When you are configuring an IPsec tunnel, you must repeat the configuration tasks on the BIG-IP systems on both sides of the WAN.
Task list
Creating a forwarding virtual server for IPsec
Creating an IPsec tunnel with NAT-T on one side
You can create an IPsec tunnel to securely transport application traffic across the WAN. You must configure an IPsec tunnel on the BIG-IP systems on both sides of the WAN.
When you create an IKE peer for NAT traversal (NAT-T), the key configuration detail is that the Remote Address setting is the public IP address of the firewall or other NAT device (not the IP address of the remote BIG-IP system). Also, you must turn on NAT traversal for that peer. You can customize the remaining settings to conform to your network.
Verifying IPsec connectivity for Tunnel mode
After you have configured an IPsec tunnel and before you configure additional functionality, you can verify that the tunnel is passing traffic.
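The verification step above does not say what NAT-T looks like on the wire. As an added example (not from the F5 documentation), this Python function classifies UDP datagrams seen on the two ports the firewall must forward (500 and 4500), using the RFC 3948 non-ESP marker and NAT-keepalive byte, so you can tell whether a peer actually floated to NAT-T and is carrying ESP inside UDP, or is stuck on UDP/500 because 4500 is not forwarded. All addresses and datagrams are constructed for the example.

```python
"""Classify UDP datagrams on ports 500/4500 to confirm that an IPsec tunnel
negotiated NAT traversal (RFC 3947/3948) and is carrying ESP inside UDP."""
from collections import defaultdict

IKE_PORT, NATT_PORT = 500, 4500        # the two UDP ports the firewall must forward
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefixes IKE messages sent on UDP/4500


def classify(dport: int, payload: bytes) -> str:
    """Name what a UDP datagram on 500/4500 carries."""
    if dport == IKE_PORT:
        return "ike"                   # IKE before NAT detection completes
    if dport != NATT_PORT:
        return "other"
    if payload == b"\xff":
        return "nat-keepalive"         # RFC 3948 section 2.3: single 0xFF byte
    if payload[:4] == NON_ESP_MARKER:
        return "ike-natt"              # IKE floated to 4500
    return "esp-in-udp"                # first 4 bytes are a non-zero SPI


def tunnel_status(datagrams):
    """Summarise per (src, dst) pair whether NAT-T is in effect.
    datagrams: iterable of (src_ip, dst_ip, dport, payload)."""
    seen = defaultdict(set)
    for src, dst, dport, payload in datagrams:
        seen[(src, dst)].add(classify(dport, payload))
    report = {}
    for pair, kinds in seen.items():
        if "esp-in-udp" in kinds:
            report[pair] = "NAT-T active: ESP is UDP-encapsulated on 4500"
        elif "ike-natt" in kinds:
            report[pair] = "IKE floated to 4500 but no ESP yet: check IPsec policy and selectors"
        elif "ike" in kinds:
            report[pair] = "IKE stuck on UDP/500: NAT-T not negotiated, check UDP 4500 forwarding"
        else:
            report[pair] = "no IKE or ESP observed"
    return report


# Constructed sample: the public-side BIG-IP 203.0.113.10 talks to the firewall's
# public address 198.51.100.1, which NATs the other BIG-IP. A second peer at
# 198.51.100.2 never gets past UDP/500 because 4500 is not forwarded to it.
SAMPLE = [
    ("203.0.113.10", "198.51.100.1", 500, b"\x11" * 28),                    # IKE on 500
    ("203.0.113.10", "198.51.100.1", 4500, NON_ESP_MARKER + b"\x22" * 28),  # IKE on 4500
    ("203.0.113.10", "198.51.100.1", 4500, b"\x00\x00\x10\x01" + b"\x33" * 60),  # ESP, SPI 0x1001
    ("203.0.113.10", "198.51.100.1", 4500, b"\xff"),                        # keepalive
    ("203.0.113.10", "198.51.100.2", 500, b"\x44" * 28),                    # stuck peer
]

if __name__ == "__main__":
    for pair, verdict in tunnel_status(SAMPLE).items():
        print(pair, "->", verdict)
```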
Using Quick Start to set up iSession endpoints
The following screen capture is an example of how the Quick Start screen might look.
Example of Quick Start screen settings for NAT-T