Manual Chapter : Forwarding Non-Optimized IP Traffic Through an IPsec Tunnel

Applies To:


BIG-IP AAM

  • 14.1.3, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP APM

  • 14.1.3, 14.1.2, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

Overview: Forwarding Non-Optimized IP traffic through an IPsec tunnel

When you configure an iSession™ connection using the Quick Start screen, you can specify IPsec encapsulation for outbound iSession traffic. If you select IPsec, the BIG-IP® system also encrypts the TCP traffic for the applications you select when you create iApps® templates for optimizing applications.

If you also want non-TCP traffic to be secured and encrypted, you can create a forwarding virtual server that uses iSession routing to send all IP traffic not matched by other virtual servers through the IPsec tunnel. To accelerate the traffic, you can add IP Payload Compression Protocol (IPComp) to the IPsec tunnel. You would choose IPComp when you expect a great deal of compressible non-TCP traffic.

Note: NAT traversal is not supported with iSession routing. For NAT traversal, you must configure a separate IPsec tunnel, and then route the IP traffic through the tunnel.

Creating a virtual server for all IP iSession traffic

Before you create the virtual server, ensure that you have selected IPsec for the IP Encapsulation Type setting on the Quick Start screen or the Symmetric Optimization Local Endpoint screen, and chosen an IPsec policy. You can use the pre-defined default policy default-ipsec-policy-isession, or create a custom policy, for example, to compress all IP traffic that does not match another virtual server.
If you are using IPsec to encrypt iSession™ traffic, you can create a forwarding virtual server to send all IP traffic through the IPsec tunnel. Creating the virtual server avoids the need for any special routing for non-TCP traffic, such as UDP and ICMP.
  1. On the Main tab, click Local Traffic > Virtual Servers.
  2. Click the Create button.
  3. Type a unique name for the virtual server, such as non_tcp_traffic.
  4. For the Type setting, select Forwarding (IP) from the list.
  5. In the Destination Address field, type an IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0. To specify a network, an IPv4 address/prefix is 10.07.0.0 or 10.07.0.0/24, and an IPv6 address/prefix is ffe1::/64 or 2001:ed8:77b5::/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: For best results, F5® recommends that you enter the subnet that matches your destination server network.
  6. In the Service Port field, type * or select * All Ports from the list.
  7. In the Configuration area of the screen, from the Protocol list, select * All Protocols.
  8. In the Acceleration area of the screen, from the iSession Profile list, select an iSession profile.
    Note: This setting is available only if you have licensed and provisioned the Application Acceleration Manager™ (AAM™) product.
  9. Click Finished.
The completed screen looks similar to the following examples (screenshots not reproduced here).
Figure: Example of a completed virtual server screen for non-TCP iSession traffic
Figure: Example of a completed virtual server screen for non-TCP iSession traffic, with destination subnet specified
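The Destination Address rules in step 5 (address/prefix with the prefix length in bits, the 0.0.0.0/0 and ::/0 catch-alls, and the implicit /32 for a bare IPv4 address) can be checked with a small model. The following Python is an added example and is not F5 code: the virtual server names and sample destinations are constructed, the "most specific destination wins, the catch-all takes what is left" selection rule is a simplification of how the BIG-IP system chooses among matching virtual servers, and because Python's ipaddress module rejects the leading-zero octet in the manual's 10.07.0.0 sample, the example uses 10.7.0.0 instead. It illustrates the point behind the note in step 5: a 0.0.0.0/0 forwarding virtual server sends every destination not claimed by another virtual server into the tunnel, whereas a destination that matches the server subnet keeps the tunnel's scope to that network.

```python
"""
Added example (not from the F5 manual): a model of how a Forwarding (IP)
virtual server's Destination Address selects traffic, using the address/prefix
rules given in the procedure.  Names, addresses and the precedence rule are
constructed simplifications.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_destination(text: str) -> Network:
    """Parse a Destination Address field value into a network object.

    'address/prefix' uses a prefix length in bits; host bits are masked off
    as the system would with a netmask.  A bare IPv4 address becomes /32, as
    the manual states; a bare IPv6 address is treated as /128 here, which is
    this example's assumption (the manual gives no IPv6 default).
    Python's ipaddress rejects octets with leading zeros such as 10.07.0.0.
    """
    text = text.strip()
    if "/" not in text:
        # host route: IPv4 -> /32, IPv6 -> /128
        return ipaddress.ip_network(ipaddress.ip_address(text))
    return ipaddress.ip_network(text, strict=False)


def matches(dest: Network, packet_dst: str) -> bool:
    """True if a packet with this destination IP falls inside 'dest'."""
    ip = ipaddress.ip_address(packet_dst)
    return ip.version == dest.version and ip in dest


def select_virtual_server(vs_table: Dict[str, Network], packet_dst: str) -> Optional[str]:
    """Return the name of the virtual server that takes the packet, or None.

    Constructed simplification: only the destination prefix is compared and
    the longest matching prefix wins, so a 0.0.0.0/0 or ::/0 forwarding
    virtual server receives exactly the traffic no other entry claims.
    """
    candidates: List[Tuple[str, Network]] = [
        (name, net) for name, net in vs_table.items() if matches(net, packet_dst)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[1].prefixlen)[0]


# Constructed sample table: one application virtual server for a single
# server (bare IPv4 address -> /32) plus the two forwarding destinations
# discussed in the procedure.
SAMPLE_VIRTUALS: Dict[str, Network] = {
    "app_vs": parse_destination("10.7.0.10"),
    "non_tcp_traffic_subnet": parse_destination("10.7.0.0/24"),
    "non_tcp_traffic_all": parse_destination("0.0.0.0/0"),
}


def tunnel_scope_report(vs_table: Dict[str, Network], packet_dsts: List[str]) -> Dict[str, Optional[str]]:
    """Map each sample destination to the virtual server that would take it."""
    return {dst: select_virtual_server(vs_table, dst) for dst in packet_dsts}


if __name__ == "__main__":
    for dst, vs in tunnel_scope_report(
        SAMPLE_VIRTUALS, ["10.7.0.10", "10.7.0.99", "192.0.2.7"]
    ).items():
        print(f"{dst:>12} -> {vs}")
```

Run stand-alone, the report shows 10.7.0.10 taken by app_vs, 10.7.0.99 by the /24 forwarding virtual server, and 192.0.2.7 by the 0.0.0.0/0 entry; removing the catch-all leaves 192.0.2.7 unmatched, which is the narrower scope the note in step 5 recommends.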

Adding compression to an IPsec policy

You can create an IPsec policy that uses iSession™ routing to compress IP traffic through an IPsec tunnel.
  1. On the Main tab, click Network > IPsec > IPsec Policies.
  2. Click the Create button.
    The New Policy screen opens.
  3. In the Name field, type a unique name for the policy.
  4. For the IPsec Protocol setting, retain the default selection, ESP.
  5. From the Mode list, select iSession Using Tunnel.
  6. For the Authentication Algorithm setting, retain the default value, or select the algorithm appropriate for your deployment.
  7. For the Encryption Algorithm setting, retain the default value, or select the algorithm appropriate for your deployment.
  8. For the Perfect Forward Secrecy setting, select the option appropriate for your deployment.
  9. If, and only if, you want IPComp to compress the traffic in the IPsec tunnel, select DEFLATE from the IPComp list.
  10. For the Lifetime setting, retain the default value, 1440.
    This is the length of time (in minutes) before the current security association expires.
  11. Click Finished.
    The screen refreshes and displays the new IPsec policy in the list.
For this IPsec policy to take effect, you must associate it with the iSession routing information, using the IP Encapsulation settings on either the Quick Start screen or the Symmetric Optimization Local Endpoint screen.
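Two facts behind step 9 and the IPComp advice in the overview are easy to verify: IPComp only helps when the traffic is compressible, and it has to be applied to the payload before ESP encrypts it, because ciphertext looks random and no longer compresses. The following Python is an added example and not F5 or BIG-IP code; it uses a stdlib-only stand-in for the tunnel: raw DEFLATE through zlib for the IPComp step (with the RFC 3173 rule that a datagram is sent uncompressed when compression would not shrink it), and a toy SHA-256 keystream cipher in place of ESP. The sample syslog-style UDP payload and the pseudo-random blob are constructed, and IPComp and ESP header overhead is ignored.

```python
"""
Added example (not from the F5 manual): a stdlib-only model of the IPComp
(DEFLATE) step enabled in step 9, showing that it pays only for compressible
traffic and only when applied before ESP encryption.  The cipher below is a
toy stream cipher standing in for ESP, not an ESP implementation; header
overhead is ignored and all sample data is constructed.
"""
import hashlib
import zlib
from typing import Tuple

RAW_DEFLATE_WBITS = -15  # IPComp DEFLATE (RFC 2394) carries raw deflate data, no zlib header
KEY = b"constructed-sa-key"  # constructed stand-in for an SA's encryption key
NONCE = b"spi-0001"          # constructed stand-in for the per-SA nonce


def ipcomp_compress(payload: bytes) -> Tuple[bool, bytes]:
    """Compress as IPComp would.

    Returns (compressed, data).  RFC 3173 sends a datagram uncompressed when
    compression would not make it smaller, so the flag is False and the
    original payload is returned in that case.
    """
    comp = zlib.compressobj(6, zlib.DEFLATED, RAW_DEFLATE_WBITS)
    data = comp.compress(payload) + comp.flush()
    if len(data) < len(payload):
        return True, data
    return False, payload


def ipcomp_decompress(compressed: bool, data: bytes) -> bytes:
    """Undo ipcomp_compress on the receiving side."""
    if not compressed:
        return data
    return zlib.decompress(data, RAW_DEFLATE_WBITS)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; a toy keystream used only for this example."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; stand-in for ESP (decryption is the same call)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def wire_bytes(payload: bytes, compress_first: bool, key: bytes = KEY, nonce: bytes = NONCE) -> int:
    """Payload bytes that would cross the tunnel for the two possible orderings."""
    if compress_first:  # the IPsec order: IPComp, then ESP
        _, data = ipcomp_compress(payload)
        return len(toy_encrypt(key, nonce, data))
    # wrong order: ciphertext looks random, so IPComp finds nothing to remove
    _, data = ipcomp_compress(toy_encrypt(key, nonce, payload))
    return len(data)


# Constructed sample traffic: a syslog-style UDP payload (highly compressible)
# and a pseudo-random blob, which is what already-compressed or encrypted
# data looks like to a compressor.
SYSLOG_PAYLOAD = b"".join(
    b"<134>Jan  1 00:00:%02d host app[123]: GET /index.html 200 512 bytes\n" % i
    for i in range(20)
)
RANDOM_PAYLOAD = _keystream(b"sample-key", b"blob", 1400)


def compression_ratio(payload: bytes) -> float:
    """Bytes on the wire (IPComp then ESP) divided by the original size."""
    return wire_bytes(payload, compress_first=True) / len(payload)


if __name__ == "__main__":
    for name, payload in (("syslog", SYSLOG_PAYLOAD), ("random", RANDOM_PAYLOAD)):
        print(f"{name}: {len(payload)} bytes, IPComp-then-ESP ratio {compression_ratio(payload):.2f}, "
              f"ESP-then-compress {wire_bytes(payload, compress_first=False)} bytes")
```

The ratio for the syslog payload is well under 1, the random blob is sent uncompressed (ratio exactly 1), and encrypting first removes the benefit entirely; that is why IPComp belongs in the IPsec policy, where the system applies it before ESP, and why step 9 is worth taking only when a large share of the non-TCP traffic is compressible.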