Before you begin encrypting application traffic, you must secure the iSession™ endpoints using SSL.
After the iSession connection is secure, the easiest and quickest method of configuring
application data encryption using IPsec is on the Quick Start screen.
Note: For this implementation, creating a custom policy is an optional task.
Task list
- Encrypting application traffic using IPsec on the Quick Start screen
- Creating a custom IPsec policy for iSession traffic
Encrypting application traffic using IPsec on the Quick Start screen
You cannot view the Quick Start screen until you have defined at least one VLAN and
at least one self IP on a configured BIG-IP® system that is
provisioned for acceleration.
You complete this task to encrypt application traffic over an iSession connection
using IPsec.
1. On the Main tab, click .
2. In the IP Encapsulation area, select IPsec from the IP Encapsulation Type list.
   The screen refreshes and displays the IPSEC Policy field.
3. From the IPSEC Policy list, select an IPsec policy.
   You can use the pre-defined default policy default-ipsec-policy-isession, or create a custom policy, which the system adds to the list.
4. Click Apply.
Application traffic is now encrypted over the iSession connection using IPsec, according to the settings in the selected IPsec policy.
Creating a custom IPsec policy for iSession traffic
You can create a custom IPsec policy for iSession traffic if you want settings
that are different from the default values. For example, you might want to specify a
different authentication algorithm or Diffie-Hellman group for IKE phase 2
negotiations.
1. On the Main tab, click .
2. Click the Create button.
   The New Policy screen opens.
3. In the Name field, type a unique name for the policy.
4. From the Mode list, select iSession Using Tunnel.
5. From the Authentication Algorithm list, select an algorithm.
   These are the possible values:
   - SHA-1
   - AES-GCM128
   - AES-GCM192
   - AES-GCM256
   - AES-GMAC128
   - AES-GMAC192
   - AES-GMAC256
6. From the Perfect Forward Secrecy list, select a Diffie-Hellman group.
   These are the possible values:
   - MODP768
   - MODP1024
   - MODP1536
   - MODP2048
   - MODP3072
   - MODP4096
   - MODP6144
   - MODP8192
7. For the IPComp setting, specify whether to use IPComp encapsulation, which performs packet-level compression before encryption:
   - Retain the default value None if you do not want to enable packet-level compression before encryption.
   - Select DEFLATE to enable packet-level compression before encryption.
8. Click Finished.
   The screen refreshes and displays the new IPsec policy in the list.
For a custom IPsec policy to take effect, you must apply it to the iSession
endpoints. You can select it on the Quick Start screen or the Local Endpoint screen.
The selected policy settings must be the same on both endpoints of an iSession
connection.
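The endpoint-consistency requirement above, as an added check (example code, not part of the BIG-IP product or its API): a policy is represented as a plain dict whose field names are an assumption, with the allowed values taken from the procedure, and the script reports unknown values, Diffie-Hellman groups below 2048 bits, and any setting that differs between the two endpoints.

```python
"""Added example: validate iSession IPsec policy settings and compare both endpoints.
The dict representation and field names are assumptions; BIG-IP exposes no such API."""
from typing import Dict, List

# Allowed values, as listed in the custom-policy procedure.
AUTH_ALGORITHMS = {"SHA-1", "AES-GCM128", "AES-GCM192", "AES-GCM256",
                   "AES-GMAC128", "AES-GMAC192", "AES-GMAC256"}
PFS_GROUPS = {"MODP768", "MODP1024", "MODP1536", "MODP2048",
              "MODP3072", "MODP4096", "MODP6144", "MODP8192"}
IPCOMP_SETTINGS = {"None", "DEFLATE"}
# MODP groups below 2048 bits are deprecated for IKE (RFC 8247); flag them.
WEAK_GROUPS = {"MODP768", "MODP1024", "MODP1536"}
COMPARED_FIELDS = ("mode", "auth_algorithm", "pfs_group", "ipcomp")


def validate_policy(policy: Dict[str, str]) -> List[str]:
    """Return the problems found in one policy definition (empty list means OK)."""
    issues: List[str] = []
    if policy.get("mode") != "iSession Using Tunnel":
        issues.append("mode must be 'iSession Using Tunnel' for iSession traffic")
    auth = policy.get("auth_algorithm")
    if auth not in AUTH_ALGORITHMS:
        issues.append(f"unknown authentication algorithm: {auth!r}")
    pfs = policy.get("pfs_group")
    if pfs not in PFS_GROUPS:
        issues.append(f"unknown Diffie-Hellman group: {pfs!r}")
    elif pfs in WEAK_GROUPS:
        issues.append(f"weak Diffie-Hellman group {pfs}; use MODP2048 or larger")
    if policy.get("ipcomp", "None") not in IPCOMP_SETTINGS:
        issues.append(f"unknown IPComp setting: {policy.get('ipcomp')!r}")
    return issues


def compare_endpoints(local: Dict[str, str], remote: Dict[str, str]) -> List[str]:
    """Fields that differ between the two endpoints' policies; must be empty for IPsec to work."""
    return [f for f in COMPARED_FIELDS if local.get(f) != remote.get(f)]


# Constructed sample policies for a local and a remote iSession endpoint.
LOCAL_POLICY = {"name": "isession-custom", "mode": "iSession Using Tunnel",
                "auth_algorithm": "AES-GCM256", "pfs_group": "MODP2048", "ipcomp": "None"}
REMOTE_POLICY = {"name": "isession-custom", "mode": "iSession Using Tunnel",
                 "auth_algorithm": "AES-GCM256", "pfs_group": "MODP1024", "ipcomp": "DEFLATE"}

if __name__ == "__main__":
    for p in (LOCAL_POLICY, REMOTE_POLICY):
        print(p["name"], validate_policy(p) or "ok")
    print("mismatched fields:", compare_endpoints(LOCAL_POLICY, REMOTE_POLICY))
```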