Applies To:
BIG-IP AAM
- 13.0.1, 13.0.0
BIG-IP APM
- 13.0.1, 13.0.0
BIG-IP LTM
- 13.0.1, 13.0.0
BIG-IP AFM
- 13.0.1, 13.0.0
BIG-IP ASM
- 13.0.1, 13.0.0
Overview: Configuring IPsec between a BIG-IP system and a third-party device
You can configure an IPsec tunnel when you want to use a protocol other than SSL to secure traffic that traverses a wide area network (WAN), from a BIG-IP® system to a third-party device. By following this process, you can configure an IKE peer to negotiate Phase 1 Internet Security Association and Key Management Protocol (ISAKMP) security associations for the secure channel between two systems. You can also configure a custom traffic selector and a custom IPsec policy that use this secure channel to generate IPsec Tunnel mode (Phase 2) security associations (SAs).
This implementation describes the tasks for setting up the IPsec tunnel on the BIG-IP system. You must also configure the third-party device at the other end of the tunnel. For those instructions, refer to the manufacturer's documentation for your device.
Example of an IPsec tunnel between a BIG-IP system and a third-party device
About negotiation of security associations
The way to dynamically negotiate security associations is to configure the Internet Key Exchange (IKE) protocol, which is included in the IPsec protocol suite. When you configure the IKE protocol, two IPsec tunnel endpoints (IKE peers) open a secure channel using an ISAKMP security association (ISAKMP-SA) to initially negotiate the exchange of peer-to-peer authentication data. This exchange is known as Phase 1 negotiation.
After Phase 1 is complete and the secure channel is established, Phase 2 negotiation begins, in which the IKE peers dynamically negotiate the authentication and encryption algorithms to use to secure the payload. Without IKE, the system cannot dynamically negotiate these security algorithms.
About IPsec Tunnel mode
Tunnel mode causes the IPsec protocol to encrypt the entire packet (the payload plus the IP header). This encrypted packet is then included as the payload in another outer packet with a new header. Traffic sent in this mode is more secure than traffic sent in Transport mode, because the original IP header is encrypted along with the original payload.
About BIG-IP components of the IPsec protocol suite
The IPsec protocol suite on the BIG-IP® system consists of these configuration components:
- IKE peers
- An IKE peer is a configuration object of the IPsec protocol suite that represents a BIG-IP system on each side of the IPsec tunnel. IKE peers allow two systems to authenticate each other (known as IKE Phase 1). The BIG-IP system supports two versions of the IKE protocol: Version 1 (IKEv1) and Version 2 (IKEv2). The BIG-IP system includes the default IKE peer, named anonymous, which is configured to use Version 1.
Note: The BIG-IP system currently supports IKEv2 only in Tunnel mode, and does not support IPComp or NAT-T with IKEv2.
- IPsec policies
- An IPsec policy is a set of information that defines the specific IPsec protocol to use (ESP or AH), and the mode (Transport, Tunnel, or iSession). For Tunnel mode, the policy also specifies the endpoints for the tunnel, and for IKE Phase 2 negotiation, the policy specifies the security parameters to be used in that negotiation. The way that you configure the IPsec policy determines the way that the BIG-IP system manipulates the IP headers in the packets. The BIG-IP system includes two default IPsec policies, named default-ipsec-policy and default-ipsec-policy-isession. A common configuration includes a bidirectional policy on each BIG-IP system.
- Traffic selectors
- A traffic selector is a packet filter that defines what traffic should be handled by an IPsec policy. You define the traffic by source and destination IP addresses and port numbers. A common configuration includes a bidirectional traffic selector on each BIG-IP system.
Task summary
You can configure the IPsec and IKE protocols to secure traffic that traverses a wide area network (WAN), such as from one data center to another.
Before you begin configuring IPsec and IKE, verify that the following module, system objects, and connectivity exist on the BIG-IP system:
- BIG-IP Local Traffic Manager™
- This module directs traffic securely and efficiently to the appropriate destination on a network.
- Self IP address
- The BIG-IP system must have at least one self IP address, to be used in specifying the end of the IPsec tunnel.
- The default VLANs
- These VLANs are named external and internal.
- BIG-IP connectivity
- Verify the connectivity between the client or server and its BIG-IP device, and between the BIG-IP device and its gateway. For example, you can use ping to test this connectivity.
Task list
Creating a forwarding virtual server for IPsec
Creating an IKE peer
The IKE peer object identifies, to the system you are configuring, the other device with which it communicates during Phase 1 negotiations. The IKE peer object also specifies the algorithms and credentials to be used for Phase 1 negotiation.
Creating a custom IPsec policy
You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode.
Creating a bidirectional IPsec traffic selector
Verifying IPsec connectivity for Tunnel mode
After you have configured an IPsec tunnel and before you configure additional functionality, you can verify that the tunnel is passing traffic.
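The three components described earlier (IKE peer, IPsec policy, traffic selector) and this verification step, as one added tmsh example that is not part of this page or of F5's own documentation. It assumes a BIG-IP self IP of 192.0.2.1, a third-party peer at 198.51.100.1, inner subnets 10.1.0.0/24 and 10.2.0.0/24, IKEv2 with a pre-shared key, and that the attribute names are those of the tmsh `net ipsec` objects on this release; object names, addresses and the key are placeholders.

```tmsh
# Phase 1: IKE peer for the third-party device. IKEv2 is chosen, so the
# policy below must use Tunnel mode (IKEv2 is Tunnel-mode only here).
# Names, addresses and the key are assumed placeholders for this example.
create net ipsec ike-peer thirdparty_peer \
    remote-address 198.51.100.1 \
    my-id-type address my-id-value 192.0.2.1 \
    peers-id-type address peers-id-value 198.51.100.1 \
    version replace-all-with { v2 } \
    phase1-auth-method pre-shared-key \
    preshared-key REPLACE_WITH_STRONG_PSK \
    phase1-encrypt-algorithm aes256 \
    phase1-hash-algorithm sha256 \
    phase1-perfect-forward-secrecy modp2048 \
    lifetime 1440

# Phase 2: custom IPsec policy, ESP in Tunnel mode between the two outer
# (self IP and peer) addresses, with PFS so each Phase 2 SA gets fresh keys.
create net ipsec ipsec-policy thirdparty_policy \
    ipsec-protocol esp \
    mode tunnel \
    tunnel-local-address 192.0.2.1 \
    tunnel-remote-address 198.51.100.1 \
    ike-phase2-auth-algorithm sha256 \
    ike-phase2-encrypt-algorithm aes256 \
    ike-phase2-perfect-forward-secrecy modp2048 \
    ike-phase2-lifetime 1440

# Traffic selector: the inner subnets the policy protects, in both directions.
create net ipsec traffic-selector thirdparty_ts \
    source-address 10.1.0.0/24 \
    destination-address 10.2.0.0/24 \
    direction both \
    ipsec-policy thirdparty_policy

save sys config

# Verification: after traffic matching the selector (for example a ping from
# 10.1.0.0/24 to 10.2.0.0/24) triggers negotiation, a Phase 1 SA for the peer
# and a Phase 2 SA for the policy's tunnel addresses should be listed.
show net ipsec ike-sa
show net ipsec ipsec-sa
```

The forwarding virtual server from the task list must also exist, or the inner traffic is never routed through the BIG-IP system and no SA is negotiated.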
Implementation result
You now have an IPsec tunnel for securing traffic that traverses the WAN, from one BIG-IP system to a third-party device.