Applies To:
BIG-IP AAM
- 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP APM
- 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP LTM
- 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP AFM
- 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP ASM
- 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Overview: Configuring IPsec ALG for AFM
You can configure IPsec application layer gateway (ALG) functionality for Advanced Firewall Manager™ (AFM™) in a number of configurations. Typical configurations include the following:
- IPsec ALG with IKE for AFM firewall with NAT
- IPsec ALG with manual keys for AFM firewall with NAT
- IPsec ALG with IKE for AFM only
About configuring IPsec ALG with IKE for AFM firewall with NAT
You can configure IPsec application layer gateway (ALG) functionality with Internet Key Exchange (IKE) security for Advanced Firewall Manager™ (AFM™) firewall with network address translation (NAT). A typical IPsec ALG configuration includes a UDP virtual server listening on Internet Security Association and Key Management Protocol (ISAKMP) port 500, with the peers using IPsec tunnel mode. When the BIG-IP system receives the first IKE packet from an inside host, it picks a translation address and port for that host's IKE flow, and, after the IKE negotiation completes successfully, creates the IKE and IPsec flows: the UDP/500 control flow and the ESP or AH data flow, which carries no port numbers of its own and so must be tied to the IKE flow that preceded it.
Network address translation is configured through the AFM Security Network Address Translation Policy. The Network Address Translation policy rule Translated Source setting must use a Source Translation that is configured to use a Type of Dynamic PAT.
An example configuration of IPsec ALG with IKE for AFM firewall with NAT
Virtual Server Configuration | Setting |
---|---|
Service Port | 500 (ISAKMP) |
Protocol | UDP |
IPsecALG Profile | Default ipsecalg profile, or custom IPsecALG profile |
Source Address Translation | AFM Security Network Address Translation Policy. Important: The Network Address Translation policy rule Translated Source setting must use a Source Translation that is configured to use a Type of Dynamic PAT. |
About configuring IPsec ALG with manual keys for AFM firewall with NAT
You can configure IPsec application layer gateway (ALG) functionality with manual keys for Advanced Firewall Manager™ (AFM™) firewall with NAT. In this configuration, ALG functionality provides connection management for protocol traffic, permitting temporary access through the firewall rules. Because the security associations are keyed manually, there is no IKE exchange on port 500 for the system to observe, so a typical configuration includes an IPsec ESP (protocol 50) or IPsec AH (protocol 51) virtual server listening on port 0 (wildcard), with the peers using IPsec tunnel mode. The IPsec ESP tunnel must be created manually for this configuration.
Network address translation is configured through the AFM Security Network Address Translation Policy. The Network Address Translation policy rule Translated Source setting must use a Source Translation that is configured to use a Type of Dynamic PAT.
An example configuration of IPsec ALG with manual keys for AFM firewall with NAT
Virtual Server Configuration | Setting |
---|---|
Service Port | 0 (* All Ports) |
Protocol | ESP (protocol 50) or AH (protocol 51) |
IPsecALG Profile | Default ipsecalg profile, or custom IPsecALG profile |
Source Address Translation | AFM Security Network Address Translation Policy. Important: The Network Address Translation policy rule Translated Source setting must use a Source Translation that is configured to use a Type of Dynamic PAT. |
About configuring IPsec ALG with IKE for AFM only
You can configure IPsec application layer gateway (ALG) functionality with Internet Key Exchange (IKE) security for use with Advanced Firewall Manager™ (AFM™) only. A typical IPsec ALG configuration includes a UDP virtual server listening on Internet Security Association and Key Management Protocol (ISAKMP) port 500. When the BIG-IP system receives the first IKE packet, it opens the IKE flow and, after the IKE negotiation completes successfully, creates the IPsec flow. In this configuration, ALG functionality provides connection management for protocol traffic, permitting temporary access through the firewall. No address translation applies in this configuration. Because no NAT rewrites the IP header, the peers can use either tunnel mode or transport mode behind the UDP virtual server.
An example configuration of IPsec ALG with IKE for AFM
Virtual Server Configuration | Setting |
---|---|
Service Port | 500 (ISAKMP) |
Protocol | UDP |
IPsecALG Profile | Default ipsecalg profile, or custom IPsecALG profile |
About negotiation of security associations
The way to dynamically negotiate security associations is to configure the Internet Key Exchange (IKE) protocol, which is included in the IPsec protocol suite. When you configure the IKE protocol, two IPsec tunnel endpoints (IKE peers) open a secure channel by establishing an ISAKMP security association (ISAKMP-SA), in which they authenticate each other and derive the keys that protect the rest of the negotiation. This exchange is known as Phase 1 negotiation.
After Phase 1 is complete and the secure channel is established, Phase 2 negotiation begins, in which the IKE peers dynamically negotiate the authentication and encryption algorithms, keys, and SPIs for the IPsec (ESP or AH) security associations that secure the payload. Phase 2 messages are themselves encrypted under the ISAKMP-SA, so a device in the path, such as the ALG, sees only the ISAKMP header of these messages, not the negotiated SPIs or keys. Without IKE, the system cannot dynamically negotiate these security algorithms; the security associations must be keyed manually.
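The flow handling described in the IKE-with-NAT configuration above (pick a translation on the first IKE packet, create the IPsec flow only after the negotiation completes) and the Phase 1 / Phase 2 distinction in this section, as an added example in Python. This is a simplified model written for this page, not BIG-IP code: the class and method names, the PAT address and port pool, the constructed ISAKMP datagrams, and the rule for binding an unknown inbound SPI to a flow are all assumptions of the model. It parses the real 28-byte ISAKMP header layout, treats a Quick Mode reply (IKEv1) or an IKE_AUTH response (IKEv2) as the point where negotiation is complete, and only then admits ESP, which has no ports and so must be pinned to the host/peer pair that negotiated it.

```python
import struct
from dataclasses import dataclass

# 28-byte ISAKMP header shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296): initiator and
# responder cookies, next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ESP_HDR = struct.Struct("!II")          # SPI and sequence number (RFC 4303); no ports
EX_QUICK_MODE, EX_IKE_AUTH = 32, 35     # IKEv1 Phase 2 exchange / IKEv2 exchange carrying the first child SA
FLAG_V2_RESPONSE = 0x20                 # IKEv2 'R' bit

@dataclass
class Translation:
    inside: str             # inside host address
    peer: str               # IKE peer on the outside
    pat_port: int           # port taken from the Dynamic PAT pool for the UDP/500 flow
    complete: bool = False  # negotiation has reached the IPsec SA exchange
    spi_in: int = 0         # SPI on ESP from peer to inside, learned from traffic (0 = unknown)
    spi_out: int = 0        # SPI on ESP from inside to peer, learned from traffic (0 = unknown)

def parse_isakmp(datagram: bytes) -> tuple:
    """Unpack the ISAKMP header, rejecting short or length-inconsistent datagrams."""
    if len(datagram) < ISAKMP_HDR.size or ISAKMP_HDR.unpack_from(datagram)[7] != len(datagram):
        raise ValueError("malformed ISAKMP datagram")
    return ISAKMP_HDR.unpack_from(datagram)

class IpsecAlg:
    """Pick a translation on the first IKE packet, track the ISAKMP header until the
    negotiation completes, then admit the portless ESP flow for the same host/peer pair."""

    def __init__(self, pat_addr: str, ports: range):
        self.pat_addr, self.free_ports = pat_addr, list(ports)
        self.by_cookie = {}   # initiator cookie -> Translation (the IKE flow)
        self.by_pair = {}     # (inside, peer) -> Translation (the ESP flow)

    def ike_from_inside(self, src: str, dst: str, datagram: bytes) -> tuple:
        """Outbound UDP/500: returns the translated (addr, port) written on the wire."""
        i_cookie = parse_isakmp(datagram)[0]
        t = self.by_cookie.get(i_cookie)
        if t is None:
            if not self.free_ports:
                raise RuntimeError("Dynamic PAT pool exhausted")
            t = self.by_cookie[i_cookie] = self.by_pair[(src, dst)] = Translation(src, dst, self.free_ports.pop(0))
        return (self.pat_addr, t.pat_port)

    def ike_from_peer(self, src: str, dport: int, datagram: bytes) -> str:
        """Inbound UDP/500: returns the inside host the packet is delivered to."""
        i_cookie, _rc, _np, ver, ex, flags, mid, _ln = parse_isakmp(datagram)
        t = self.by_cookie.get(i_cookie)
        if t is None or t.peer != src or t.pat_port != dport:
            raise PermissionError("IKE packet without an initiated flow: dropped")
        if ver >> 4 == 1 and ex == EX_QUICK_MODE and mid != 0:
            t.complete = True   # IKEv1 Quick Mode answered: Phase 2 reached
        elif ver >> 4 == 2 and ex == EX_IKE_AUTH and flags & FLAG_V2_RESPONSE:
            t.complete = True   # IKEv2 IKE_AUTH response carries the first child SA
        return t.inside

    def esp_from_inside(self, src: str, dst: str, packet: bytes) -> str:
        """Outbound IP protocol 50: returns the translated source address."""
        t = self.by_pair.get((src, dst))
        if t is None or not t.complete:
            raise PermissionError("ESP before IKE completed: dropped")
        t.spi_out = t.spi_out or ESP_HDR.unpack_from(packet)[0]   # SPI chosen by the peer
        return self.pat_addr

    def esp_from_peer(self, src: str, packet: bytes) -> str:
        """Inbound IP protocol 50 to the PAT address: returns the inside host."""
        spi = ESP_HDR.unpack_from(packet)[0]
        flows = [t for t in self.by_pair.values() if t.peer == src and t.complete]
        for t in flows:
            if t.spi_in == spi:
                return t.inside
        # An unknown SPI is bound to the newest completed flow that has not yet seen inbound
        # traffic: ESP carries nothing else to demultiplex on (modelling heuristic, not vendor logic).
        for t in reversed(flows):
            if t.spi_in == 0:
                t.spi_in = spi
                return t.inside
        raise PermissionError("ESP with no pinned flow: dropped")

def ike_msg(i_cookie: bytes, r_cookie: bytes, version: int, exchange: int,
            flags: int, msg_id: int, body: bytes = b"") -> bytes:
    """Constructed ISAKMP datagram for the demo: real header layout, opaque body."""
    return ISAKMP_HDR.pack(i_cookie, r_cookie, 0, version, exchange, flags, msg_id,
                           ISAKMP_HDR.size + len(body)) + body

def demo() -> dict:
    """One inside client: IKEv1 Main Mode, premature ESP (refused), Quick Mode, then ESP."""
    alg = IpsecAlg("203.0.113.10", range(1024, 1028))
    inside, peer = "10.0.0.5", "198.51.100.7"
    ic, rc = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
    out = {"wire_src": alg.ike_from_inside(inside, peer, ike_msg(ic, bytes(8), 0x10, 2, 0, 0))}
    wire_port = out["wire_src"][1]
    alg.ike_from_peer(peer, wire_port, ike_msg(ic, rc, 0x10, 2, 0, 0))
    try:
        alg.esp_from_inside(inside, peer, ESP_HDR.pack(0xDEAD0001, 1))
        out["early_esp"] = "allowed"
    except PermissionError:
        out["early_esp"] = "dropped"
    alg.ike_from_inside(inside, peer, ike_msg(ic, rc, 0x10, EX_QUICK_MODE, 0x01, 0x1234))
    out["qm_delivered_to"] = alg.ike_from_peer(peer, wire_port, ike_msg(ic, rc, 0x10, EX_QUICK_MODE, 0x01, 0x1234))
    out["esp_out_src"] = alg.esp_from_inside(inside, peer, ESP_HDR.pack(0xC0FFEE01, 1))
    out["esp_in_dst"] = alg.esp_from_peer(peer, ESP_HDR.pack(0xBEEF0001, 1))
    return out
```

Running `demo()` walks one client through the sequence: the first Main Mode packet allocates port 1024 from the PAT pool, an ESP packet sent before Quick Mode is refused, and once the Quick Mode reply has been seen the outbound and inbound ESP packets are translated and delivered. The SPI-learning heuristic is the weak spot of any port-less ALG: two inside hosts negotiating with the same peer through one PAT address cannot be told apart by anything in the ESP packet itself, which is why the model binds SPIs per flow as traffic appears.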
About IPsec Tunnel mode
Tunnel mode causes ESP to encrypt the entire original packet (the payload plus the original IP header). This encrypted packet is then carried as the payload of a new outer packet with a new IP header whose addresses are the tunnel endpoints. Traffic sent in this mode is more secure than traffic sent in Transport mode, because the original IP header, and with it the identity of the inner hosts, is encrypted along with the original payload. The outer header is the only header a device in the path, such as a NAT, can read or rewrite; ESP tolerates such rewriting, whereas AH does not, because its integrity check covers the source and destination addresses of the header it is attached to.
About IPsec Transport mode
Transport mode causes ESP to encrypt only the payload of an IP packet. The original IP header is kept and the encrypted payload is enclosed behind it in a normal IP packet. Traffic sent in Transport mode is less secure than traffic sent in Tunnel mode, because the IP header in each packet, including the real source and destination addresses, is not encrypted.
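The two encapsulations described in these two sections, as an added example in Python that builds both forms of an ESP packet and shows what an on-path device can and cannot read. This is illustration code written for this page, not BIG-IP or any IPsec implementation: the addresses, key, and payload are constructed, the confidentiality transform is a toy keystream built from HMAC-SHA256 standing in for a real ESP cipher, and the ICV is truncated HMAC-SHA256; only the RFC 4303 packet layout (SPI, sequence number, encrypted body, trailer, ICV) is the real thing. It also shows that rewriting the outer header, as a NAT does, leaves the ESP integrity check intact, while tampering with the protected body does not.

```python
import hmac, hashlib, struct

IPPROTO_ESP, IPPROTO_IPIP, IPPROTO_TCP = 50, 4, 6

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; constructed for the demo)."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                       proto, 0, to_bytes(src), to_bytes(dst))

def keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Toy confidentiality transform (HMAC-SHA256 in counter mode), a stand-in for the ESP
    cipher so the example runs with the standard library only. Symmetric: apply twice to undo."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], ks))
    return bytes(out)

def esp_encapsulate(mode, key, spi, seq, inner_src, inner_dst, proto, payload, gw_src=None, gw_dst=None):
    """Build IP + ESP (RFC 4303 layout: SPI, sequence, encrypted body with trailer, 12-byte ICV).
    tunnel: the whole original IP packet is the protected body; outer addresses are the gateways.
    transport: only the original payload is protected; the original IP header stays in clear."""
    if mode == "tunnel":
        body, next_hdr = ipv4_header(inner_src, inner_dst, proto, len(payload)) + payload, IPPROTO_IPIP
        outer_src, outer_dst = gw_src, gw_dst
    elif mode == "transport":
        body, next_hdr = payload, proto
        outer_src, outer_dst = inner_src, inner_dst
    else:
        raise ValueError(mode)
    pad = (-(len(body) + 2)) % 4                        # ESP trailer: padding, pad length, next header
    body += bytes(range(1, pad + 1)) + bytes([pad, next_hdr])
    esp = struct.pack("!II", spi, seq) + keystream_xor(key, spi, seq, body)
    esp += hmac.new(key, esp, hashlib.sha256).digest()[:12]   # ICV over SPI, seq and ciphertext only
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp

def esp_decapsulate(key: bytes, packet: bytes) -> tuple:
    """Verify the ICV, decrypt, strip the trailer; returns (next_header, protected_bytes)."""
    esp, icv = packet[20:-12], packet[-12:]
    if not hmac.compare_digest(hmac.new(key, esp, hashlib.sha256).digest()[:12], icv):
        raise ValueError("ICV mismatch: protected part modified in transit")
    spi, seq = struct.unpack_from("!II", esp)
    plain = keystream_xor(key, spi, seq, esp[8:])
    pad, next_hdr = plain[-2], plain[-1]
    return next_hdr, plain[:-(2 + pad)]

def outer_addresses(packet: bytes) -> tuple:
    """What an on-path device such as a NAT can read: the cleartext IP header only."""
    src, dst = struct.unpack_from("!4s4s", packet, 12)
    return ".".join(map(str, src)), ".".join(map(str, dst))

def tamper_rejected(key: bytes, packet: bytes) -> bool:
    """Flip one ciphertext byte and check that decapsulation refuses the packet."""
    bad = bytearray(packet)
    bad[30] ^= 0x01          # offset 30 lies inside the encrypted body (after 20 IP + 8 ESP header bytes)
    try:
        esp_decapsulate(key, bytes(bad))
        return False
    except ValueError:
        return True

def demo() -> dict:
    key, payload = b"constructed-demo-key", b"GET / HTTP/1.1\r\n"    # constructed inputs
    inner = ("10.0.0.5", "10.1.0.9")        # hosts behind the two gateways
    gws = ("192.0.2.1", "198.51.100.1")      # tunnel endpoints
    tun = esp_encapsulate("tunnel", key, 0x1001, 1, *inner, IPPROTO_TCP, payload, *gws)
    tra = esp_encapsulate("transport", key, 0x1002, 1, *inner, IPPROTO_TCP, payload)
    # A NAT rewriting the outer source address: the ICV does not cover the IP header.
    natted = ipv4_header("203.0.113.10", gws[1], IPPROTO_ESP, len(tun) - 20) + tun[20:]
    inner_pkt = ipv4_header(*inner, IPPROTO_TCP, len(payload)) + payload
    return {
        "tunnel_visible": outer_addresses(tun),
        "transport_visible": outer_addresses(tra),
        "tunnel_hides_inner": bytes([10, 1, 0, 9]) not in tun,
        "payload_hidden": payload not in tun and payload not in tra,
        "tunnel_next": esp_decapsulate(key, tun)[0],
        "transport_next": esp_decapsulate(key, tra)[0],
        "tunnel_inner_ok": esp_decapsulate(key, tun)[1] == inner_pkt,
        "transport_inner_ok": esp_decapsulate(key, tra)[1] == payload,
        "survives_outer_nat": esp_decapsulate(key, natted)[1] == inner_pkt,
        "tamper_rejected": tamper_rejected(key, tun),
    }
```

In the tunnel-mode packet the only addresses in the clear are the two gateways and the decapsulated body is a complete inner IP packet (next header 4, IP-in-IP); in the transport-mode packet the real end hosts are visible and the body is just the TCP payload (next header 6). The NAT case is the reason the configurations on this page pair NAT with ESP: the ICV covers nothing in the outer header, so a rewritten source address decapsulates cleanly, whereas the same rewrite would invalidate an AH integrity check.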