Manual Chapter : Configuring IPsec ALG for AFM

Applies To:


BIG-IP AAM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP APM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP LTM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP AFM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP ASM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

Overview: Configuring IPsec ALG for AFM

You can configure IPsec application layer gateway (ALG) functionality for Advanced Firewall Manager™ (AFM™) in a number of configurations. Typical configurations include the following:

  • IPsec ALG with IKE for AFM firewall with NAT
  • IPsec ALG with manual keys for AFM firewall with NAT
  • IPsec ALG with IKE for AFM only

About configuring IPsec ALG with IKE for AFM firewall with NAT

You can configure IPsec application layer gateway (ALG) functionality with Internet Key Exchange (IKE) security for an Advanced Firewall Manager™ (AFM™) firewall with network address translation (NAT). A typical IPsec ALG configuration includes a UDP virtual server listening on Internet Security Association and Key Management Protocol (ISAKMP) port 500, using IPsec tunnel mode. When the BIG-IP system receives the first IKE packet, it selects a translation address for the initiator from the NAT policy's source translation and, after the IKE negotiation completes successfully, creates the IKE and IPsec flows. The IPsec flow (ESP or AH) carries no port numbers, so it cannot be translated like ordinary UDP or TCP; this is why the ALG handles the IKE exchange and the IPsec traffic that follows it together.

Network address translation is configured through the AFM Security Network Address Translation Policy. The Network Address Translation policy rule Translated Source setting must use a Source Translation that is configured to use a Type of Dynamic PAT.

An example configuration of IPsec ALG with IKE for AFM firewall with NAT

Table 1. A typical IPsec ALG with IKE for AFM firewall with NAT virtual server configuration

  Virtual Server Configuration Setting   Value
  Service Port                           500 (ISAKMP) for UDP
  Protocol                               UDP
  IPsecALG Profile                       Default ipsecalg profile, or a custom IPsecALG profile
  Source Address Translation             AFM Security Network Address Translation Policy

Important: The Network Address Translation policy rule Translated Source setting must use a Source Translation that is configured to use a Type of Dynamic PAT.

About configuring IPsec ALG with manual keys for AFM firewall with NAT

You can configure IPsec application layer gateway (ALG) functionality with manual keys for an Advanced Firewall Manager™ (AFM™) firewall with NAT. In this configuration, ALG functionality provides connection management for protocol traffic, permitting temporary access through the firewall rules. A typical IPsec ALG configuration includes an IPsec ESP (IP protocol 50) or IPsec AH (IP protocol 51) virtual server listening on port 0 (wildcard), using IPsec tunnel mode. Because no IKE negotiation takes place, the IPsec ESP tunnel, including its security associations and keys, must be created manually on both peers for this configuration.

Network address translation is configured through the AFM Security Network Address Translation Policy. The Network Address Translation policy rule Translated Source setting must use a Source Translation that is configured to use a Type of Dynamic PAT.

An example configuration of IPsec ALG with manual keys for AFM firewall with NAT

Table 2. A typical IPsec ALG with manual keys for AFM virtual server configuration

  Virtual Server Configuration Setting   Value
  Service Port                           0 (* All Ports)
  Protocol                               One of the following: IPsec ESP, IPsec AH
  IPsecALG Profile                       Default ipsecalg profile, or a custom IPsecALG profile
  Source Address Translation             AFM Security Network Address Translation Policy

Important: The Network Address Translation policy rule Translated Source setting must use a Source Translation that is configured to use a Type of Dynamic PAT.

About configuring IPsec ALG with IKE for AFM only

You can configure IPsec application layer gateway (ALG) functionality with Internet Key Exchange (IKE) security for use with Advanced Firewall Manager™ (AFM™) only, without NAT. A typical IPsec ALG configuration includes a UDP virtual server listening on Internet Security Association and Key Management Protocol (ISAKMP) port 500. When the BIG-IP system receives the first IKE packet, it begins tracking the negotiation and, after the IKE negotiation completes successfully, creates the IKE and IPsec flows. In this configuration, ALG functionality provides connection management for protocol traffic, permitting temporary access through the firewall for the lifetime of those flows. No address translation applies in this configuration, so no Source Address Translation setting is required. You can configure AFM to use a virtual server with the UDP protocol in either tunnel mode or transport mode.

An example configuration of IPsec ALG with IKE for AFM

Table 3. A typical IPsec ALG with IKE for AFM virtual server configuration

  Virtual Server Configuration Setting   Value
  Service Port                           500 (ISAKMP)
  Protocol                               UDP
  IPsecALG Profile                       Default ipsecalg profile, or a custom IPsecALG profile
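
The flow handling described for the two IKE-based configurations (IKE with NAT, and IKE for AFM only) can be modelled in a few lines. The following is an added example, not F5 code and not the BIG-IP API: it parses the fixed ISAKMP header (RFC 2408 / RFC 7296) and the ESP header (RFC 4303) from constructed packets, chooses a Dynamic PAT translation when the first IKE packet arrives, and only then admits ESP between the same pair of addresses. An empty translation pool models the AFM-only configuration, in which nothing is translated. The class and function names, the pool addresses, the round-robin pool choice and the simplification that the IKE flow is created on the first packet rather than after the negotiation completes are assumptions of the example; the manual-keys configuration, where ESP arrives without any IKE exchange, is not modelled here.

```python
import struct
from dataclasses import dataclass, field

ISAKMP_PORT = 500                            # UDP port of the IPsec ALG virtual server
IPPROTO_ESP = 50
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")    # fixed 28-byte IKE header (RFC 2408 / RFC 7296)
ESP_HDR = struct.Struct("!II")               # ESP: SPI, sequence number (RFC 4303)


def parse_isakmp(payload: bytes):
    """Return (initiator SPI, responder SPI, exchange type) or None when the header is malformed."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    i_spi, r_spi, _next, version, exch, _flags, _msg_id, length = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload) or (version >> 4) not in (1, 2):   # major version 1 = IKEv1, 2 = IKEv2
        return None
    return i_spi, r_spi, exch


@dataclass
class IpsecAlg:
    """Simplified ALG state (assumption): an empty nat_pool models the AFM-only, no-NAT configuration."""
    nat_pool: list                                         # translation addresses for Dynamic PAT
    next_port: int = 1024
    ike_flows: dict = field(default_factory=dict)          # (inner src, peer) -> (translated addr, port)
    esp_flows: dict = field(default_factory=dict)          # (inner src, peer, SPI) -> translated addr

    def _translate(self, inner_src):
        if not self.nat_pool:                              # AFM only: address and port unchanged
            return inner_src, ISAKMP_PORT
        addr = self.nat_pool[len(self.ike_flows) % len(self.nat_pool)]   # round robin (assumption)
        port, self.next_port = self.next_port, self.next_port + 1        # Dynamic PAT: new port per flow
        return addr, port

    def udp(self, src, dst, dport, payload):
        """Handle a UDP packet: ('permit', translated source) or ('drop', reason)."""
        if dport != ISAKMP_PORT or parse_isakmp(payload) is None:
            return "drop", "not a well-formed ISAKMP message on UDP/500"
        key = (src, dst)
        if key not in self.ike_flows:                      # first IKE packet: pick the translation
            self.ike_flows[key] = self._translate(src)
        return "permit", self.ike_flows[key]

    def esp(self, src, dst, payload):
        """Handle an ESP packet (IP protocol 50), which has no ports to translate."""
        if len(payload) < ESP_HDR.size:
            return "drop", "truncated ESP header"
        spi, _seq = ESP_HDR.unpack_from(payload)
        if spi == 0:                                       # SPI 0 is reserved
            return "drop", "reserved SPI 0"
        key = (src, dst, spi)
        if key not in self.esp_flows:
            ike = self.ike_flows.get((src, dst))
            if ike is None:                                # no pinhole without a prior IKE exchange
                return "drop", "ESP without a preceding IKE negotiation"
            self.esp_flows[key] = ike[0]                   # reuse the address chosen for the IKE flow
        return "permit", self.esp_flows[key]


def demo(nat: bool):
    """Run a constructed packet sequence through the ALG and return the decisions in order."""
    alg = IpsecAlg(nat_pool=["203.0.113.10", "203.0.113.11"] if nat else [])
    # constructed IKEv2 IKE_SA_INIT header: next payload 33 (SA), version 2.0,
    # exchange type 34, initiator flag set, message ID 0, no payloads after the header
    ike = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, ISAKMP_HDR.size)
    esp = ESP_HDR.pack(0xABCD, 1)
    return [
        alg.esp("10.1.1.5", "198.51.100.7", esp),                 # ESP before IKE: dropped
        alg.udp("10.1.1.5", "198.51.100.7", 500, ike),            # first IKE packet: translation chosen
        alg.esp("10.1.1.5", "198.51.100.7", esp),                 # ESP after IKE: flow created
        alg.udp("10.1.1.5", "198.51.100.7", 500, b"\x00" * 10),   # short bogus message: dropped
    ]


if __name__ == "__main__":
    for decision in demo(nat=True):
        print(decision)
```

With NAT enabled the IKE flow is mapped to 203.0.113.10:1024 and the ESP flow inherits that address; with the pool empty both flows keep the original source. The point the model makes is the one the tables imply: ESP gets through the firewall only because an IKE exchange on UDP/500 preceded it, and Dynamic PAT alone could not carry it because there is no port to rewrite.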

About negotiation of security associations

The way to dynamically negotiate security associations is to use the Internet Key Exchange (IKE) protocol, which is part of the IPsec protocol suite. When you configure IKE, the two IPsec tunnel endpoints (IKE peers) first establish an ISAKMP security association (ISAKMP-SA), a protected channel over which they authenticate each other. This exchange is known as Phase 1 negotiation.

After Phase 1 is complete and the protected channel is established, Phase 2 negotiation begins, in which the IKE peers negotiate the IPsec security associations that protect the payload: the authentication and encryption algorithms, the keys, and the Security Parameter Indexes (SPIs) for ESP or AH. Without IKE, the system cannot negotiate these parameters dynamically, and they must be configured manually on both peers, as in the manual-keys configuration.

About IPsec Tunnel mode

Tunnel mode causes the IPsec protocol to protect the entire original packet (the payload plus the original IP header). With ESP, this whole packet is encrypted and carried as the payload of a new outer packet with a new IP header, whose addresses are those of the tunnel endpoints (for example, the two gateways) rather than the original hosts. Traffic sent in this mode reveals less than traffic sent in Transport mode, because the original source and destination addresses are hidden along with the original payload; an observer on the path still sees the outer header, the ESP SPI and the packet length. Note that AH authenticates but does not encrypt, so confidentiality in either mode requires ESP.

About IPsec Transport mode

Transport mode causes the IPsec protocol to protect only the payload of an IP packet. With ESP, the encrypted payload is carried behind the original IP header, so the packet still travels between the original source and destination addresses. Traffic sent in Transport mode reveals more than traffic sent in Tunnel mode, because the IP header of each packet, and with it the identity of the communicating hosts, is not encrypted.
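
The difference between the two modes is easiest to see on the wire. The following added example (not from the F5 manual, not BIG-IP code) builds an ESP tunnel-mode packet, an ESP transport-mode packet and, to show the AH caveat, an AH transport-mode packet from constructed data, then lists what a passive observer without the key can read from each. The encryption is a placeholder XOR so the example runs offline, the IPv4 checksum and AH integrity value are left at zero, and the addresses and payload are constructed; none of that is part of the original page.

```python
import socket
import struct

IPPROTO_ESP, IPPROTO_AH, IPPROTO_UDP = 50, 51, 17
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")     # 20-byte IPv4 header, no options


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header for illustration (header checksum left at 0)."""
    total = IPV4_HDR.size + len(payload)
    return IPV4_HDR.pack(0x45, 0, total, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + payload


def toy_encrypt(data):
    """Placeholder, not a cipher: stands in for the ESP transform negotiated in IKE Phase 2."""
    return bytes(b ^ 0x5A for b in data)


def esp_tunnel(inner_src, inner_dst, gw_src, gw_dst, payload, spi, seq):
    """Tunnel mode: the whole original packet, header included, becomes the encrypted ESP payload."""
    inner = ipv4(inner_src, inner_dst, IPPROTO_UDP, payload)
    # ESP trailer: pad length 0, next header 4 (an IPv4 packet is inside)
    esp = struct.pack("!II", spi, seq) + toy_encrypt(inner + bytes([0, 4]))
    return ipv4(gw_src, gw_dst, IPPROTO_ESP, esp)


def esp_transport(src, dst, payload, spi, seq):
    """Transport mode: only the payload is encrypted; the original IP header stays in the clear."""
    esp = struct.pack("!II", spi, seq) + toy_encrypt(payload + bytes([0, IPPROTO_UDP]))
    return ipv4(src, dst, IPPROTO_ESP, esp)


def ah_transport(src, dst, payload, spi, seq):
    """AH transport mode: integrity only, nothing is encrypted (96-bit ICV left as zeros here)."""
    ah = struct.pack("!BBHII", IPPROTO_UDP, 4, 0, spi, seq) + bytes(12)   # payload len 4 = 24/4 - 2
    return ipv4(src, dst, IPPROTO_AH, ah + payload)


def visible_on_wire(pkt):
    """Fields a passive observer reads without any key: outer addresses, protocol and SPI."""
    f = IPV4_HDR.unpack_from(pkt)
    spi_off = IPV4_HDR.size + (4 if f[6] == IPPROTO_AH else 0)   # AH puts its SPI after a 4-byte prefix
    (spi,) = struct.unpack_from("!I", pkt, spi_off)
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]), "proto": f[6], "spi": spi}


def compare():
    """Build one packet per mode from constructed data and report what each one exposes."""
    payload = b"constructed application data"
    hosts = ("10.1.1.5", "10.2.2.9")                       # constructed inner hosts
    pkts = {
        "esp_tunnel": esp_tunnel(*hosts, "203.0.113.10", "198.51.100.7", payload, 0x1000, 1),
        "esp_transport": esp_transport(*hosts, payload, 0x1000, 1),
        "ah_transport": ah_transport(*hosts, payload, 0x2000, 1),
    }
    report = {}
    for name, pkt in pkts.items():
        info = visible_on_wire(pkt)
        info["inner_src_exposed"] = socket.inet_aton(hosts[0]) in pkt   # original host address readable?
        info["payload_exposed"] = payload in pkt                        # application data readable?
        report[name] = info
    return report


if __name__ == "__main__":
    for name, info in compare().items():
        print(name, info)
```

In the tunnel-mode packet the observer sees only the gateway addresses 203.0.113.10 and 198.51.100.7 and the SPI; in ESP transport mode the real hosts 10.1.1.5 and 10.2.2.9 are readable while the payload is not; in AH transport mode both the hosts and the payload are readable, which is the reason AH provides integrity but no confidentiality.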