Forum Discussion
mr_evil_116524
Jun 11, 2013, Nimbostratus
This is now fixed.
After spending some time with f5 support we found the issue and resolved it.
For future reference, users can follow the guide http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-1/14.html to set up an IPsec tunnel either between F5s or with any 3rd-party hardware firewall.
- Scottie_Cole_13 (Nov 11, 2013, Nimbostratus): What was the fix on this? I'm having the same problem and am still working with support on it.
- mr_evil_116524 (Nov 12, 2013, Nimbostratus): Man, this was a mission to get working; to be honest, it was very simple... now that I have, what, 3 different IPsec tunnels. I take it you have created the Peer list, Traffic Selector list and IPsec Policy list? Have you also created forwarding VIPs? You should have two forwarding VIPs, one for IN and the other for OUT. DO NOTE that when you are in the Traffic Selector list, do not specify any port; just allow all ports. You will control ports at the VIP level.

  Let me explain the VIPs. Say your F5 A has an internal range of 192.168.0.0/20 and F5 B has 10.10.0.0/20. You create one VIP where the source is 192.168.0.0/20 and the destination is 10.10.0.0/20, and you create another VIP where the source is 10.10.0.0/20 and the destination is 192.168.0.0/20. All these VIPs will be forwarding VIPs. Allow *All Ports and *All Protocols (for testing, of course). Once you have all these in place, I would suggest you try to ping from site A to site B and at the same time go to your site A F5 and run the following command: tcpdump -nni 0.0 host and icmp. This will tell you which VIP it is using. Let me know how you go with this.
- Scottie_Cole_13 (Nov 12, 2013, Nimbostratus): I finally got the tunnel to come up, but the traffic is still trying to route out to the Internet instead of over the IPsec tunnel. Any other ideas?
- mr_evil_116524 (Nov 13, 2013, Nimbostratus): Yeah, I had that issue too, lol. OK, you should check the default gateway for the Internet in the F5 and check the peer IP that you are using to set up the IPsec: are they the same? Also go to your internal server and check what IP address you get when you go to www.whatismyip.com; see what you get. Do they all match? I think your default gateway is different from what the server has for its Internet access.
- Scottie_82518 (Nov 13, 2013, Nimbostratus): I got things to ping when I remove my SNAT rule for the servers. The F5 is our default gateway for all the servers. When the SNAT rule for Internet access is enabled, the traffic attempts to route to the Internet instead of being protected. When I remove the SNAT, the VPN tunnel works, but of course the Internet dies. I'm thinking I may have to do an iRule. I'll keep you posted.
- mr_evil_116524 (Nov 13, 2013, Nimbostratus): Hi Scottie, it looks like you are doing exactly the same setup as I have done with our F5. Here is what you can do: you can create forwarding VIPs for the IPsec traffic only and create another VIP for your Internet traffic with SNAT. So at the end of the day you should have 3 VIPs with respective names. Hope this helps.
- mr_evil_116524 (Nov 13, 2013, Nimbostratus): The 3rd VIP should be source 0.0.0.0/0 and destination 0.0.0.0/0, with SNAT.
- boneyard (Nov 24, 2013, MVP): Can you explain this whole virtual server part a little more? In the documentation they only mention one virtual server; why is there a need for more, and how exactly are these used?
- mr_evil_116524 (Dec 08, 2013, Nimbostratus): Hi there, you have to realize that with the F5 you need to create a listener, which means you will need to create a VIP. And you will need to have two of them: one for traffic from your end and the other for traffic coming from the other end. A VIP works as a listener; you can also restrict the ports you want to allow and so forth. Hope this explains it.
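Putting the three-virtual-server layout from the replies above (two forwarding VIPs for the tunnel subnets, plus a catch-all with SNAT for Internet access) into configuration form. This is an added example and is not part of the original posts or of F5's published guide. It uses the 192.168.0.0/20 and 10.10.0.0/20 subnets from the thread; the object names (vs_ipsec_a_to_b, vs_ipsec_b_to_a, vs_internet_snat, ts_a_to_b, pol_to_b), the 10.10.2.7 test host and the `external` VLAN name are assumed, and the `net ipsec traffic-selector` property names are written as I understand the 11.x syntax and should be checked against the linked implementations guide before use. The stanzas are in the form `tmsh list` prints and `load sys config merge` accepts.

```tmsh
# Added example (not from the original thread). Site A BIG-IP, LAN 192.168.0.0/20;
# remote site B LAN 10.10.0.0/20. Object names and the test host are assumed.

# --- The configuration that leaked traffic to the Internet ---
# With only a single 0.0.0.0/0 forwarding virtual carrying SNAT, every flow from the
# servers, including flows bound for 10.10.0.0/20, matches it, gets its source
# translated, and is routed out the default gateway instead of being handed to the
# IPsec traffic selector. Removing SNAT fixed the tunnel and broke Internet access.
#
#   ltm virtual vs_internet_snat {
#       destination 0.0.0.0:any
#       ip-forward
#       ip-protocol any
#       mask any
#       profiles { fastL4 { } }
#       source 0.0.0.0/0
#       source-address-translation { type automap }
#       translate-address disabled
#       translate-port disabled
#   }

# --- Fix: more-specific forwarding virtuals for the tunnel subnets, no SNAT ---
# BIG-IP selects the virtual with the most specific destination address first, so
# these two win over the catch-all for tunnel traffic. Ports/protocols are wide open
# here for testing, as the thread suggests; tighten them at the virtual afterwards.
ltm virtual vs_ipsec_a_to_b {
    destination 10.10.0.0:any
    ip-forward
    ip-protocol any
    mask 255.255.240.0
    profiles {
        fastL4 { }
    }
    source 192.168.0.0/20
    translate-address disabled
    translate-port disabled
}

ltm virtual vs_ipsec_b_to_a {
    destination 192.168.0.0:any
    ip-forward
    ip-protocol any
    mask 255.255.240.0
    profiles {
        fastL4 { }
    }
    source 10.10.0.0/20
    translate-address disabled
    translate-port disabled
}

# Catch-all for Internet access, with SNAT. Only flows that matched neither tunnel
# virtual land here now, so nothing destined for site B is translated.
ltm virtual vs_internet_snat {
    destination 0.0.0.0:any
    ip-forward
    ip-protocol any
    mask any
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
}

# Traffic selector with no port restriction (ports are enforced at the virtual).
# Property names assumed; the IKE peer and ipsec-policy pol_to_b come from the guide.
net ipsec traffic-selector ts_a_to_b {
    destination-address 10.10.0.0/20
    ipsec-policy pol_to_b
    source-address 192.168.0.0/20
}

# Verification while pinging a site-B host from site A (run from tmsh / bash):
#   tcpdump -nni 0.0 host 10.10.2.7 and icmp        # which virtual the flow hits
#   tcpdump -nni external esp                        # ESP, not cleartext, leaving the WAN side
#   show sys connection cs-server-addr 10.10.2.7     # no SNAT address on the server side
```

The check that matters after the change is the second tcpdump: if the ICMP to 10.10.2.7 is still visible in cleartext on the external VLAN with a SNAT address as its source, the catch-all is still winning, which usually means one of the tunnel virtuals has the wrong mask or is disabled on the internal VLAN.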