mr_evil_116524 (Nimbostratus)
This is now fixed.
After spending some time with F5 support we found the issue and resolved it.
For future reference, users can follow the guide http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-1/14.html to set up an IPSEC tunnel either between F5s or to any 3rd-party hardware firewall.
mr_evil_116524 (Nimbostratus), Nov 12, 2013
Man, this was a mission to get working; to be honest it was very simple... now that I have, what, 3 different IPSEC tunnels.
I take it you have created a Peer list, a Traffic Selector List and an IPsec Policy List? Have you also created forwarding VIPs? You should have two forwarding VIPs, one for IN and the other for OUT.
DO NOTE that when you are in the Traffic Selector List, do not specify any port; just allow all ports. You will control ports at the VIP level.
Let me explain the VIPs.
Say your F5 A has an internal subnet of 192.168.0.0/20 and F5 B has 10.10.0.0/20. You create one VIP where the source is 192.168.0.0/20 and the destination is 10.10.0.0/20, and you create another VIP where the source is 10.10.0.0/20 and the destination is 192.168.0.0/20. All these VIPs will be forwarding VIPs. Allow *All Ports and *All Protocols (for testing, of course).
Once you have all these in place, I would suggest you try to ping from site A to site B and, at the same time, go to your site A F5 and run the following command: tcpdump -nni 0.0 host and icmp - this will tell you which VIP it is using.
Let me know how you go with this.
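To make the layout in the reply above concrete, here is an added example (my own code, not the poster's and not F5 configuration) that models the two subnet-to-subnet traffic selectors and the two forwarding VIPs, then runs constructed tcpdump -nn style lines through them to show which direction each packet takes. The subnets are the ones from the post; all host addresses, the VIP and selector names, and the log lines are constructed. It also goes one step beyond the post: besides the "all ports, all protocols" test VIPs, it shows a locked-down VIP pair that only forwards ICMP and TCP/22, so you can see why the selector stays port-agnostic while the VIP does the port control.

```python
"""Model of the two-direction forwarding-VIP layout described in the post (added example)."""
import re
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from the post; everything else below is constructed for the example.
SITE_A = ipaddress.ip_network("192.168.0.0/20")
SITE_B = ipaddress.ip_network("10.10.0.0/20")
ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str               # "icmp", "tcp", "udp" or "other"
    dst_port: Optional[int]  # None for ICMP


@dataclass(frozen=True)
class TrafficSelector:
    """IPsec traffic selector: subnet to subnet only, no ports (as the post advises)."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, p: Packet) -> bool:
        return p.src in self.src and p.dst in self.dst


@dataclass(frozen=True)
class ForwardingVIP:
    """Forwarding virtual server: same subnets, plus the port/protocol restriction."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocols: frozenset = frozenset({ANY})
    ports: frozenset = frozenset({ANY})   # destination ports, applied to TCP/UDP only

    def matches(self, p: Packet) -> bool:
        if not (p.src in self.src and p.dst in self.dst):
            return False
        if ANY not in self.protocols and p.proto not in self.protocols:
            return False
        if p.proto in ("tcp", "udp") and ANY not in self.ports and p.dst_port not in self.ports:
            return False
        return True


# One selector per direction, no ports, exactly as the post recommends.
SELECTORS = [TrafficSelector("ts_a_to_b", SITE_A, SITE_B),
             TrafficSelector("ts_b_to_a", SITE_B, SITE_A)]

# "All ports, all protocols" pair for testing, as in the post.
TEST_VIPS = [ForwardingVIP("vs_fwd_a_to_b", SITE_A, SITE_B),
             ForwardingVIP("vs_fwd_b_to_a", SITE_B, SITE_A)]

# Locked-down pair (beyond the post): A->B only ICMP and TCP/22, B->A only ICMP.
LOCKED_VIPS = [ForwardingVIP("vs_fwd_a_to_b", SITE_A, SITE_B,
                             frozenset({"icmp", "tcp"}), frozenset({22})),
               ForwardingVIP("vs_fwd_b_to_a", SITE_B, SITE_A, frozenset({"icmp"}))]

# Matches the "IP src > dst: ..." part of a tcpdump -nn line; src/dst may carry ".port".
LINE_RE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)")


def _split_host(host: str):
    parts = host.split(".")
    if len(parts) == 5:  # a.b.c.d.port
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    return ipaddress.ip_address(host), None


def parse_tcpdump_line(line: str) -> Optional[Packet]:
    m = LINE_RE.search(line)
    if not m:
        return None
    src, _ = _split_host(m["src"])
    dst, dport = _split_host(m["dst"])
    rest = m["rest"]
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif rest.startswith("Flags"):
        proto = "tcp"
    elif rest.startswith("UDP"):
        proto = "udp"
    else:
        proto = "other"
    return Packet(src, dst, proto, dport)


def classify(p: Packet, selectors, vips):
    """Return (matching selector name, matching VIP name); None where nothing matches."""
    sel = next((s.name for s in selectors if s.matches(p)), None)
    vip = next((v.name for v in vips if v.matches(p)), None)
    return sel, vip


# Constructed sample capture lines in tcpdump -nn style (not real output).
SAMPLE_LINES = [
    "12:00:01.000001 IP 192.168.1.5 > 10.10.2.3: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.000500 IP 10.10.2.3 > 192.168.1.5: ICMP echo reply, id 7, seq 1, length 64",
    "12:00:02.000001 IP 192.168.1.5.51000 > 10.10.2.3.22: Flags [S], seq 1, win 64240, length 0",
    "12:00:03.000001 IP 192.168.1.5.51001 > 10.10.2.3.3389: Flags [S], seq 1, win 64240, length 0",
    "12:00:04.000001 IP 172.16.0.9 > 10.10.2.3: ICMP echo request, id 8, seq 1, length 64",
]


def classify_lines(lines, vips=TEST_VIPS):
    out = []
    for line in lines:
        p = parse_tcpdump_line(line)
        if p is not None:
            out.append(classify(p, SELECTORS, vips))
    return out


if __name__ == "__main__":
    for label, vips in (("testing VIPs", TEST_VIPS), ("locked-down VIPs", LOCKED_VIPS)):
        print(label)
        for line, (sel, vip) in zip(SAMPLE_LINES, classify_lines(SAMPLE_LINES, vips)):
            print(f"  {line.split(' IP ')[1][:40]:<40} selector={sel} vip={vip}")
```

With the testing pair every packet inside the two subnets is forwarded in the right direction and the 172.16.0.9 source matches nothing; with the locked-down pair the RDP attempt still matches the selector (the tunnel would carry it) but no VIP, which is the "control ports at the VIP level" point.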