SSL Layer2 bridge in F5

Hi. Can I define an SSL bridge at layer 2 in a certain way? I need the F5 to be inline: ingress traffic from the client side comes to the F5, and the F5 egresses this traffic with low ciphers, without changing the layer 3 IP.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

And if I want to create a layer 2 transparent between routing devices, how can I do that?

Sure, and you have a few options.

In the first and third options, F5 is still a full proxy, but the nexthop allows it to mirror L2 headers on both sides. But perhaps the most robust option would be to deploy SSL Orchestrator, which would configure an L2 solution for you.

Comments on this Answer
Comment made 5 months ago by igorzhuk 69

In all these options, can I use low ciphers on the server side? I have an i7800 in vCMP and I want to add a new vCMP guest to do an SSL bridge between the client and server side, configured with low ciphers on the server side.

Now we have 12.1.2, but in a few weeks we migrate to 13.1.1. What is the best way for me? I think it is transparent nexthop, yes?

0
Comment made 5 months ago by Kevin Stewart

Virtual Wire doesn't work in a vCMP guest, so that option is out. So transparent nexthop is probably your best bet when you get to 13.0, and the above link shows you how to set it up with an inspection device in the middle. This also assumes that the F5 is doing explicit decryption and re-encryption, and can therefore manage the TLS properties on each side.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can pass traffic through the BIG-IP, without changing layer 3 addresses, and without being in a layer 2 mode. The primary difference here is whether or not traffic routes through the F5, or the F5 is layer 2 transparent between routing devices.

To do layer 3 (routed) mode without changing the IP addresses,

  • Create a wildcard VIP (0.0.0.0/0:443)
  • Disable address translation in the VIP
  • Don't use SNAT in the VIP

You can use a pool or simply define a gateway route. Your client-side route would then need to be the F5's client-side VLAN self-IP. So client-side traffic routes through the BIG-IP, and no addresses change.

It's also worth noting that a source address is always left untouched unless SNAT is applied. The above prevents changing the destination address.

Comments on this Answer
Comment made 5 months ago by igorzhuk 69

And if I want to create a layer 2 transparent between routing devices, how can I do that?

Comment made 4 months ago by igorzhuk 69

Hi Kevin, I need the F5 to be between two routers or security devices and do an SSL bridge: on the client side the F5 will be with DH ciphers, and without DH ciphers to the server side. I need only create a VLAN group with a VS on 0.0.0.0 for forwarding and a VS on 0.0.0.0:443 with SSL profiles, yes?

Are there any KB articles or instructions on how to configure it?

Comment made 4 months ago by Kevin Stewart

You said earlier that you were using an i7800 vCMP guest, in which case Virtual Wire won't work. The Transparent Nexthop option made available in 13.1 requires either SSLO, DHD or AFM.

The alternative for a "pseudo" L2 mode is an iRule:

when FLOW_INIT {
    # Capture the destination MAC of the first client-side packet
    set this_conn [DATAGRAM::l2 dest]
}
when CLIENT_ACCEPTED {
    # Send the server-side connection out the outbound VLAN to that same MAC
    nexthop external-vlan ${this_conn}
}

where "external-vlan" is the name of your outbound VLAN. This would only work in one direction, so you'd need separate inbound and outbound VIPs if you needed bidirectional traffic. The iRule, which requires 13.1, essentially grabs the destination MAC address from the client side and inserts it into the server side connection. The VIP would be a simple wildcard 0.0.0.0/0:0 with address and port translation disabled.

As for handling SSL, just use normal client and server SSL profiles. They can have separate properties, so you could have a client SSL profile that supports DH ciphers, and a server SSL profile that doesn't.

Comment made 4 months ago by igorzhuk 69

If I configure that, do I need to change routing? For example, now I have a router and an IPS. If I need to deploy that between the 2 devices, do I need to change the routing?

Comment made 4 months ago by Kevin Stewart

No, you're still going to create a VLAN group in this configuration. The VLAN group is there to create a (switched) path for ARP and routing protocols, and the wildcard TCP VIP is there to catch TCP traffic. The TCP wildcard VIP listens on all IPs, and port 443, with address and port translation disabled, and the above iRule catches the source-side destination MAC and inserts it into the server-side packets to create a "pseudo" layer 2 environment.

You'll also need the following DB value to allow traffic to flow to a TCP VIP in the presence of a VLAN group:

tmsh modify sys db vlangroup.forwarding.override value disable
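Kevin's last two comments assembled into one tmsh configuration, as an added, constructed example that is not from the thread: the VLAN, VLAN group, profile, iRule and virtual server names and the interface numbers are assumptions; only the iRule body and the DB key come from the comments above.

```tmsh
# Constructed example; object names and interface numbers are assumptions.
# Client-facing VLAN (toward the router) and server-facing VLAN (toward the IPS)
create net vlan internal-vlan interfaces add { 1.1 }
create net vlan external-vlan interfaces add { 1.2 }

# VLAN group gives ARP and routing protocols a switched path through the BIG-IP,
# so neither neighbour's routing has to change
create net vlan-group bridge-vg members add { internal-vlan external-vlan } mode transparent

# Separate TLS policy per leg: client side keeps DH/ECDHE key exchange,
# server side excludes DHE (as requested above; that leg then has no
# forward secrecy from DHE, so keep it confined to the trusted segment)
create ltm profile client-ssl clientssl-dh defaults-from clientssl ciphers "DEFAULT"
create ltm profile server-ssl serverssl-nodh defaults-from serverssl ciphers "DEFAULT:!DHE"

# The "pseudo" L2 iRule from the comment above (requires 13.1):
# reuse the client-side destination MAC on the server-side connection
create ltm rule pseudo-l2-nexthop {
when FLOW_INIT {
    set this_conn [DATAGRAM::l2 dest]
}
when CLIENT_ACCEPTED {
    nexthop external-vlan ${this_conn}
}
}

# Wildcard TCP VIP on port 443, client VLAN only, no address/port translation
# and no SNAT, so layer 3 addresses are preserved end to end
create ltm virtual vs-ssl-bridge destination 0.0.0.0:443 mask any ip-protocol tcp \
    vlans add { internal-vlan } vlans-enabled \
    translate-address disabled translate-port disabled \
    source-address-translation { type none } \
    profiles add { tcp { } clientssl-dh { context clientside } serverssl-nodh { context serverside } } \
    rules { pseudo-l2-nexthop }

# Allow the VIP to catch traffic even though a VLAN group is bridging the VLANs
modify sys db vlangroup.forwarding.override value disable
save sys config
```

Verify the bridge with `show net vlan-group bridge-vg` and the decrypting VIP with `show ltm virtual vs-ssl-bridge`; a non-zero connection count on the VIP with the DB key set confirms port 443 is being proxied rather than switched.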