Forum Discussion

Philippe_Page_2
Oct 17, 2016

Establishing IPsec between F5 Big-IP and Juniper

Good day,

I was trying to configure IPsec between our equipment (F5 BIG-IP) and the other party's (Juniper) at our client. However, I can't seem to connect the two. I'm using the IPsec Diagnostics as an indicator of whether the Traffic Selector was able to pass incoming and outgoing requests. Unfortunately, I can't seem to get an Up tunnel state.

Attached is my configuration on our end of the IPsec. (We don't have any control or jurisdiction over how the Juniper device is configured.)

The goal is to let the two end users communicate with each other. Our client wants to allow only a point-to-point connection, which restricts us from using the whole IP block to which each specific IP address belongs.

Attached is the Network Diagram:

Also here is the Traffic Selector used for the IPsec:

A forwarding virtual server was also created with the following configuration:

I would appreciate your help, guys, since this is a time-sensitive task. Thanks in advance.

 

9 Replies

  • First we'll need to know where it is failing.

    Do you have any kind of traffic captures that prove Layer 2/3 connectivity end to end?

     

  • From our end (10.4.4.101) we can ping the F5 BIG-IP gateway, and also the management IP of the Juniper device and the other end device. However, I'm not sure if I'm pinging the correct device, since when I check the IPsec Diagnostics on the F5 it shows that the tunnel selector is Down.

     

     

    I have also established IPsec between two F5 BIG-IP units connecting two endpoints using inter-VLAN on two different data centers, but I still have little knowledge of how to troubleshoot this kind of scenario, since it's new to me. I just copied the working IPsec (IPsec between two F5 units) and applied it to this situation. Thank you for responding.

     

  • If your source is really a 10.x address, you will need to enable NAT Traversal. I suspect your peer does not route RFC 1918 space back to you via an IPsec tunnel.

     

    • Philippe_Page_2:

      We enabled SNAT on the VLAN where the 10.4.4.101 IP is located. If that's the case, I'll try to inform the other end if they're configured with RFC 1918. Any other suspicions as to why IPsec won't establish between the two devices?

       

    • Philippe_Page_2:

      I can't see the other end when issuing the commands racoonctl -l show-sa isakmp and racoonctl -l1 show-sa internal.

       

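The poster's own configuration, network diagram, traffic selector and virtual server were attachments that are not reproduced on this page. The following is an added illustration (not the poster's configuration and not F5 or Juniper documentation) of what a point-to-point BIG-IP IPsec setup of the kind discussed in the thread looks like as a bigip.conf-style fragment that can be loaded with tmsh load sys config merge from-terminal. Only 10.4.4.101 comes from the thread; the outer addresses 192.0.2.1 (BIG-IP) and 198.51.100.1 (Juniper), the remote host 172.16.10.20, the object names, the VLAN name and the pre-shared key are placeholders. Property names follow the net ipsec ike-peer, ipsec-policy and traffic-selector objects of BIG-IP 11.x/12.x; verify them against the tmsh reference for the version in use, and agree the phase 1/phase 2 proposals with the Juniper side rather than taking the ones shown here. It puts together the two points raised in the replies: nat-traversal is enabled on the IKE peer, and the selector is a /32 on each side so the tunnel carries only the one host pair the client allows.

```tmsh
# Added example: point-to-point IPsec from a BIG-IP to a Juniper peer.
# All addresses except 10.4.4.101, all names and the PSK are placeholders.

# IKE phase 1. nat-traversal on lets IKE switch to UDP/4500 when a NAT sits
# between the peers (the earlier reply's concern for a 10.x source).
net ipsec ike-peer juniper_peer {
    remote-address 198.51.100.1
    version { v1 }
    mode main
    my-id-type address
    my-id-value 192.0.2.1
    peers-id-type address
    peers-id-value 198.51.100.1
    phase1-auth-method pre-shared-key
    preshared-key REPLACE-WITH-THE-AGREED-PSK
    phase1-encrypt-algorithm aes256
    phase1-hash-algorithm sha256
    phase1-perfect-forward-secrecy modp2048
    nat-traversal on
    dpd-delay 30
}

# IKE phase 2 / ESP in tunnel mode between the outer (public) addresses.
net ipsec ipsec-policy juniper_policy {
    mode tunnel
    protocol esp
    tunnel-local-address 192.0.2.1
    tunnel-remote-address 198.51.100.1
    ike-phase2-encrypt-algorithm aes256
    ike-phase2-auth-algorithm sha256
    ike-phase2-perfect-forward-secrecy modp2048
}

# Traffic selector: one host to one host (/32 both ways), the point-to-point
# scope the client asked for instead of the whole IP block. The Juniper side
# must present matching proxy IDs or phase 2 will not come up.
net ipsec traffic-selector juniper_ts {
    action protect
    direction both
    order 0
    source-address 10.4.4.101/32
    destination-address 172.16.10.20/32
    ipsec-policy juniper_policy
}

# Forwarding virtual server that accepts the host's packets on the inside
# VLAN and routes them into the tunnel. Address translation stays disabled:
# if SNAT rewrote the source, the packet would no longer match the /32 selector.
ltm virtual ipsec_fwd_vs {
    destination 172.16.10.20:any
    mask 255.255.255.255
    source 10.4.4.101/32
    ip-forward
    ip-protocol any
    profiles { fastL4 { } }
    translate-address disabled
    translate-port disabled
    vlans-enabled
    vlans { internal }
}
```

Two checks a practitioner would run before asking the peer to look at their side. First, confirm IKE actually leaves the box and gets an answer: from the BIG-IP bash shell, tcpdump -ni 0.0 'udp port 500 or udp port 4500' while 10.4.4.101 sends traffic to the remote host. No outbound UDP/500 means the packet never matched the selector (typically because the forwarding virtual server did not pick it up, or a SNAT changed the source first); outbound packets with no reply point at the peer or at something between the two filtering UDP/500 and UDP/4500. Second, if phase 1 appears in racoonctl -l show-sa isakmp but racoonctl -ll show-sa internal and tmsh show net ipsec ipsec-sa show no phase 2 SA, the proposals or proxy IDs disagree; a Juniper SRX route-based VPN, for instance, offers 0.0.0.0/0 proxy IDs by default, which a /32 selector on the BIG-IP will not accept, so the Juniper side needs explicit proxy IDs for the same host pair.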