IPSEC VPN through F5

Question

Hello Folks,&nbsp;
Trying to set up routed base IPSEC VPN between F5 and 3rd party(Cisco) device. Was going through document https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-6-0/18.html. have below concerns.&nbsp;
1)L3 Forwarding Virtual Server -&gt; is it required and what should be set at the Destination address ? - is it really a 0.0.0.0 ?  Will this affect our production traffic ?
2)What are the kind of configurations available when creating such tunnel in cluster mode ?
How do we specify this IPSEC tunnel to be in the floating traffic group ?  So that the configuration will be synced to the standby.  Can the standby also establish its individual tunnel to the remote peer ?
3)For the IPSEC tunnel IP,  should we specify using its floating self-IP or its static self-IP ?&nbsp;

In the Local Address field, type the IP address of the BIG-IP system.
4)Any manual intervention required to bring up the tunnel when the unit is failover to standby ?&nbsp;

Regards,
Anoop&nbsp;

tikka_nagi_1315 · Answer

Anoop,&nbsp;
I would recommend you start with this series:
https://www.youtube.com/watch?v=NfVdC9cOjQ0
and let me know if there still answered questions afterward.&nbsp;
thanks,
Tikka&nbsp;

boneyard · Answer

1) you don't need 0.0.0.0/0 but that is the easy example F5 uses in all documentation. if the remote subnet is 10.10.10.0/24 you can use that? you can also filter on source if you want. this virtual server is used to pick up the traffic for the VPN. so you can modify it based on that. as long as you don't have a forwarding virtual server with the same destination you are fine.&nbsp;
2) instead of four almost identical sections in the documentation this would be actually interesting to document. im afraid you will be on your own here. i expect most of the configuration is synced, although, it is networking config ... sorry don't have a cluster available to quickly test. i would set it up with as much use of floating IPs and see if that works out.&nbsp;
3) and 4) see above, try first to make it work on one BIG-IP then check how the failover behaviour is.&nbsp;
PS: could you please change your first post to remove the sudden indentation at the end?&nbsp;

Forum Discussion

IPSEC VPN through F5

2 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

Understanding IPSec IKEv2 negotiation on Wireshark

Understanding IPSec IKEv1 negotiation on Wireshark

Crafting Secure Paths: The Intricacies of VPN Solutions on BIG-IP APM

Passthrough IPSec with AFM

Bgp inside ipsec tunnel