Hi, this F5 article describes how to configure the F5 side of it on an IPSec tunnel between an F5 and a third party [Cisco ASA device]: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-4-0/19.html It says that the Virtual Server will have 0.0.0.0 IP address, and listening on All ports. My question is: If I configure that on the external VLAN of my F5 where I have more VSs on that VLAN, Will not that "All-the-IPs" [0.0.0.0] gobble up any traffic coming in to the F5 from the front end? What about replies to ARP? will it not mess up any ARP request, replying with ARP saying the F5 is what other server means to be?

I don't recommend using a wildcard virtual server to handle IPsec traffic because of the security implications. It's better to create a Virtual Server that handles the specific private subnets. You might have to create a Virtual Server for each direction, otherwise traffic cannot be established in both directions unless your local and remote private networks were both in 10.0.0.0/8 for example, then in that case one VS can cover traffic being established in both directions. In the two Virtual Server scenario, one needs to listen on the internal side VLAN and the other needs to listen on the public side VLAN. In the one Virtual Server scenario, for bi-directional connection establishment, it needs to listen on both the internal and external side VLANs. Remember that the Virtual Server does not actually handle the IPsec (ISAKMP and ESP) it handles the private network traffic.

I am absolutely agree with the security concerns of using a Wildcard VS and listening on all ports, but it is F5 who published it officially in their deployment guide: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-tmos-tunnels-ipsec-13-1-0/10.htmlguid-4a5c2cee-039b-489f-9d78-3e0708491c67 Is there any light guide of how to do it with specific VSs, listening on specific IP Addresses, what port or range of ports will be needed? where to configure those VSs [frontend, backend]?

Getting a solution working with a wide open Virtual Server is a reasonable plan as a first step in working on the configuration, but after implementation is shown to work, the Virtual Server could be locked down to match traffic-selectors as tightly as possible. Outside of matching the inner (private) IPsec traffic, a wildcard Virtual Server may be handling completely unexpected types of traffic, unrelated to the IPsec traffic. Here's a config example of configuring two BIG-IPs, each with two Virtual Servers for one specific tunnel. Assume the tunnel is between 10.20.131.0/24 <-> 10.10.131.0/24. bigip1 tmsh create ltm virtual ipsec-131-encap { destination 10.20.131.0:any ip-forward mask 255.255.255.0 source 10.10.131.0/24 profiles add { fastL4 { } } vlans add { vlan_internal } vlans-enabled } bigip2 tmsh create ltm virtual ipsec-131-decap { destination 10.20.131.0:any ip-forward mask 255.255.255.0 source 10.10.131.0/24 profiles add { fastL4 { } } vlans add { vlan_external } vlans-enabled } At this point note, if a flow was initiated by the host on bigip2 to the host on bigip1, the connection would not work. On bigip2, the flow will not match any existing connection and there is no Virtual Server listening to this traffic 10.20.131.1 -> 10.10.131.1. So it is necessary to make a second Virtual Server on both BIG-IP devices to facilitate two-way traffic initiation. bigip1 tmsh create ltm virtual ipsec-131-decap { destination 10.10.131.0:any ip-forward mask 255.255.255.0 source 10.20.131.0/24 profiles add { fastL4 { } } vlans add { vlan_external } vlans-enabled } bigip2: Add encapsulating-side side Virtual Server bigip2 tmsh create ltm virtual ipsec-131-encap { destination 10.10.131.0:any ip-forward mask 255.255.255.0 source 10.20.131.0/24 profiles add { fastL4 { } } vlans add { vlan1555 } vlans-enabled } One final note, not all types of virtual servers and not all types of profiles will work for IPsec traffic. Stick with the ip-forward.

On "IPsec traffic selector", I have three local Networks like: 10.15.93.0/24, 10.15.60.0/24 and 10.15.87.0/24 on the "Source IP Address or CIDR" but just one on the "Destination IP Address or CIDR" That means three traffic selectors or can I combine all the source IP Addresses in one line and one traffic selector? The default value for Order setting is "Last" on the F5, but "First" on the F5 deployment guide, How to marry them up?

You could create a "10.15.0.0/16" <-> "remote net" selector, or three separate ones if you wish. The Virtual Server approach would be the same. The "order" parameter no longer has any meaning, so it doesn't matter what you put there. You could probably use a /17 netmask if you wanted to be really clever. $ ipcalc 10.15.0.0/17 Address: 10.15.0.0 00001010.00001111.0 0000000.00000000 Netmask: 255.255.128.0 = 17 11111111.11111111.1 0000000.00000000 Wildcard: 0.0.127.255 00000000.00000000.0 1111111.11111111 => Network: 10.15.0.0/17 00001010.00001111.0 0000000.00000000 HostMin: 10.15.0.1 00001010.00001111.0 0000000.00000001 HostMax: 10.15.127.254 00001010.00001111.0 1111111.11111110 Broadcast: 10.15.127.255 00001010.00001111.0 1111111.11111111 Hosts/Net: 32766 Class A, Private Internet

IPSec on F5-Cisco | DevCentral

11 Replies

zeiss_63263
Historic F5 Account
Jul 18, 2018
I don't recommend using a wildcard virtual server to handle IPsec traffic because of the security implications.

It's better to create a Virtual Server that handles the specific private subnets. You might have to create a Virtual Server for each direction, otherwise traffic cannot be established in both directions unless your local and remote private networks were both in 10.0.0.0/8 for example, then in that case one VS can cover traffic being established in both directions.

In the two Virtual Server scenario, one needs to listen on the internal side VLAN and the other needs to listen on the public side VLAN. In the one Virtual Server scenario, for bi-directional connection establishment, it needs to listen on both the internal and external side VLANs.

Remember that the Virtual Server does not actually handle the IPsec (ISAKMP and ESP) it handles the private network traffic.
- a_basharat
  Nimbostratus
  Jul 19, 2018
  I am absolutely agree with the security concerns of using a Wildcard VS and listening on all ports, but it is F5 who published it officially in their deployment guide: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-tmos-tunnels-ipsec-13-1-0/10.htmlguid-4a5c2cee-039b-489f-9d78-3e0708491c67
  
  Is there any light guide of how to do it with specific VSs, listening on specific IP Addresses, what port or range of ports will be needed? where to configure those VSs [frontend, backend]?
- zeiss_63263
  Historic F5 Account
  Jul 19, 2018
  Getting a solution working with a wide open Virtual Server is a reasonable plan as a first step in working on the configuration, but after implementation is shown to work, the Virtual Server could be locked down to match traffic-selectors as tightly as possible. Outside of matching the inner (private) IPsec traffic, a wildcard Virtual Server may be handling completely unexpected types of traffic, unrelated to the IPsec traffic.
  
  Here's a config example of configuring two BIG-IPs, each with two Virtual Servers for one specific tunnel. Assume the tunnel is between 10.20.131.0/24 <-> 10.10.131.0/24.
  
  bigip1
  
  tmsh create ltm virtual ipsec-131-encap { destination 10.20.131.0:any ip-forward mask 255.255.255.0 source 10.10.131.0/24 profiles add { fastL4 { } } vlans add { vlan_internal } vlans-enabled }
  
  bigip2
  
  tmsh create ltm virtual ipsec-131-decap { destination 10.20.131.0:any ip-forward mask 255.255.255.0 source 10.10.131.0/24 profiles add { fastL4 { } } vlans add { vlan_external } vlans-enabled }
  
  At this point note, if a flow was initiated by the host on bigip2 to the host on bigip1, the connection would not work. On bigip2, the flow will not match any existing connection and there is no Virtual Server listening to this traffic 10.20.131.1 -> 10.10.131.1. So it is necessary to make a second Virtual Server on both BIG-IP devices to facilitate two-way traffic initiation.
  
  bigip1
  
  tmsh create ltm virtual ipsec-131-decap { destination 10.10.131.0:any ip-forward mask 255.255.255.0 source 10.20.131.0/24 profiles add { fastL4 { } } vlans add { vlan_external } vlans-enabled } bigip2: Add encapsulating-side side Virtual Server
  
  bigip2
  
  tmsh create ltm virtual ipsec-131-encap { destination 10.10.131.0:any ip-forward mask 255.255.255.0 source 10.20.131.0/24 profiles add { fastL4 { } } vlans add { vlan1555 } vlans-enabled }
  
  One final note, not all types of virtual servers and not all types of profiles will work for IPsec traffic. Stick with the ip-forward.
- a_basharat
  Nimbostratus
  Jul 19, 2018
  On "IPsec traffic selector", I have three local Networks like:
  
  10.15.93.0/24, 10.15.60.0/24 and 10.15.87.0/24 on the "Source IP Address or CIDR" but just one on the "Destination IP Address or CIDR"
  
  That means three traffic selectors or can I combine all the source IP Addresses in one line and one traffic selector?
  
  The default value for Order setting is "Last" on the F5, but "First" on the F5 deployment guide, How to marry them up?

Forum Discussion

IPSec on F5-Cisco

11 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Unify Visibility with F5 ACI ServiceCenter in Cisco ACI and F5 BIG-IP Deployments

Deploying F5 Distributed Cloud (XC) Services in Cisco ACI - Layer Three Attached Deployment

Deploying F5 Distributed Cloud (XC) Services in Cisco ACI - Layer Two Attached Deployment

F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Options

Understanding IPSec IKEv2 negotiation on Wireshark