Forum Discussion

mr_evil_116524
Jun 01, 2013

Need Help : Setting up IPSEC between two big-IPs

Hello All,

I am trying to set up IPSEC between two big-IPs and I have followed the following documentation regarding IPSEC with big-IP:

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-1-0/10.html

But it doesn't seem to work. I cannot see anything in the racoon logs; also I have tried the following commands:

racoonctl -l show-sa isakmp, racoonctl -ll show-sa internal, racoonctl -l show-sa ipsec, tmsh show net ipsec-stat. None of them display anything, which means IPSEC is not up. I have also tried to put the logs to debug by doing the following: tmsh modify net ipsec ike-daemon ikedaemon log-level debug2. It still doesn't reveal anything unusual that I can see.

Also note that I have tried IPSEC in two different modes, tunnel and transport; none of them seem to work .....

Can someone please help me out with this?

Please let me know what you need from me to help me out with this issue .... according to the doc it is really simple, but it doesn't work.

Both big-ips are on 11.3 hf4 firmware.

Thanks in advance.

10 Replies

  • This is now fixed.

    After spending some time with f5 support we found the issue and resolved it.

    For future reference, users can follow the guide http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-1/14.html to set up an IPSEC tunnel either between F5s or with any 3rd-party hardware firewall.
    • Scottie_Cole_13
      What was the fix on this? I'm having the same problem and still working with support on it.
    • mr_evil_116524
      Man, this was a mission to get working; to be honest it was very simple.... now that I have what, 3 different IPSEC. I take it you have created a Peer list, Traffic Selector List and IPsec Policy List? Have you also created forwarding VIPs? You should have two forwarding VIPs, one for IN and the other for OUT. DO NOTE that when you are in the Traffic Selector List, do not specify any port; just allow all ports, you will control ports at the VIP level.

      Let me explain VIPs. Say your F5 A has internal IP 192.168.0.0/20 and F5 B has 10.10.0.0/20. You create one VIP where the source is 192.168.0.0/20 and the dest is 10.10.0.0/20, and you create another VIP where the source is 10.10.0.0/20 and the dest is 192.168.0.0/20. All these VIPs will be forwarding VIPs. Allow *All Ports and *All Protocols (for testing, of course).

      Once you have all these in place, I would suggest you try to ping from site A to site B and at the same time go to your site A F5 and run the following command: tcpdump -nni 0.0 host and icmp - this will tell you what VIP it is using. Let me know how you go with this.
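The setup described in the reply above, written out as tmsh commands as an added illustration; this is not the poster's configuration or the F5 guide's. Addresses are constructed (192.168.0.0/20 behind F5 A, 10.10.0.0/20 behind F5 B, 203.0.113.1 and 203.0.113.2 as the public tunnel endpoints), and the attribute names are from memory of the 11.x tmsh reference, so confirm them with `tmsh help net ipsec` and `tmsh help ltm virtual` on the installed version.

```tmsh
# Added example, run on F5 A; mirror the addresses on F5 B.
# Phase 1: IKE peer for F5 B's public address, pre-shared-key auth.
create net ipsec ike-peer peer_f5b remote-address 203.0.113.2 \
    phase1-auth-method pre-shared-key preshared-key "CHANGE-ME-PSK" \
    phase1-encrypt-algorithm aes128 phase1-hash-algorithm sha1

# Phase 2: ESP in tunnel mode between the two public endpoints.
create net ipsec ipsec-policy pol_f5b protocol esp mode tunnel \
    tunnel-local-address 203.0.113.1 tunnel-remote-address 203.0.113.2 \
    ike-phase2-encrypt-algorithm aes128 ike-phase2-auth-algorithm sha1

# Traffic selector: the two LAN ranges only, no port restriction.
# Ports are controlled on the forwarding virtual servers instead.
create net ipsec traffic-selector ts_a_to_b source-address 192.168.0.0/20 \
    destination-address 10.10.0.0/20 direction both ipsec-policy pol_f5b

# Forwarding virtual servers, one per direction; all ports and all
# protocols for testing, to be narrowed once the tunnel passes traffic.
create ltm virtual vs_fwd_a_to_b ip-forward ip-protocol any \
    source 192.168.0.0/20 destination 10.10.0.0:any mask 255.255.240.0 \
    translate-address disabled translate-port disabled \
    profiles add { fastL4 }
create ltm virtual vs_fwd_b_to_a ip-forward ip-protocol any \
    source 10.10.0.0/20 destination 192.168.0.0:any mask 255.255.240.0 \
    translate-address disabled translate-port disabled \
    profiles add { fastL4 }

save sys config

# Checks while a host behind F5 A pings 10.10.1.5 (constructed address):
show net ipsec-stat
show net ipsec ipsec-sa
# From bash on the same unit, to see which virtual server takes the flow:
#   tcpdump -nni 0.0 host 10.10.1.5 and icmp
```

If the ICMP shows up on the external interface unencrypted rather than inside ESP, the traffic selector or the forwarding virtual's source/destination ranges do not match the ping's addresses.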
    • Scottie_Cole_13
      I finally got the tunnel to come up, but the traffic is still trying to route out to the internet instead of over the IPSec tunnel. Any other ideas?