Forum Discussion

Daniel_Kopfenst
Sep 26, 2012

F5 3900 LTM and outbound ipsec problem

Hi all,

I have some trouble with the configuration of IPsec tunnels on our BIG-IP 3900 LTM (v11 HF2).

Setup:

Lan1 <-> Firewall <-> Internet <-> F5 LTM 3900 <-> internal Lan <-> Firewall <-> LAN2

I managed to connect two different firewalls with the BIG-IP, and the tunnel works fine when the traffic is initiated from Lan1. When I try to initiate a connection from Lan2 to Lan1, the BIG-IP doesn't establish an IPsec tunnel.

The IPsec traffic selector configuration should be fine, but it seems that it's not routing the traffic through the IPsec tunnel.

Source IP Address: LAN2

Destination IP Address: LAN1

All Ports and Protocols enabled

Direction: Both

Action: Protect

No NAT on Firewall

Any idea?

Thx,

Daniel

 

7 Replies

  • Hi dankopfe, you have two virtual servers.

    1 VS (PublicIP) port 0 Performance L4 VLAN internal

    2 VS (PublicIP) port 500 Performance L4 VLAN internal

  • Hi Cholito,

    I have just 1 VS (Forwarding IP - fastL4) listening on all ports and protocols and also on all VLANs (internal and external should be enough), but I will harden it afterwards, once I manage to get outgoing IPsec working.

    Basically I followed this howto:

    Manual Chapter: Configuring IPsec between a BIG-IP System and a Third-Party Device

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-0/11.html?sr=24146242
  • Hi,

    So did you manage to make it work, or are you still facing the problem?
  • I have a similar config working. Outbound is fine; actually, two-way communication is just fine. As stated in my other post, 11.4 gave me issues but 11.5.1 is fine.

    I actually have my LTM behind a Cisco 2821 router performing NAT out of my home lab, connecting via IPsec to my work office. local_lan LTM <-> 2821 (internet) 2901 <-> local_lan

    The local_lan is also where my pool members reside. I just used a laptop with static routes to test, but it is working fine.

    Does phase 2 look good on both ends? Did you check the ACL/rulebase/policy on the firewall? What kind of firewall is it?

  • Has anyone managed to get this working? I am having the same issue (IPsec pass-through).
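For readers arriving at this thread, here is the tmsh equivalent of what the original post and Daniel's second reply describe: a traffic selector LAN2 -> LAN1 (both directions, action protect) plus a single Forwarding (IP) virtual server, in the order the linked manual chapter builds the objects (IKE peer, IPsec policy, traffic selector, forwarding VS), followed by the commands a practitioner would use to confirm that LAN2-initiated traffic actually triggers IKE. This is an added example, not configuration from the thread or from F5; the addresses (LAN1 192.0.2.0/24 behind peer firewall 198.51.100.1, LAN2 10.20.0.0/16, BIG-IP external self IP 203.0.113.10), object names and the pre-shared key are placeholders, and the attribute names follow the v11.x tmsh `net ipsec` syntax, so check them against `tmsh help net ipsec` on the release you run.

```tmsh
# --- Phase 1: IKE peer (assumed names/addresses; v11.x tmsh syntax) ---
# my-id-type/peers-id-type address: both sides identify by IP, no NAT in between.
create net ipsec ike-peer peer_fw_lan1 \
    remote-address 198.51.100.1 \
    version add { v1 } \
    my-id-type address peers-id-type address \
    phase1-auth-method pre-shared-key preshared-key "REPLACE_WITH_SECRET" \
    phase1-encrypt-algorithm aes128 phase1-hash-algorithm sha1 \
    phase1-perfect-forward-secrecy modp1024 \
    traffic-selector add { ts_lan2_to_lan1 }

# --- Phase 2: IPsec policy in tunnel mode between the two public addresses ---
create net ipsec ipsec-policy pol_lan2_lan1 \
    mode tunnel \
    tunnel-local-address 203.0.113.10 \
    tunnel-remote-address 198.51.100.1 \
    protocol esp \
    ike-phase2-encrypt-algorithm aes128 ike-phase2-auth-algorithm sha1 \
    ike-phase2-lifetime 1440

# --- Traffic selector: exactly the settings from the original post ---
# Source LAN2, destination LAN1, all ports/protocols, direction both, action protect.
create net ipsec traffic-selector ts_lan2_to_lan1 \
    source-address 10.20.0.0/16 \
    destination-address 192.0.2.0/24 \
    direction both \
    action protect \
    ipsec-policy pol_lan2_lan1

# --- Forwarding (IP) virtual server ---
# Cleartext from LAN2 enters on the internal VLAN, so the VS must be enabled
# there or the packets are dropped before a selector lookup ever happens.
# Restrict the destination to LAN1 rather than 0.0.0.0/0 once it works.
create ltm virtual vs_fwd_to_lan1 \
    destination 192.0.2.0:any mask 255.255.255.0 \
    ip-protocol any \
    ip-forward \
    profiles add { fastL4 } \
    vlans-enabled vlans add { internal }

save sys config

# --- Checks ---
# 1. Does IKE fire when a LAN2 host talks to LAN1? Watch the external VLAN for
#    IKE (UDP/500, UDP/4500 if NAT-T) and ESP while a LAN2 host pings LAN1.
run util bash -c "tcpdump -ni external host 198.51.100.1 and (udp port 500 or udp port 4500 or proto 50)"

# 2. Security associations: phase 2 SAs must exist for BOTH directions
#    (10.20.0.0/16 -> 192.0.2.0/24 and the reverse) for return traffic to decrypt.
show net ipsec ipsec-sa
# On newer releases the phase 1 state is also visible with:
show net ipsec ike-sa

# 3. Confirm the forwarding VS is actually counting the LAN2 -> LAN1 packets;
#    zero packets here means the VLAN/destination match is wrong, not the selector.
show ltm virtual vs_fwd_to_lan1
```

If the tcpdump shows no IKE attempt when LAN2 initiates, the packet never matched a protect selector: compare the VS hit counter first, then the selector addresses. If IKE completes but only one phase 2 SA is listed, compare the proxy IDs / subnets on the firewall side with the selector, since a mismatch there is the usual reason one direction works and the other does not.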