Forum Discussion

Ricardo_Raza_14
Apr 02, 2018

How can I do an IPSEC VPN

Hi, I need to do a VPN between F5 and Cisco ASA. I read some articles, but they said that I need to create a wildcard VS; however, I have ISP load balancing on the same device. Which considerations do I need to take?

 

I have the GTM and LTM modules

 

18 Replies

  • How many ISPs do you have? Does the F5 have different IPs for each ISP? Private/public? Do you want to use all ISPs for the VPN? Do you want the VPN to be able to start from both sides?

     

  • Hi, I ran into this situation, but I couldn't make it work. So I have to use a firewall behind the F5 as a peer. If you get the VPN working, please share your feedback.

     

  • zeiss_63263
    Historic F5 Account

    In principle, the BIG-IP will interoperate with ASA devices running current ASA software and a current TMOS version. It is frequently done in fact, but requires patience and sometimes assistance from F5 Support. IPsec is hard to wrap your head around.

     

    Both IKEv1 and IKEv2 are supported when bringing up BIG-IP tunnels to an ASA, although you really do want to be running the latest version of 13.1. For an ASA interop, right now I'd recommend starting with IKEv1. Disclaimer: Most vendor specific Vendor IDs are not supported by the BIG-IP.

     

    Unless you're configuring a BIG-IP in the Cloud (Azure/AWS/Google) then I recommend you configure your IPsec Policy (net ipsec ipsec-policy) to use "Tunnel" mode. Do not use "Interface" mode, it is more complex to configure and is useful only for very specific solutions. From the ASA's perspective it won't have a clue whether you've selected Interface or Tunnel mode and it is not part of the ISAKMP negotiation (tunnel setup).

     

    Following a guide like this should be fine: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-5-0/17.html

     

    It takes the assumption that you are configuring two BIG-IPs as peers, so just pretend that "BIG-IP B" is the ASA!

     

    That manual chapter is missing one important point. If you don't have a default route, or you have multiple gateways, you need to configure a static route for (1) the next-hop to the remote peer's public IP and (2) the next-hop to the remote peer's private network. If I recall correctly, the ASA has a similar requirement. The next-hop IP for both route (1) and (2) will be the same IP. Yes, you read me right, tell the BIG-IP that the route to the private network is via your ISP next-hop.

     

    Don't forget to enable NAT detection if either side is behind a NAT.

     

    • Ricardo_Raza_14

      Hi, I did the actions that you advised me, and the VPN established in all of its phases, but I can't do a ping between the networks, and I don't know how I need to encapsulate this traffic through the VPN.

       

    • zeiss_63263
      Historic F5 Account

      I recommend that you do not try pinging from the BIG-IP, in case that's what you are trying. PING from a host that is inside the local private network to the remote private network. In other words, the PING must be between two hosts that have IPs covered by a traffic-selector (tmsh list net ipsec traffic-selector).

       

      If you are pinging between two real hosts, then make sure that you have a Virtual Server that allows ICMP. If you have a wildcard (0.0.0.0:*) Virtual Server, then that will handle the traffic. There must be some Virtual Server that handles the private traffic, just like any other traffic. The Virtual Server needs to listen on at least the internal VLAN so that connections to the remote can be established from the BIG-IP side. If such a Virtual Server doesn't listen on the external VLAN then new connections coming from the remote (over IPsec) cannot be established. Remember that a Virtual Server configured to listen for a specific destination might not match both directions of a traffic-selector. Therefore you might find that you can only establish connections from the BIG-IP side but not establish connections from the remote side.

       

      Note: The Virtual Server does not handle IPsec or ISAKMP, only the private traffic.

       

      A few troubleshooting ideas:

       

      • Check that your Virtual Server(s) match the private traffic.
      • Double check that you have at least a default gateway, per what I wrote earlier.
      • You can tcpdump traffic on the BIG-IP of course, to see whether the inbound (PING) traffic is matching your selectors and look for ESP packets.
      • Use "tmsh show net ipsec traffic-selector" to see whether there are any packet counters on the traffic-selectors either IN or OUT.
      • In "tmsh show net ipsec ipsec-sa" you should see the SAs as being "mature" and not "larval" for example.
    • Ricardo_Raza_14

      Hi, it really is not clear to me. When I execute the command "tmsh show net ipsec ipsec-sa" it shows me the SAs as being "mature", but the part about the VS is not clear: do I have to do a special VS for the tunnel?

       

      On the private side behind the F5 I have the net 10.111.0.0/24, and on the other side behind a firewall I have 10.0.8.0/24, and I only have a VS for forwarding the traffic.

       

      About the ping: when I try it, it does not establish the tunnel, because the tracert shows me hops between internet and public IPs and does not show me only the IPs of the tunnel.

       

    • zeiss_63263
      Historic F5 Account

      The first screenshot indicates mature SAs and most importantly you have bytes registered on both the IN and OUT selector. Mature SAs means that the IPsec tunnel is up. Bytes on the IN and OUT SAs means that you even have bi-directional traffic happening over the tunnel.

       

      The second screenshot appears to have output from the racoon log at the top of the screen indicating that the IPsec-SA is established in both directions. This also supports the idea that the IPsec tunnel is up.

       

      The third screenshot is just a repeat of the second I think.

       

      From what I see, the problem is not to do with the tunnel itself because the tunnel is up and handling packets in both directions. Do you have AFM configured? AFM or packet filtering may be in the way. It's difficult for me to guess what could be going wrong, but you really need to look at tcpdump on the BIG-IP to look at the private flows and verify whether the BIG-IP is forwarding the private packets off the tunnel.

       

      Try a tcpdump filter similar to this:

       

      tcpdump -nni 0.0 net 10.0.8.0/24 and net 10.111.0.0/24

       

      That looks for any packets that match the selectors. Anything that matches this filter must be put into, or come out of the IPsec tunnel (according to your selector description earlier).

       

    • Ricardo_Raza_14

      Ok, really thanks, your answer was very helpful for me, but I don't have any AFM configured in the device, only the LTM and DNS modules. Now we are working with 2 Cisco ASAs, but on one side we changed the ASA to an F5; I will try to check with tcpdump to review the logs.

       

  • Ok, thanks for your help. Only one thing: I don't know if I have a misconfiguration about how to make the private remote network reachable from my device. Is this part done only with the traffic selectors, where I share all the addresses, or do I need to do something about routes or any other configuration? Because I am thinking about the problem, and I suppose that if I put the route to the link of my ISP, I put the networks out of my VPN.

     

    • zeiss_63263
      Historic F5 Account

      if I put the route to the link of my isp I put out the networks from my vpn

       

      That won't happen if the selectors are in place. If the traffic-selector does not match the private traffic then yes, it would be routed out to the internet. If the tunnel is down and the packets match the selector, then the BIG-IP will try to establish the tunnel and even if the tunnel fails to start the packets will not be routed out the internet.

       

      You mentioned earlier that you had a gateway pool and I think there could be a problem there if you're trying to use the pool. Like I say, it's too complicated to give specific advice without asking for data that you should not publish here, hence my recommendation to contact a partner or F5 support for analysis.
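      As an added illustration (not code from this thread, from F5 or from the BIG-IP), a small Python model of the decision order zeiss describes here and in the earlier routing and ping remarks: a packet is checked against the traffic-selectors first, and only a packet no selector covers is handed to the routing table and the ISP. The private networks are the ones in the thread; the ISP gateway, the BIG-IP self IP and the ASA public IP are constructed placeholders standing in for 190.x.x.1, 190.x.x.2 and the unnamed peer.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the decision order described in the thread: a packet is
# matched against the IPsec traffic-selectors first; only if no selector
# matches is it handed to the routing table (and so possibly to the ISP).
# Illustration only, not BIG-IP code. Public addresses are RFC 5737 placeholders.
TRAFFIC_SELECTORS = [
    # (local network, remote network); one selector covers OUT and IN directions
    (ip_network("10.111.0.0/24"), ip_network("10.0.8.0/24")),
]
ISP_GATEWAY = "198.51.100.1"                  # stands in for 190.x.x.1
BIGIP_SELF_IP = "198.51.100.2"                # stands in for 190.x.x.2
PEER_PUBLIC = ip_network("203.0.113.10/32")   # constructed ASA public IP
ROUTES = [
    # route (1): the peer's public IP, and route (2): the remote private
    # network, both via the same ISP next-hop, as the thread recommends
    (PEER_PUBLIC, ISP_GATEWAY),
    (ip_network("10.0.8.0/24"), ISP_GATEWAY),
    (ip_network("0.0.0.0/0"), ISP_GATEWAY),
]

def selector_match(src, dst):
    """Return "OUT" or "IN" if src->dst is covered by a selector, else None."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in TRAFFIC_SELECTORS:
        if s in local and d in remote:
            return "OUT"
        if s in remote and d in local:
            return "IN"
    return None

def next_hop(dst):
    """Longest-prefix match over ROUTES; None if nothing matches."""
    d = ip_address(dst)
    matches = [r for r in ROUTES if d in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def forward(src, dst):
    """What happens to a packet: tunnelled (ESP to the peer), sent in the clear, or dropped."""
    direction = selector_match(src, dst)
    if direction:
        # Route (2) is only consulted to find the next-hop for the ESP packet;
        # the private packet itself never leaves the BIG-IP in the clear.
        return f"tunnel {direction} via {next_hop(str(PEER_PUBLIC.network_address))}"
    gw = next_hop(dst)
    return f"clear via {gw}" if gw else "drop"
```

      Note that a ping sourced from the BIG-IP self IP lands in the "clear" branch, which is why the thread recommends pinging between two hosts inside the selector networks.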

       

    • Ricardo_Raza_14

      Ok, your answer was very helpful, and yes, I have a gateway pool because I need to load balance 3 ISPs, but in the case of the VPN I created a specific route to the destination through one ISP.

       

      Here I have another question: my self IP is configured as 190.x.x.2 and my gateway is 190.x.x.1. Is it possible to use the same self IP to surf the internet and, with the same one, establish a VPN?

       

      Regards

       

    • zeiss_63263
      Historic F5 Account

      Using 190.x.x.2 as the IPsec local IP for the IPsec tunnel does not prevent you from using the IP for other purposes (like default internet access). It's okay.

       

      Also, you can use a local self IP or a floating self IP.