Nov 24, 2013

IPSec with BIG-IP as end point questions

It is good that F5 decided to support this a while ago, but the documentation could be a little better. Now it is some general remarks and then one example.

My main question is about the "forwarding virtual server for IPsec". In the example this is created as a virtual server that pretty much picks up all traffic on all VLANs (and tunnels). Is that really needed? Can't it be configured less extremely? If so, what is needed?

Next to that, there is a reference to "the default VLANs" internal and external. Are those as such required? Won't it work with other names?

In some of the guide the need for self IPs disappears and only management is needed. Can you use the management IPs as the endpoint IP, or must it be a self IP?

And nowhere can I find anything about IPsec in a cluster environment. Anything to keep in mind?

3 Replies

  • Hey Boneyard. I've no experience with this but I can say with certainty that it will work with other VLANs and names at least.


    I've had a quick look through the guide. From what I can tell you cannot use the management IP address and it must be a self IP address.


    I think you could configure the Forwarding VS as something other than : but you'd need to do this carefully. Perhaps just use the remote network subnet for instance. Obviously it's the Traffic Selector that defines what actually passes through the tunnel.


    Cluster-wise, I can't test in any way, but if the IPsec configuration syncs between devices and you can use a floating self IP then you've some level of redundancy. I'd assume the tunnels would be deleted and recreated on a failover.
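    One way to express the suggestion in this reply (a forwarding virtual server scoped to the remote network on a single VLAN, with the traffic selector deciding what actually enters the tunnel), as an added illustration that is not from the original thread or from F5's documentation. Subnets, VLAN and object names are constructed placeholders, the IKE peer and the IPsec policy `pol_site_b` are assumed to exist already, and the tmsh syntax is written from memory and should be checked against the BIG-IP version in use.

```tmsh
# Constructed example: the remote network 192.168.20.0/24 is reached through an
# IPsec tunnel terminated on a self IP on VLAN "external"; the local network
# 10.10.0.0/24 sits behind VLAN "internal". Assumes an ike-peer and the
# ipsec-policy "pol_site_b" have been created beforehand.

# Traffic selector: only this source/destination pair is sent into the tunnel,
# so the forwarding virtual server below does not need to be a wildcard.
create net ipsec traffic-selector ts_site_b \
    source-address 10.10.0.0/24 \
    destination-address 192.168.20.0/24 \
    ipsec-policy pol_site_b

# Forwarding virtual server limited to the remote network and to the VLAN on
# which the clear-text traffic arrives, instead of listening on all VLANs.
create ltm virtual fwd_to_site_b \
    destination 192.168.20.0:0 \
    mask 255.255.255.0 \
    ip-protocol any \
    ip-forward \
    profiles add { fastL4 } \
    vlans-enabled \
    vlans add { internal }
```

    Narrowing the forwarding virtual server this way limits what plain-text traffic the BIG-IP will route on behalf of other hosts, while the traffic selector remains the control that decides what is protected by the tunnel.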


  • Can the IPSEC endpoint be a floating Self IP or does it have to be a self-IP of one unit?


  • The IPsec endpoint can be a floating IP address; however, if there is a failover it is not seamless.