LTM 13.0 Unable to create IPSec with traffic domain other than 0

Question

Two F5 LTM VE systems. upgraded to 13.0 &nbsp;
The goal is to create IPSec Tunnel when traffic selector is at non-0 Route Domain. IPsec tunnel works(ed) with only route domain 0.&nbsp;
There are:
1. Two interfaces - Untagged, External with Public Self IP and tagged Internal with RFC 1918 Self-IP IP address
2. VLAN on on tagged interface (just one for testing) on both systems created on tagged interface
3. Route domain 0 is associated with Public Self IP/external interface
4. Route domain 1 is associated with Private Self IP/VLAN&nbsp;
It is possible to ping both public IP and private IP for each system in the corresponding networks.&nbsp;
When creating traffic selector end adding %1 (route domain ID) at the end of Source IP address following message is received:&nbsp;
01070734:3: Configuration error: Source address and destination address cannot be in different route domain&nbsp;
When adding %1 both to source and destination IP addresses at the traffic selector, different message is received&nbsp;
01070734:3: Configuration error: Traffic selector (/Common/ZRHPAL_SEL) and IPsec policy (/Common/ZRHPAL_TUN) cannot be in different route domain&nbsp;
We are stuck here. Please help. &nbsp;
It worked without route domains, but we will need to use route domains and VLANs in the deployment.&nbsp;

zeiss_63263 · Answer

Route-Domains + IKEv1 IPsec are now fully supported in 12.0.0. If your IPsec needs to cross route-domains, meaning that the external and internal VLANs in different route-domain, then IPsec "interface mode" is your best option. 
You create the IPsec and tunnel configuration in the /Common partition. Create the route-domains (and/or partitions) with internals VLANs and self IPs. Place the IPsec tunnel (interfaces) into the relevant route domain.&nbsp;

invisible · Answer

Zeiss, I do appreciate your reply. I did open a ticket with F5, C2412087 and after more than a month and testing and checks it was told to me that different route domains will not work for our situation.

kkohegyi_165129 · Answer

Hi,&nbsp;
The “interface” mode IPSec is working between route-domains.&nbsp;
But only one traffic-selector can be associated to IPSec channel so it is unusable if you want to use more encrypted subnets.&nbsp;

boneyard · Answer

thanks for the extra info.&nbsp;

zeiss_63263 · Answer

But only one traffic-selector can be associated to IPsec channel &nbsp;

True.&nbsp;

so it is unusable if you want to use more encrypted subnets.&nbsp;

Not quite true.&nbsp;
Interface mode has an additional hidden option whereby you can tell your BIG-IP to ignore the selector and obey the routing table. This means that you can bring up a tunnel using any old traffic-selector and then control the traffic that goes over the tunnel using dynamic or static routing.&nbsp;
For more information, please take a look at K31553030.&nbsp;

Forum Discussion

LTM 13.0 Unable to create IPSec with traffic domain other than 0

6 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Geo Fence in ASM through irule for URI

google-visualization-issues

The best load balance method on this scenario?

Related Content

unable create service case in my.f5.com

Create a DevCentral account

Unable to Create UCS files

fellow traffic

Understanding Performance Metrics and Network Traffic