Manual Chapter: Encrypting Application Traffic with iSession

Applies To:

BIG-IP AAM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Encrypting application traffic with iSession

You can use either SSL or IPsec to encrypt application data traffic through a secured iSession connection, depending on how you configure symmetric optimization.

  • If you are using IPsec, you specify IPsec encapsulation of the data traffic. After the trust relationship is established between the iSession endpoints, the data traffic is encapsulated, regardless of the application.
  • If you are using SSL, you specify WAN encryption on a per-application basis when you create an iApps template for that application. If you manually create an optimized application virtual server for outbound iSession traffic, ensure that you associate an iSession profile that has encryption enabled.
Note: Selecting IPsec encapsulation supersedes any per-application SSL data encryption settings.

Task summary for encrypting application traffic using IPsec

Before you begin encrypting application traffic, you must secure the iSession endpoints using SSL.

After the iSession connection is secure, the easiest and quickest method of configuring application data encryption using IPsec is on the Quick Start screen.

Note: For this implementation, creating a custom policy is an optional task.

Task list

Encrypting application traffic using IPsec on the Quick Start screen

You cannot view the Quick Start screen until you have defined at least one VLAN and at least one self IP on a configured BIG-IP system that is provisioned for acceleration.
You complete this task to encrypt application traffic over an iSession connection using IPsec.
  1. On the Main tab, click Acceleration > Quick Start > Symmetric Properties.
  2. In the IP Encapsulation area, select IPsec from the IP Encapsulation Type list. The screen refreshes and displays the IPSEC Policy field.
  3. From the IPSEC Policy list, select an IPsec policy. You can use the pre-defined default policy default-ipsec-policy-isession, or create a custom policy, which the system adds to the list.
  4. Click Apply.
Application traffic is now encrypted over the iSession connection using IPsec, according to the settings in the selected IPsec policy.

Creating a custom IPsec policy for iSession traffic

You can create a custom IPsec policy for iSession traffic if you want settings that are different from the default values. For example, you might want to specify a different authentication algorithm or Diffie-Hellman group for IKE phase 2 negotiations.
  1. On the Main tab, click Network > IPsec > IPsec Policies.
  2. Click the Create button. The New Policy screen opens.
  3. In the Name field, type a unique name for the policy.
  4. From the Mode list, select iSession Using Tunnel.
  5. From the Authentication Algorithm list, select an algorithm. These are the possible values:
    • SHA-1
    • AES-GCM128
    • AES-GCM192
    • AES-GCM256
    • AES-GMAC128
    • AES-GMAC192
    • AES-GMAC256
  6. From the Perfect Forward Secrecy list, select a Diffie-Hellman group. These are the possible values:
    • MODP768
    • MODP1024
    • MODP1536
    • MODP2048
    • MODP3072
    • MODP4096
    • MODP6144
    • MODP8192
  7. For the IPComp setting, do one of the following:
    • Retain the default value None, if you do not want to enable packet-level compression before encryption.
    • Select DEFLATE to enable packet-level compression before encryption.
  8. Click Finished. The screen refreshes and displays the new IPsec policy in the list.
For a custom IPsec policy to take effect, you must apply it to the iSession endpoints. You can select it on the Quick Start screen or the Local Endpoint screen. The selected policy settings must be the same on both endpoints of an iSession connection.
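
The requirement that both endpoints carry the same policy settings can be checked offline before the policy is applied. The following is an added example, not F5 code and not part of the original manual; the dictionary field names, the sample policies and the 2048-bit minimum for the Diffie-Hellman group are assumptions made for illustration.

```python
# Added example: audit the IPsec policy settings of two iSession endpoints.
# Field names and sample policies are constructed; this is not BIG-IP output.
import re

# Selectable values as listed in the custom policy procedure above.
ALLOWED = {
    "mode": {"iSession Using Tunnel"},
    "auth_algorithm": {"SHA-1", "AES-GCM128", "AES-GCM192", "AES-GCM256",
                       "AES-GMAC128", "AES-GMAC192", "AES-GMAC256"},
    "pfs_group": {"MODP768", "MODP1024", "MODP1536", "MODP2048",
                  "MODP3072", "MODP4096", "MODP6144", "MODP8192"},
    "ipcomp": {"None", "DEFLATE"},
}


def audit_policy(name, policy, min_modp_bits=2048):
    """Return findings for one endpoint's policy settings."""
    findings = []
    for field, allowed in ALLOWED.items():
        value = policy.get(field)
        if value not in allowed:
            findings.append(f"{name}: {field}={value!r} is not a listed value")
    match = re.fullmatch(r"MODP(\d+)", policy.get("pfs_group") or "")
    # min_modp_bits is a local hardening threshold (assumption), not an F5 default.
    if match and int(match.group(1)) < min_modp_bits:
        findings.append(f"{name}: pfs_group {policy['pfs_group']} is below {min_modp_bits} bits")
    return findings


def compare_endpoints(local, remote):
    """Return the fields whose values differ between the two endpoints."""
    return sorted(f for f in ALLOWED if local.get(f) != remote.get(f))


def audit_pair(local, remote, min_modp_bits=2048):
    """Audit each endpoint, then report any setting that does not match."""
    findings = audit_policy("local", local, min_modp_bits)
    findings += audit_policy("remote", remote, min_modp_bits)
    for f in compare_endpoints(local, remote):
        findings.append(f"mismatch: {f} local={local.get(f)!r} remote={remote.get(f)!r}")
    return findings


# Constructed sample input: the remote endpoint was left on a different DH group.
LOCAL = {"mode": "iSession Using Tunnel", "auth_algorithm": "AES-GCM128",
         "pfs_group": "MODP2048", "ipcomp": "None"}
REMOTE = dict(LOCAL, pfs_group="MODP1024")

if __name__ == "__main__":
    print("\n".join(audit_pair(LOCAL, REMOTE)) or "policies match")
```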