When you configure an iSession connection using the Quick Start screen,
you can specify IPsec encapsulation for outbound iSession traffic. If you select IPsec, the BIG-IP system also encrypts the TCP traffic for the applications you select
when you create iApps templates for optimizing applications.
If you also want to send secured and encrypted non-TCP traffic, you can create a forwarding
virtual server that uses the iSession routing to send all IP traffic not matched by other virtual
servers through the IPsec tunnel. To accelerate the traffic, you can add IP Payload Compression
Protocol (IPComp) to the IPsec tunnel. You would choose IPComp when you expect a great deal of
compressible non-TCP traffic.
Note: NAT traversal is not supported with iSession routing. For NAT traversal, you
must configure a separate IPsec tunnel, and then route the IP traffic through the tunnel.
Creating a virtual server for all IP iSession traffic
Before you create the virtual server, ensure that you have selected
IPsec for the IP Encapsulation Type
setting on the Quick Start screen or the Symmetric Optimization Local Endpoint screen,
and chosen an IPsec policy. You can use the pre-defined default policy
default-ipsec-policy-isession, or create a custom policy, for
example, to compress all IP traffic that does not match another virtual server.
If you are using IPsec to encrypt iSession traffic, you can
create a forwarding virtual server to send all IP traffic through the IPsec tunnel.
Creating the virtual server avoids the need for any special routing for non-TCP traffic,
such as UDP and ICMP.
On the Main tab, click
Click the Create button.
Type a unique name for the virtual server, such as
For the Type setting, select Forwarding
(IP) from the list.
In the Destination Address field, type an IP address in
The supported format is address/prefix, where the prefix length is in bits.
For example, to select all IP addresses, an IPv4 address/prefix is
0.0.0.0/0, and an IPv6 address/prefix is
::/0. To specify a network, an IPv4 address/prefix is
10.07.0.0 or 10.07.0.0/24, and
an IPv6 address/prefix is ffe1::/64 or
2001:ed8:77b5::/64. When you use an IPv4 address
without specifying a prefix, the BIG-IP system
automatically uses a /32 prefix.
For best results, F5 recommends that you enter the subnet
that matches your destination server network.
In the Service Port field, type *
or select * All Ports from the list.
In the Configuration area of the screen, from the
Protocol list, select *All
In the Acceleration area of the screen, from the iSession
Profile list, select an iSession profile.
Note: This setting is available only if you have licensed and
provisioned the Application Acceleration Manager (AAM) product.
The completed screen looks similar to the following example.
Example of a completed virtual server screen for non-TCP iSession traffic,
with destination subnet specified
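The following is an added example, not part of the F5 documentation or product: a Python pre-change check that normalizes Destination Address entries using the address/prefix rules in the step above and labels each as catch-all, subnet, or single host. The function names, the sample entries, the rejection of IPv4 octets with leading zeros, and the requirement for an explicit IPv6 prefix are assumptions of this script; the page does not say how the BIG-IP system handles those two cases.

```python
import ipaddress

def normalize_destination(value):
    """Return (network, scope) for one Destination Address entry."""
    addr, _, prefix = value.strip().partition("/")
    is_v6 = ":" in addr
    if not is_v6 and any(len(o) > 1 and o[0] == "0" for o in addr.split(".")):
        # "07" is decimal to some parsers and octal to others; this script's
        # choice is to refuse it. The page does not say how BIG-IP reads it.
        raise ValueError(f"leading zero in IPv4 octet: {value!r}")
    if not prefix:
        if is_v6:
            # The page gives a default prefix only for IPv4 (assumption:
            # require an explicit prefix for IPv6).
            raise ValueError(f"IPv6 entry needs an explicit prefix: {value!r}")
        prefix = "32"  # page: IPv4 without a prefix is treated as /32
    # strict=False masks off host bits instead of raising on them.
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    if net.prefixlen == 0:
        scope = "catch-all"    # all otherwise-unmatched IP traffic is tunnelled
    elif net.prefixlen == net.max_prefixlen:
        scope = "single-host"
    else:
        scope = "subnet"       # the form F5 recommends: the destination server network
    return str(net), scope

def review(entries):
    """Map each entry to (network, scope) or ("rejected", reason)."""
    report = {}
    for entry in entries:
        try:
            report[entry] = normalize_destination(entry)
        except ValueError as exc:
            report[entry] = ("rejected", str(exc))
    return report

# Constructed sample entries, not taken from a real configuration.
SAMPLE = ["0.0.0.0/0", "::/0", "10.7.0.0", "10.7.0.0/24",
          "2001:ed8:77b5::/64", "10.07.0.0/24"]

if __name__ == "__main__":
    for entry, (net, scope) in review(SAMPLE).items():
        print(f"{entry:22} -> {net:22} {scope}")
```

Entries reported as catch-all send every packet not matched by another virtual server through the IPsec tunnel, so they are the ones to compare against the intended destination server network before saving the virtual server.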