You can configure an IPsec tunnel when you want to use a protocol other than SSL to secure traffic that traverses a wide area network (WAN), from one BIG-IP system to another. Typically, you would use the Internet Key Exchange (IKE) protocol to negotiate the secure channel between the two systems. If you choose not to use IKE, you must create manual security associations for IPsec security. A manual security association statically defines the specific attribute values that IPsec should use for the authentication and encryption of data flowing through the tunnel.
The implementation of the IPsec protocol suite with a manual security association consists of these components:
Tunnel mode causes the IPsec protocol to encrypt the entire packet (the payload plus the IP header). This encrypted packet is then included as the payload in another outer packet with a new header. Traffic sent in this mode is more secure than traffic sent in Transport mode, because the original IP header is encrypted along with the original payload.
You can configure an IPsec tunnel to secure traffic that traverses a wide area network (WAN), such as from one data center to another.
Before you begin configuring IPsec, verify that these modules, system objects, and connectivity exist on the BIG-IP systems in both the local and remote locations:
| System Name | Traffic Direction | Tunnel Local Address |

| System Name | Traffic Direction | Tunnel Remote Address |
After you have manually configured security associations for an IPsec tunnel and before you configure additional functionality, you can verify that the tunnel is passing traffic.
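As an added example, and not F5's code or a BIG-IP configuration, the following Python models the three things this page describes: the attribute set a manual security association fixes statically (SPI, tunnel endpoints, encryption and authentication keys, replay window) where IKE would otherwise negotiate them; what tunnel mode does to a packet (the whole inner packet, IP header included, is encrypted and becomes the ESP payload of a new outer packet addressed between the tunnel endpoints); and the final check that the tunnel is passing traffic. It uses HMAC-SHA-256-96 as the ESP integrity algorithm and, so that it runs on the standard library alone, an HMAC-SHA-256 counter-mode keystream as a stand-in for AES. The SPI, keys, addresses and the inner UDP datagram are constructed values, and none of the names are BIG-IP identifiers.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

IPPROTO_ESP = 50   # protocol number in the outer IP header
IPPROTO_IPIP = 4   # ESP next-header value: the decrypted payload is a whole IPv4 packet
IV_LEN = 16
ICV_LEN = 12       # HMAC-SHA-256-96: the ICV is the first 96 bits of the tag

@dataclass
class ManualSA:
    """What a manual SA pins down statically instead of letting IKE negotiate it (constructed values)."""
    spi: int
    tunnel_local: str
    tunnel_remote: str
    enc_key: bytes
    auth_key: bytes
    replay_window: int = 64
    last_seq: int = 0      # receiver-side anti-replay state (RFC 4303 sliding window)
    seen_bitmap: int = 0

def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    a2b = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, a2b(src), a2b(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA-256 as the PRF: a stand-in for AES so that only the
    standard library is needed. A real SA would use AES-CBC, AES-CTR or AES-GCM here."""
    blocks = [hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest() for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def esp_encapsulate(sa: ManualSA, seq: int, inner_packet: bytes, iv: bytes = None) -> bytes:
    """Tunnel mode: the whole inner packet, header included, becomes the ESP payload of a new outer packet."""
    iv = iv or os.urandom(IV_LEN)
    pad_len = (-(len(inner_packet) + 2)) % 4  # ESP trailer must end on a 4-byte boundary
    plaintext = inner_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(sa.enc_key, iv, len(plaintext))))
    esp = struct.pack("!II", sa.spi, seq) + iv + ciphertext  # SPI, sequence number, IV, encrypted data
    icv = hmac.new(sa.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]  # ICV covers SPI..ciphertext
    return build_ipv4(sa.tunnel_local, sa.tunnel_remote, IPPROTO_ESP, esp + icv)

def check_replay(sa: ManualSA, seq: int) -> None:
    """RFC 4303 anti-replay window: bit 0 of the bitmap is last_seq, bit n is last_seq - n."""
    if seq > sa.last_seq:
        shift = min(seq - sa.last_seq, sa.replay_window)
        sa.seen_bitmap = ((sa.seen_bitmap << shift) | 1) & ((1 << sa.replay_window) - 1)
        sa.last_seq = seq
        return
    offset = sa.last_seq - seq
    if seq == 0 or offset >= sa.replay_window:
        raise ValueError("sequence number %d is outside the replay window" % seq)
    if sa.seen_bitmap & (1 << offset):
        raise ValueError("replayed sequence number %d" % seq)
    sa.seen_bitmap |= 1 << offset

def esp_decapsulate(sa: ManualSA, outer_packet: bytes) -> bytes:
    """Reverse of esp_encapsulate; integrity and replay are checked before anything is decrypted."""
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[9] != IPPROTO_ESP:
        raise ValueError("outer packet is not ESP")
    esp, icv = outer_packet[ihl:-ICV_LEN], outer_packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != sa.spi:
        raise ValueError("no SA for SPI 0x%x" % spi)
    expected = hmac.new(sa.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: auth keys differ or packet was modified in transit")
    check_replay(sa, seq)
    iv, ciphertext = esp[8:8 + IV_LEN], esp[8 + IV_LEN:]
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(sa.enc_key, iv, len(ciphertext))))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("unexpected next header %d" % next_hdr)
    return plaintext[:len(plaintext) - pad_len - 2]

def verify_tunnel(sa_tx: ManualSA, sa_rx: ManualSA) -> dict:
    """The 'is the tunnel passing traffic' check: one packet through, then confirm that a replay
    of it and a tampered copy are both dropped."""
    udp = struct.pack("!HHHH", 40000, 53, 13, 0) + b"hello"  # constructed inner UDP datagram
    inner = build_ipv4("10.0.0.5", "10.1.0.7", 17, udp)
    outer = esp_encapsulate(sa_tx, 1, inner)
    results = {"outer_proto_is_esp": outer[9] == IPPROTO_ESP, "roundtrip_ok": esp_decapsulate(sa_rx, outer) == inner}
    for name, pkt in (("replay_dropped", outer), ("tamper_dropped", outer[:-1] + bytes([outer[-1] ^ 1]))):
        try:
            esp_decapsulate(sa_rx, pkt)
            results[name] = False
        except ValueError:
            results[name] = True
    return results
```

Call `verify_tunnel` with two `ManualSA` objects built from the same SPI, keys and endpoints, one per side, and every entry in the returned dictionary should be `True`; a mismatched authentication key on either side shows up as an ICV mismatch on the first packet, which is the usual symptom of a typo in a manually entered key. The receiver verifies the ICV before it touches the ciphertext or the replay window, which is the order ESP requires so that forged packets cannot disturb the sequence-number state.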