You can configure the IPsec and IKE protocols when you want to use a protocol other than SSL to secure traffic that traverses a wide area network (WAN), from one BIG-IP system to another. With this implementation, you configure the IKE protocol to establish a secure channel during Phase 1 negotiation. You also configure the IPsec protocol for Transport mode and dynamic security negotiation, using a custom IPsec policy.
The way to dynamically negotiate security parameters is to configure the Internet Key Exchange (IKE) protocol, which is included in the IPsec protocol suite. When you configure the IKE protocol, two agents, or peers, open a secure channel using an ISAKMP security association (ISAKMP-SA) to initially negotiate the exchange of peer-to-peer authentication data. This exchange is known as Phase 1 negotiation.
Once Phase 1 is complete and the secure channel has been established, Phase 2 negotiation begins, in which the IKE peers dynamically negotiate the authentication and encryption algorithms to use to secure the payload. Without IKE, the system cannot dynamically negotiate these security algorithms.
Transport mode causes the IPsec protocol to encrypt only the payload of an IP packet. The protocol then encloses the encrypted payload in a normal IP packet. Traffic sent in Transport mode is less secure than traffic sent in Tunnel mode, because the IP header in each packet is not encrypted.
The IPsec protocol suite on the BIG-IP system consists of these configuration components:
With this task, you can configure the IPsec and IKE protocols to secure traffic that traverses a wide area network (WAN), such as from one data center to another. This procedure configures IKE to establish a secure channel, and configures IPsec in Transport mode.
To set up this configuration, you must verify a few prerequisite tasks, as well as create some configuration objects on the BIG-IP system.
Before you begin configuring IPsec and IKE, verify that these modules and BIG-IP system objects exist on the BIG-IP system in each data center:
Use this procedure to create an IKE peer object on the BIG-IP system. The IKE peer object identifies the other BIG-IP system that the system you are configuring communicates with during Phase 1 negotiations. The IKE peer object also specifies the algorithms and credentials to be used for Phase 1 negotiation. Creating an IKE peer is a required step in the process of establishing a secure channel between the two systems.
| Option | Description |
|---|---|
| The default values | The default authentication method is RSA signature. |
| The authentication method Preshared Key | This allows you to type a preshared key for use as the authentication method. |

Important: If you have your own certificate file, key file, and certificate authority (CA), it is recommended for security purposes that you specify these files, using the Certificate, Key, and Trusted Certificate Authorities settings.
Use this procedure to create a custom IPsec policy. You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode.
| System Name | Source IP Address |
|---|---|

| System Name | Destination IP Address |
|---|---|
To summarize, you now have the following IPsec configuration on this BIG-IP system, for both inbound and outbound traffic.
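The same configuration expressed as tmsh commands, as an added example that is not part of the F5 documentation: the object names, certificate names and the two self IP addresses (10.100.0.10 in data center A, 10.200.0.10 in data center B) are constructed placeholders, and the property names are the tmsh `net ipsec` properties as the editor knows them, so confirm them on your software version with `tmsh help net ipsec` before use.

```tmsh
# Added example, not from the F5 documentation. Entered on the BIG-IP in
# data center A; on the peer in data center B, swap the two addresses.
# Names and addresses are constructed placeholders.

# Phase 1: the IKE peer identifies the remote BIG-IP and the credentials
# used to open the ISAKMP-SA. RSA signature (the default) is used with
# the site's own certificate, key and CA instead of the default files,
# and the peer certificate is verified against that CA.
create net ipsec ike-peer dc-b-peer \
    remote-address 10.200.0.10 \
    phase1-auth-method rsa-signature \
    my-cert-file /Common/dc-a.crt \
    my-cert-key-file /Common/dc-a.key \
    ca-cert-file /Common/wan-ca.crt \
    verify-cert true \
    phase1-encrypt-algorithm aes256 \
    phase1-hash-algorithm sha256 \
    phase1-perfect-forward-secrecy modp2048

# Phase 2: a custom IPsec policy in Transport mode. Only the payload is
# protected (the IP header stays in the clear), and the ESP algorithms
# negotiated in Phase 2 are pinned here rather than inherited from
# default-ipsec-policy.
create net ipsec ipsec-policy dc-transport-policy \
    mode transport \
    protocol esp \
    ike-phase2-auth-algorithm sha256 \
    ike-phase2-encrypt-algorithm aes256 \
    ike-phase2-perfect-forward-secrecy modp2048 \
    ike-phase2-lifetime 1440

# Traffic selectors bind the policy to the WAN traffic in both
# directions: outbound from this system's self IP, inbound to it.
create net ipsec traffic-selector dc-a-to-dc-b \
    source-address 10.100.0.10/32 \
    destination-address 10.200.0.10/32 \
    direction out \
    action protect \
    ipsec-policy dc-transport-policy

create net ipsec traffic-selector dc-b-to-dc-a \
    source-address 10.200.0.10/32 \
    destination-address 10.100.0.10/32 \
    direction in \
    action protect \
    ipsec-policy dc-transport-policy

save sys config
```

After both systems are configured, `tmsh show net ipsec ike-sa` and `tmsh show net ipsec ipsec-sa` let you confirm that the Phase 1 and Phase 2 security associations were actually negotiated rather than the traffic falling through unprotected.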