Manual Chapter: Configuring IPsec for Transport Mode and Manual Security Association

Overview: Implementation of the IPsec protocol suite

For enhanced security, you can authenticate and encrypt application traffic flowing through a tunnel by using the IP Security (IPsec) protocol. The IPsec protocol secures IP communications by authenticating and encrypting each IP packet of a data stream.

When your network environment does not include the Internet Key Exchange (IKE) protocol, you must create a manual security association for IPsec security. A manual security association statically defines the specific attribute values that IPsec should use when negotiating the authentication and encryption of data flowing through the tunnel.

The implementation of the IPsec protocol suite with a manual security association consists of these components:
IPsec policy
A set of information that defines the specific IPsec protocol to use (Encapsulating Security Payload, or ESP), as well as the mode (Transport or Tunnel). The definition of the IPsec policy determines the way in which the BIG-IP system manipulates the IP headers in the packets. You can use a default IPsec policy named default-ipsec-policy.
Manual security association
A set of information that the IPsec protocol uses to authenticate and encrypt application traffic.
Traffic selector
A packet filter that defines the source and destination addresses for the application traffic destined for the IPsec tunnel. A traffic selector also references the IPsec policy, to determine the mode and the use of ESP.

Task summary

Implement IPsec with a manual security association configuration to encrypt traffic as it passes through a tunnel, such as an EtherIP or an iSession tunnel. To set up this configuration, you must verify a few prerequisite tasks, as well as create some configuration objects on the BIG-IP system.

Important: Perform these tasks on the BIG-IP system in both the local data center and the remote data center.

Prerequisites

Before you begin configuring IPsec, verify that these BIG-IP objects and this module exist on the BIG-IP system:

A standard virtual server
This virtual server load balances application traffic. This virtual server must reference a profile and a load balancing pool.
The default VLANs
These VLANs are named external and internal.
BIG-IP Global Traffic Manager
This module directs traffic to the correct BIG-IP Local Traffic Manager virtual server.
Task list

Creating a manual IPsec security association

Understand the source and destination IP addresses of the BIG-IP systems that will direct the application traffic.
Use this procedure to create a manual security association. A manual security association is an object you create to specify the security attributes for a given IPsec communication session. These attributes include the specific source and destination IP addresses of the communicating devices, the authentication algorithm, and the encryption algorithm that the IPsec protocol should use. When you create and implement a manual, rather than a dynamic, security association, the peer systems do not need to negotiate these attributes.
  1. On the Main tab, click Network > IPsec > Manual Security Associations.
  2. Click the Create button. The New Security Association page opens.
  3. In the Name field, type a unique name for the security association.
  4. In the Description field, type a brief description of the security setting.
  5. In the SPI field, type a number for the security parameter index.
  6. In the Source Address field, type an IP address.
  7. In the Destination Address field, type an IP address.
  8. In the Authentication Key field, type a key value.
  9. From the Encryption Algorithm list, select an algorithm. You can select 3DES, AES-128, AES-192, or AES-256.
  10. In the Encryption Key field, type a key value.
  11. Click Finished. The page refreshes and displays the new IPsec security association in the list.
You now have an IPsec security association that you can assign to an IPsec policy.
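The manual SA in steps 5 through 10 is only as sound as the values typed into it, and the peer system must hold a matching entry. The following added example (not F5 code) checks the SPI and key lengths for the algorithms the procedure offers and derives the mirrored SA for the peer; it assumes keys are entered as hex strings and that the peer's SA is the same SPI and keys with source and destination swapped.

```python
# Added example (not F5 code): sanity-check Manual Security Association fields
# before entering them and derive the peer's mirrored SA. Assumptions: keys are
# hex strings; the peer SA keeps SPI and keys and swaps source/destination.
import re

# Key length in bytes for each Encryption Algorithm choice listed in step 9.
ENC_KEY_BYTES = {"3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}
AUTH_KEY_BYTES = 20  # HMAC-SHA-1 key, the authentication algorithm in the results section
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF  # RFC 4303 reserves SPI values 0-255

def hex_key_bytes(key):
    """Byte length of a hex-encoded key, or None if it is not even-length hex."""
    if not re.fullmatch(r"[0-9a-fA-F]+", key) or len(key) % 2:
        return None
    return len(key) // 2

def validate_manual_sa(sa):
    """Return a list of problems with a manual SA dict; an empty list means it passes."""
    problems = []
    if not SPI_MIN <= sa["spi"] <= SPI_MAX:
        problems.append(f"SPI {sa['spi']} outside {SPI_MIN}-{SPI_MAX}")
    if sa["source"] == sa["destination"]:
        problems.append("source and destination addresses are identical")
    enc = sa["encryption_algorithm"]
    if enc not in ENC_KEY_BYTES:
        problems.append(f"unsupported encryption algorithm {enc!r}")
    else:
        n = hex_key_bytes(sa["encryption_key"])
        if n != ENC_KEY_BYTES[enc]:
            problems.append(f"{enc} needs a {ENC_KEY_BYTES[enc]}-byte hex key, got {n}")
    n = hex_key_bytes(sa["authentication_key"])
    if n != AUTH_KEY_BYTES:
        problems.append(f"SHA-1 needs a {AUTH_KEY_BYTES}-byte hex key, got {n}")
    return problems

def peer_sa(sa):
    """SA the other data center must create (assumption: addresses swapped, rest identical)."""
    mirrored = dict(sa)
    mirrored["source"], mirrored["destination"] = sa["destination"], sa["source"]
    return mirrored

# Constructed sample: RFC 5737 documentation addresses and obviously fake keys.
SAMPLE_SA = {
    "name": "dc1_to_dc2_sa", "spi": 4001,
    "source": "192.0.2.10", "destination": "198.51.100.10",
    "authentication_key": "0a" * AUTH_KEY_BYTES,
    "encryption_algorithm": "AES-256", "encryption_key": "1b" * 32,
}
```

Run `validate_manual_sa(SAMPLE_SA)` on each side's values before clicking Finished; a non-empty list names the field to correct.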

Creating an IPsec traffic selector that uses the default IPsec policy

Use this procedure to create an IPsec traffic selector. A traffic selector filters traffic based on the IP addresses and port numbers that you specify.
Important: Perform this task on each BIG-IP system.
  1. On the Main tab, click Network > IPsec > Traffic Selectors.
  2. Click Create. The New Traffic Selector screen opens.
  3. In the Name field, type a unique name for the traffic selector.
  4. In the Description field, type a brief description of the traffic selector.
  5. From the Order list, select the order in which you want the traffic selector to be used. Available selections are: First, Last, and Specify. When you choose Specify, you can type a numeral, such as 2.
  6. For the Source IP Address setting, click a type of address. You can click Any, Host, or Network. If you click Network, you must also type a network mask in the Mask field.
  7. For the Source IP Address setting, in the Address field, type an IP address. The IP address you specify should be the host or network address from which the traffic originates.
  8. From the Source Port list, select a source port, or retain the default value * All Ports.
  9. For the Destination IP Address setting, click a type of address. You can click Any, Host, or Network. If you click Network, you must also type a network mask in the Mask field.
  10. For the Destination IP Address setting, in the Address field, type an IP address. The IP address you specify should be the host or network address to which the traffic is destined.
  11. From the Destination Port list, select a destination port, or retain the default value * All Ports.
  12. From the Protocol list, select a protocol name. You can select * All Protocols, TCP, UDP, ICMP, or Other. If you select Other, you must type a protocol name.
  13. From the Direction list, select a traffic direction to which the traffic selector applies. You can select In, Both, or Out.
  14. From the Action list, select Protect. The IPsec Policy Name setting appears.
  15. From the IPsec Policy Name list, retain the default IPsec policy name, default-ipsec-policy.
  16. Click Finished. The screen refreshes and displays the new IPsec traffic selector in the list.
You now have an IPsec traffic selector configured for Transport mode that uses the default IPsec policy.
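To see how the Order, address type, port, protocol, and Direction settings from steps 5 through 13 combine, here is an added example (not F5 code) that models selector evaluation: selectors are tried in ascending Order and the first match decides, which is an assumption about the BIG-IP matching rules; traffic matching no Protect selector is treated as unprotected.

```python
# Added example (not F5 code): model evaluation of the traffic selectors above.
# Assumption: selectors are tried in ascending Order and the first match wins;
# a packet matching no Protect selector is left unprotected.
import ipaddress

ANY = "*"  # stands for the page's Any, * All Ports and * All Protocols choices

def addr_ok(rule, addr):
    """rule is ANY, a Host address, or Network with Mask as 'net/mask'."""
    if rule == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)

def field_ok(rule, value):
    """Port or protocol rule: ANY matches everything, else exact match."""
    return rule == ANY or rule == value

def match_selector(selectors, pkt):
    """Return the first selector (by Order) that matches the packet, or None."""
    for sel in sorted(selectors, key=lambda s: s["order"]):
        if sel["direction"] != "Both" and sel["direction"] != pkt["direction"]:
            continue
        if (addr_ok(sel["src"], pkt["src"]) and addr_ok(sel["dst"], pkt["dst"])
                and field_ok(sel["src_port"], pkt["src_port"])
                and field_ok(sel["dst_port"], pkt["dst_port"])
                and field_ok(sel["protocol"], pkt["protocol"])):
            return sel
    return None

def is_protected(selectors, pkt):
    """True when the matching selector's Action is Protect."""
    sel = match_selector(selectors, pkt)
    return sel is not None and sel["action"] == "Protect"

# Constructed selectors mirroring steps 5-15; RFC 5737 documentation addresses.
SELECTORS = [
    {"name": "protect_ssh_from_host", "order": 1, "direction": "Out",
     "src": "192.0.2.10", "dst": ANY, "src_port": ANY, "dst_port": 22,
     "protocol": "TCP", "action": "Protect", "policy": "default-ipsec-policy"},
    {"name": "protect_site_to_site", "order": 2, "direction": "Both",
     "src": "192.0.2.0/255.255.255.0", "dst": "198.51.100.0/255.255.255.0",
     "src_port": ANY, "dst_port": ANY, "protocol": ANY,
     "action": "Protect", "policy": "default-ipsec-policy"},
]
```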

Implementation results

To summarize, you now have this IPsec configuration on this BIG-IP system, for both inbound and outbound traffic:

  • Transport mode for securing traffic, using the ESP protocol
  • The authentication algorithm SHA-1
  • The encryption algorithm 3DES
  • The default IPsec policy, named default-ipsec-policy