You can configure the IPsec and IKE protocols when you want to use a protocol other than SSL to secure traffic that traverses a wide area network (WAN), from one BIG-IP system to another. With this implementation, you configure the IKE protocol to establish a secure channel during Phase 1 negotiation. You also configure the IPsec protocol for Tunnel mode and dynamic security negotiation, using a custom IPsec policy.
The way to dynamically negotiate security parameters is to configure the Internet Key Exchange (IKE) protocol, which is included in the IPsec protocol suite. When you configure the IKE protocol, two agents, or peers, open a secure channel using an ISAKMP security association (ISAKMP-SA) to initially negotiate the exchange of peer-to-peer authentication data. This exchange is known as Phase 1 negotiation.
Once Phase 1 is complete and the secure channel has been established, Phase 2 negotiation begins, in which the IKE peers dynamically negotiate the authentication and encryption algorithms to use to secure the payload. Without IKE, the system cannot dynamically negotiate these security algorithms.
Tunnel mode causes the IPsec protocol to encrypt the entire packet (the payload plus the IP header). This encrypted packet is then included as the payload in another outer packet with a new header. Traffic sent in this mode is more secure than traffic sent in Transport mode, because the original IP header is encrypted along with the original payload.
The IPsec protocol suite on the BIG-IP system consists of these configuration components:
With this task, you can configure the IPsec and IKE protocols to secure traffic that traverses a wide area network (WAN), such as from one data center to another. This procedure configures IKE to establish a secure channel and configures IPsec in Tunnel mode.
To set up this configuration, you must verify a few prerequisite tasks, as well as create some configuration objects on the BIG-IP system.
Before you begin configuring IPsec and IKE, verify that these modules and BIG-IP system objects exist on the BIG-IP system in each data center:
Use this procedure to create an IKE peer object on the BIG-IP system. The IKE peer object identifies the other BIG-IP system that the system you are configuring communicates with during Phase 1 negotiations. The IKE peer object also specifies the specific algorithms and credentials to be used for Phase 1 negotiation. Creating an IKE peer is a required step in the process of establishing a secure channel between the two systems.
|The default values||The default authentication method is RSA signature.
Important: If you have your own certificate file, key file, and certificate authority (CA), it is recommended for security purposes that you specify these files, using the Certificate, Key, and Trusted Certificate Authorities settings.
|The authentication method Preshared Key.||This allows you to type a preshared key for use as the authentication method.|
Use this procedure to create a custom IPsec policy. You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode.
|System Name||Tunnel Local Address|
|System Name||Tunnel Remote Address|
|System Name||Source IP Address|
|System Name||Destination IP Address|
To summarize, you now have the following IPsec configuration on this BIG-IP system, for both inbound and outbound traffic.