Manual Chapter: Configuring IPsec Using Manually Keyed Security Associations

Overview: Configuring IPsec using manual security associations

You can configure an IPsec tunnel when you want to use a protocol other than SSL to secure traffic that traverses a wide area network (WAN), from one BIG-IP system to another. Typically, you would use the Internet Key Exchange (IKE) protocol to negotiate the secure channel between the two systems. If you choose not to use IKE, you must create manual security associations for IPsec security. A manual security association statically defines the specific attribute values that IPsec should use for the authentication and encryption of data flowing through the tunnel.

Figure: Illustration of an IPsec deployment

The implementation of the IPsec protocol suite with a manual security association consists of these components:

IPsec policy
An IPsec policy is a set of information that defines the specific IPsec protocol to use (ESP or AH), and the mode (Transport, Tunnel, or iSession). For Tunnel mode, the policy also specifies the endpoints for the tunnel. The way that you configure the IPsec policy determines the way that the BIG-IP system manipulates the IP headers in the packets. The BIG-IP system includes two default IPsec policies, named default-ipsec-policy and default-ipsec-policy-isession. A common configuration includes a bidirectional policy on each BIG-IP system.
Manual security association
A manual security association is a set of information that the IPsec protocol uses to authenticate and encrypt application traffic.
Note: When you create a manual security association instead of using IKE, the peer systems do not negotiate these attributes. Peers can communicate only when they share the same configured attributes.
Traffic selector
A traffic selector is a packet filter that defines what traffic should be handled by an IPsec policy. You define the traffic by source and destination IP addresses and port numbers. A common configuration includes a bidirectional traffic selector on each BIG-IP system.

About IPsec Tunnel mode

Tunnel mode causes the IPsec protocol to encrypt the entire packet (the payload plus the IP header). This encrypted packet is then included as the payload in another outer packet with a new header. Traffic sent in this mode is more secure than traffic sent in Transport mode, because the original IP header is encrypted along with the original payload.

Task summary

You can configure an IPsec tunnel to secure traffic that traverses a wide area network (WAN), such as from one data center to another.

Before you begin configuring IPsec, verify that these modules, system objects, and connectivity exist on the BIG-IP systems in both the local and remote locations:

BIG-IP Local Traffic Manager
This module directs traffic securely and efficiently to the appropriate destination on a network.
Self IP address
Each BIG-IP system must have at least one self IP address, to be used in specifying the ends of the IPsec tunnel.
The default VLANs
These VLANs are named external and internal.
BIG-IP connectivity
Verify the connectivity between the client or server and its BIG-IP device, and between each BIG-IP device and its gateway. For example, you can use ping to test this connectivity.

Task list

Creating a forwarding virtual server for IPsec

For IPsec, you create a forwarding virtual server to intercept IP traffic and direct it over the tunnel.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Forwarding (IP).
  5. For the Destination setting:
    1. For Type, select Network.
    2. In the Address field, type the IP address 0.0.0.0.
    3. In the Mask field, type the netmask 0.0.0.0.
  6. From the Service Port list, select *All Ports.
  7. From the Protocol list, select *All Protocols.
  8. From the VLAN and Tunnel Traffic list, retain the default selection, All VLANs and Tunnels.
  9. Click Finished.

Creating a manual IPsec security association

Before starting this task, determine the source and destination IP addresses for the BIG-IP systems in your network that will direct the application traffic.
You create a manual security association to specify the security attributes for a given IPsec communication session. These attributes include the specific source and destination IP addresses of the communicating devices, the authentication algorithm, and the encryption algorithm that the IPsec protocol should use.
Important: You must perform this task on both BIG-IP systems.
  1. On the Main tab, click Network > IPsec > Manual Security Associations.
  2. Click the Create button. The New Security Association screen opens.
  3. In the Name field, type a unique name for the security association.
  4. In the Description field, type a brief description of the security setting.
  5. In the SPI field, type a unique number for the security parameter index. This number must be an integer between 256 and 4294967296.
  6. In the Source Address field, type the source IP address.
  7. In the Destination Address field, type the destination IP address.
  8. In the Authentication Key field, type a key value. This value can be any double-quoted character string up to a maximum of 128 characters.
  9. From the Encryption Algorithm list, select the algorithm appropriate to your deployment.
  10. In the Encryption Key field, type a key value. This value can be any double-quoted character string up to a maximum of 128 characters.
  11. Click Finished. The screen refreshes and displays the new IPsec security association in the list.
  12. Repeat this task on the BIG-IP system in the remote location.
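Because a manual security association is never negotiated (see the note under "Manual security association" above), the values typed on the two BIG-IP systems must agree exactly, and a single retyped character in a key silently breaks the tunnel. The following Python script is an added example, not part of the F5 documentation or product: it models the fields of the Manual Security Associations screen, applies the limits the screen states (SPI between 256 and 4294967296, keys up to 128 characters), and compares the definitions from both peers. The assumption that the two peers refer to the same pair of endpoint addresses (compared as a set, so a mirrored source/destination also passes) and the flagging of null encryption are this example's additions; all addresses and keys are constructed placeholders.

```python
"""Consistency check for a manually keyed IPsec SA on two peers (added example)."""
import ipaddress
from dataclasses import dataclass

# Limits as stated on the Manual Security Associations screen described above.
SPI_MIN, SPI_MAX = 256, 4294967296
KEY_MAX_CHARS = 128


@dataclass(frozen=True)
class ManualSA:
    """One manual security association as typed into the BIG-IP screen."""
    name: str
    spi: int
    source: str
    destination: str
    auth_key: str
    encryption_algorithm: str
    encryption_key: str


def validate_sa(sa: ManualSA) -> list[str]:
    """Return the problems found in a single SA definition (empty list means OK)."""
    problems = []
    if not SPI_MIN <= sa.spi <= SPI_MAX:
        problems.append(f"{sa.name}: SPI {sa.spi} is outside {SPI_MIN}..{SPI_MAX}")
    for label, key in (("authentication", sa.auth_key), ("encryption", sa.encryption_key)):
        if not key:
            problems.append(f"{sa.name}: {label} key is empty")
        elif len(key) > KEY_MAX_CHARS:
            problems.append(f"{sa.name}: {label} key exceeds {KEY_MAX_CHARS} characters")
    for label, addr in (("source", sa.source), ("destination", sa.destination)):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{sa.name}: {label} address {addr!r} is not a valid IP address")
    if sa.encryption_algorithm.lower() == "null":
        # ESP with null encryption authenticates the payload but does not hide it.
        problems.append(f"{sa.name}: null encryption provides integrity only, no confidentiality")
    return problems


def check_peer_pair(local: ManualSA, remote: ManualSA) -> list[str]:
    """Check that the SA typed on both BIG-IP systems describes the same tunnel.

    With manual keying nothing is negotiated, so every attribute must agree.
    Assumption (this example's): both peers name the same two endpoint addresses,
    compared as a set so a mirrored source/destination is also accepted.
    Messages report only that a key differs, never the key material itself.
    """
    problems = validate_sa(local) + validate_sa(remote)
    if local.spi != remote.spi:
        problems.append(f"SPI differs between peers: {local.spi} vs {remote.spi}")
    if {local.source, local.destination} != {remote.source, remote.destination}:
        problems.append("tunnel endpoint addresses differ between peers")
    if local.encryption_algorithm != remote.encryption_algorithm:
        problems.append("encryption algorithm differs between peers")
    if local.auth_key != remote.auth_key:
        problems.append("authentication key differs between peers")
    if local.encryption_key != remote.encryption_key:
        problems.append("encryption key differs between peers")
    return problems


# Constructed sample definitions (documentation addresses, placeholder keys).
LOCAL_SA = ManualSA("bigip-a-sa", 4096, "192.0.2.10", "198.51.100.20",
                    "constructed-auth-key", "aes-cbc", "constructed-enc-key")
REMOTE_SA = ManualSA("bigip-b-sa", 4096, "198.51.100.20", "192.0.2.10",
                     "constructed-auth-key", "aes-cbc", "constructed-enc-key")
# A deliberately broken remote copy: SPI below the allowed range and a retyped key.
BAD_REMOTE_SA = ManualSA("bigip-b-sa", 100, "198.51.100.20", "192.0.2.10",
                         "constructed-auth-key", "aes-cbc", "constructed-enc-key-typo")

if __name__ == "__main__":
    print("matching pair:", check_peer_pair(LOCAL_SA, REMOTE_SA) or "OK")
    for problem in check_peer_pair(LOCAL_SA, BAD_REMOTE_SA):
        print("mismatch:", problem)
```

Run the script before clicking Finished on the second system: an empty list from check_peer_pair means the two definitions agree; each returned string names one field to correct.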

Creating a custom IPsec policy

You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode.

Important: You must perform this task on both BIG-IP systems.
  1. On the Main tab, click Network > IPsec > IPsec Policies.
  2. Click the Create button. The New Policy screen opens.
  3. In the Name field, type a unique name for the policy.
  4. In the Description field, type a brief description of the policy.
  5. For the IPsec Protocol setting, retain the default selection, ESP.
  6. From the Mode list, select Tunnel. The screen refreshes to show additional related settings.
  7. In the Tunnel Local Address field, type the local IP address of the system you are configuring. This table shows sample tunnel local addresses for BIG-IP A and BIG-IP B.
     System Name   Tunnel Local Address
     BIG-IP A      2.2.2.2
     BIG-IP B      3.3.3.3
  8. In the Tunnel Remote Address field, type the IP address that is remote to the system you are configuring. This address must match the Remote Address setting for the relevant IKE peer. This table shows sample tunnel remote addresses for BIG-IP A and BIG-IP B.
     System Name   Tunnel Remote Address
     BIG-IP A      3.3.3.3
     BIG-IP B      2.2.2.2
  9. For the Authentication Algorithm setting, retain the default value, or select the algorithm appropriate for your deployment.
  10. For the Encryption Algorithm setting, retain the default value, or select the algorithm appropriate for your deployment.
  11. For the Perfect Forward Secrecy setting, retain the default value, or select the option appropriate for your deployment.
  12. For the Lifetime setting, retain the default value, 1440. This is the length of time (in minutes) before the current security association expires.
  13. Click Finished. The screen refreshes and displays the new IPsec policy in the list.
  14. Repeat this task on the BIG-IP system in the remote location.

Creating a bidirectional IPsec traffic selector

The traffic selector you create filters traffic based on the IP addresses and port numbers that you specify, as well as the custom IPsec policy you assign.
Important: You must perform this task on both BIG-IP systems.
  1. On the Main tab, click Network > IPsec > Traffic Selectors.
  2. Click Create. The New Traffic Selector screen opens.
  3. In the Name field, type a unique name for the traffic selector.
  4. In the Description field, type a brief description of the traffic selector.
  5. For the Order setting, retain the default value (First). This setting specifies the order in which the traffic selector appears on the Traffic Selector List screen.
  6. From the Configuration list, select Advanced.
  7. For the Source IP Address setting, click Host or Network, and in the Address field, type an IP address. This IP address should be the host or network address from which the application traffic originates. This table shows sample source IP addresses for BIG-IP A and BIG-IP B.
     System Name   Source IP Address
     BIG-IP A      1.1.1.0/24
     BIG-IP B      4.4.4.0/24
  8. From the Source Port list, select the source port for which you want to filter traffic, or retain the default value *All Ports.
  9. For the Destination IP Address setting, click Host, and in the Address field, type an IP address. This IP address should be the final host or network address to which the application traffic is destined. This table shows sample destination IP addresses for BIG-IP A and BIG-IP B.
     System Name   Destination IP Address
     BIG-IP A      4.4.4.0/24
     BIG-IP B      1.1.1.0/24
  10. From the Destination Port list, select the destination port for which you want to filter traffic, or retain the default value * All Ports.
  11. From the Protocol list, select the protocol for which you want to filter traffic. You can select * All Protocols, TCP, UDP, ICMP, or Other. If you select Other, you must type a protocol name.
  12. From the Direction list, select Both.
  13. From the Action list, select Protect. The IPsec Policy Name setting appears.
  14. From the IPsec Policy Name list, select the name of the custom IPsec policy that you created.
  15. Click Finished. The screen refreshes and displays the new IPsec traffic selector in the list.
  16. Repeat this task on the BIG-IP system in the remote location.
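The traffic selector decides which packets the policy protects, so it is worth seeing how the Source/Destination networks, ports, Protocol, Direction and Order settings combine. The script below is an added example and not part of the F5 documentation or the BIG-IP implementation: it models two selectors for BIG-IP A using the sample addresses from the tables above (a narrow TCP/22 selector ordered first, then the catch-all 1.1.1.0/24 to 4.4.4.0/24 selector), and evaluates packets against them in list order. The meaning of Direction values other than Both ("out" and "in") and the policy names are this example's assumptions.

```python
"""Match packets against IPsec traffic selectors in the order they are listed (added example)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

ANY = None  # stands for the "* All Ports" / "* All Protocols" choices on the screen


@dataclass(frozen=True)
class TrafficSelector:
    name: str
    source: str                     # host or network, e.g. "1.1.1.0/24"
    destination: str
    source_port: Optional[int] = ANY
    destination_port: Optional[int] = ANY
    protocol: Optional[str] = ANY   # "tcp", "udp", "icmp", ... or ANY
    direction: str = "both"         # assumed values: "both", "out", "in"
    action: str = "protect"
    ipsec_policy: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    sport: int
    dport: int


def _matches_forward(sel: TrafficSelector, pkt: Packet) -> bool:
    """Selector as written: traffic from sel.source towards sel.destination."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(sel.source, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(sel.destination, strict=False):
        return False
    if sel.source_port is not ANY and sel.source_port != pkt.sport:
        return False
    if sel.destination_port is not ANY and sel.destination_port != pkt.dport:
        return False
    return sel.protocol is ANY or sel.protocol.lower() == pkt.protocol.lower()


def _reversed(sel: TrafficSelector) -> TrafficSelector:
    """The same selector seen from the other end: swap addresses and ports."""
    return replace(sel, source=sel.destination, destination=sel.source,
                   source_port=sel.destination_port, destination_port=sel.source_port)


def matches(sel: TrafficSelector, pkt: Packet) -> bool:
    """Apply the Direction setting: Both accepts the flow in either direction."""
    if sel.direction == "out":
        return _matches_forward(sel, pkt)
    if sel.direction == "in":
        return _matches_forward(_reversed(sel), pkt)
    return _matches_forward(sel, pkt) or _matches_forward(_reversed(sel), pkt)


def first_match(selectors: list[TrafficSelector], pkt: Packet) -> Optional[TrafficSelector]:
    """Return the first selector (by Order) that accepts the packet, or None."""
    for sel in selectors:
        if matches(sel, pkt):
            return sel
    return None


# Constructed selector list for BIG-IP A, using the sample networks from the tables.
SELECTORS_BIGIP_A = [
    TrafficSelector("a-to-b-ssh", "1.1.1.0/24", "4.4.4.0/24", destination_port=22,
                    protocol="tcp", ipsec_policy="ssh-tunnel-policy"),      # assumed policy name
    TrafficSelector("a-to-b-all", "1.1.1.0/24", "4.4.4.0/24",
                    ipsec_policy="custom-tunnel-policy"),                   # assumed policy name
]

if __name__ == "__main__":
    for pkt in (Packet("1.1.1.10", "4.4.4.20", "tcp", 51000, 443),
                Packet("4.4.4.20", "1.1.1.10", "tcp", 22, 51000),
                Packet("1.1.1.10", "5.5.5.5", "udp", 53, 53)):
        hit = first_match(SELECTORS_BIGIP_A, pkt)
        print(pkt, "->", f"{hit.name} ({hit.action}, {hit.ipsec_policy})" if hit else "no selector")
```

Note that the return traffic from 4.4.4.20 to 1.1.1.10 matches the same selector because Direction is Both; a packet to 5.5.5.5 matches nothing and is therefore not protected by the tunnel.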

Verifying IPsec connectivity for Tunnel mode

After you have configured an IPsec tunnel and before you configure additional functionality, you can verify that the tunnel is passing traffic.

Note: Only data traffic matching the traffic selector triggers the establishment of the tunnel.
  1. Access the tmsh command-line utility.
  2. Before sending traffic, type this command at the prompt:
       tmsh modify ipsec ike-daemon log-level info
     This command increases the logging level to display the INFO messages that you want to view.
  3. Send data traffic to the destination IP address specified in the traffic selector.
  4. Check the IKE Phase 1 negotiation status by typing this command at the prompt:
       racoonctl -l show-sa isakmp
     This example shows a result of the command. Destination is the tunnel remote IP address.
       Destination         Cookies            ST  S  V   E  Created              Phase2
       165.160.15.20.500   98993e6...22c87f1  9   I  10  M  2012-06-27 16:51:19  1

     This table shows the legend for interpreting the result.

     Column               Displayed  Description
     ST (Tunnel Status)   1          Start Phase 1 negotiation
                          2          msg 1 received
                          3          msg 1 sent
                          4          msg 2 received
                          5          msg 2 sent
                          6          msg 3 received
                          7          msg 3 sent
                          8          msg 4 received
                          9          isakmp tunnel established
                          10         isakmp tunnel expired
     S                    I          Initiator
                          R          Responder
     V (Version Number)   10         ISAKMP version 1.0
     E (Exchange Mode)    M          Main (Identity Protection)
                          A          Aggressive
     Phase2               <n>        Number of Phase 2 tunnels negotiated with this IKE peer
  5. Check the IKE Phase 2 negotiation status by typing this command at the prompt:
       racoonctl -l1 show-sa internal
     This example shows a result of this command. Source is the tunnel local IP address. Destination is the tunnel remote IP address.
       Source        Destination     Status          Side
       10.100.20.3   165.160.15.20   sa established  [R]

     This table shows the legend for interpreting the result.

     Column   Displayed
     Side     I (Initiator)
              R (Responder)
     Status   init
              start
              acquire
              getspi sent
              getspi done
              1st msg sent
              1st msg recvd
              commit bit
              sa added
              sa established
              sa expired
  6. To verify the establishment of dynamic negotiated Security Associations (SAs), type this command at the prompt:
       racoonctl -l show-sa ipsec
     For each tunnel, the output displays IP addresses and information for two IPsec SAs, one for each direction, as shown in the example.
       10.100.20.3 165.160.15.20
           esp mode=tunnel spi=2068022822(0x7b438626) reqid=26781(0x0000689d)
           E: null
           A: hmac-sha1 9669c37c 4c83c096 beeddbde ef74d61a 2acf37ef
           seq=0x00000000 replay=4 flags=0x00000000 state=mature
           created: Dec 31 16:18:01 1969   current: Jun 29 16:40:16 2012
           diff: 1341012135(s)   hard: 864000(s)   soft: 864000(s)
           last:                 hard: 0(s)        soft: 0(s)
           current: 0(bytes)     hard: 0(bytes)    soft: 0(bytes)
           allocated: 0          hard: 0           soft: 0
           sadb_seq=1 pid=21100 refcnt=512
       165.160.15.20 10.100.20.3
           esp mode=tunnel spi=1582473691(0x5e52a1db) reqid=26780(0x0000689c)
           E: null
           A: hmac-sha1 8a1b7f19 3085a5ca d0190805 18125e19 e6bda3d1
           seq=0x00000000 replay=4 flags=0x00000000 state=mature
           created: Dec 31 16:18:01 1969   current: Jun 29 16:40:16 2012
           diff: 1341012135(s)   hard: 864000(s)   soft: 864000(s)
           last:                 hard: 0(s)        soft: 0(s)
           current: 0(bytes)     hard: 0(bytes)    soft: 0(bytes)
           allocated: 0          hard: 0           soft: 0
           sadb_seq=0 pid=21100 refcnt=512
  7. Check the IPsec stats by typing this command at the prompt:
       tmsh show net ipsec-stat
     If traffic is passing through the IPsec tunnel, the stats will increment.
       -------------------------------------------------------------------
       Net::Ipsec
       Cmd Id  Mode       Packets In  Bytes In  Packets Out  Bytes Out
       -------------------------------------------------------------------
       0       TRANSPORT  0           0         0            0
       0       TRANSPORT  0           0         0            0
       0       TUNNEL     0           0         0            0
       0       TUNNEL     0           0         0            0
       1       TUNNEL     353.9K      252.4M    24.9K        1.8M
       2       TUNNEL     117.9K      41.0M     163.3K       12.4M
  8. If the SAs are established, but traffic is not passing, type these commands at the prompt:
       racoonctl flush-sa isakmp
       racoonctl flush-sa ipsec
     This action forces the system to flush the existing SAs. Sending new traffic triggers SA negotiation and establishment.
  9. View the /var/log/racoon.log to verify that the IPsec tunnel is up. These lines are examples of the messages you are looking for.
       2012-06-29 16:45:13: INFO: ISAKMP-SA established 10.100.20.3[500]-165.160.15.20[500] spi:3840191bd045fa51:673828cf6adc5c61
       2012-06-29 16:45:14: INFO: initiate new phase 2 negotiation: 10.100.20.3[500]<=>165.160.15.20[500]
       2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 165.160.15.20[0]->10.100.20.3[0] spi=2403416622(0x8f413a2e)
       2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 10.100.20.3[0]->165.160.15.20[0] spi=4573766(0x45ca46
  10. For protocol-level troubleshooting, you can increase the debug level by typing this command at the prompt:
       tmsh modify net ipsec ike-daemon ikedaemon log-level debug2
     Important: Use this command only for debugging. It creates a large log file, and can slow the tunnel negotiation.
     Note: Using this command flushes existing SAs.
  11. After you view the results, return the debug level to normal to avoid excessive logging by typing this command at the prompt:
       tmsh modify ipsec ike-daemon ikedaemon log-level info
     Note: Using this command flushes existing SAs.
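Steps 6 and 7 above are the parts of the check that do not depend on an IKE negotiation: the SA dump shows one SA per direction with its state, mode and algorithms, and the ipsec-stat counters show whether packets are actually flowing. The script below is an added example, not part of the F5 documentation or of tmsh/racoonctl: it parses both outputs (constructed samples in the same layout as the page's output, using documentation addresses and made-up SPIs and keys) and reduces them to a small pass/fail report. The rule that the tunnel is "passing traffic" when any TUNNEL row has non-zero packets in both directions, and the warning on null ESP encryption, are this example's choices.

```python
"""Turn the tunnel-verification command output into a pass/fail summary (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in the layout of `racoonctl -l show-sa ipsec` (documentation
# addresses, made-up SPIs and key material; not output from a real system).
SAMPLE_SA_DUMP = """\
192.0.2.10 198.51.100.20
\tesp mode=tunnel spi=305419896(0x12345678) reqid=1(0x00000001)
\tE: aes-cbc  00112233445566778899aabbccddeeff
\tA: hmac-sha1  0123456789abcdef0123456789abcdef01234567
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=1 pid=4242 refcnt=512
198.51.100.20 192.0.2.10
\tesp mode=tunnel spi=2427178479(0x90abcdef) reqid=2(0x00000002)
\tE: aes-cbc  ffeeddccbbaa99887766554433221100
\tA: hmac-sha1  76543210fedcba9876543210fedcba9876543210
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=0 pid=4242 refcnt=512
"""

# Constructed sample in the layout of `tmsh show net ipsec-stat`.
SAMPLE_IPSEC_STAT = """\
-------------------------------------------------------------------
Net::Ipsec
Cmd Id  Mode       Packets In  Bytes In  Packets Out  Bytes Out
-------------------------------------------------------------------
0       TRANSPORT  0           0         0            0
0       TUNNEL     0           0         0            0
1       TUNNEL     353.9K      252.4M    24.9K        1.8M
"""


@dataclass
class IpsecSA:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    encryption: str = ""
    auth: str = ""
    state: str = ""


def parse_sa_dump(text: str) -> list[IpsecSA]:
    """Parse SA records: an unindented 'src dst' line followed by indented attribute lines."""
    sas: list[IpsecSA] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # new record header
            src, dst = line.split()[:2]
            sas.append(IpsecSA(src, dst))
            continue
        if not sas:
            continue                              # attribute line before any header
        cur, body = sas[-1], line.strip()
        head = re.match(r"(\w+) mode=(\w+) spi=(\d+)\(0x[0-9a-f]+\)", body)
        if head:
            cur.proto, cur.mode, cur.spi = head[1], head[2], int(head[3])
        elif body.startswith("E: "):
            cur.encryption = body[3:].split()[0]  # algorithm name only, never the key
        elif body.startswith("A: "):
            cur.auth = body[3:].split()[0]
        elif "state=" in body:
            cur.state = re.search(r"state=(\w+)", body)[1]
    return sas


SCALE = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(token: str) -> int:
    """Convert the abbreviated counters in ipsec-stat ('353.9K', '1.8M', '0') to integers."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)", token)
    if not m:
        raise ValueError(f"unexpected counter {token!r}")
    return int(round(float(m[1]) * SCALE[m[2]]))


@dataclass
class StatRow:
    cmd_id: int
    mode: str
    packets_in: int
    bytes_in: int
    packets_out: int
    bytes_out: int


def parse_ipsec_stat(text: str) -> list[StatRow]:
    """Keep only the data rows of the ipsec-stat table (header and rules are skipped)."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(TRANSPORT|TUNNEL)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            rows.append(StatRow(int(m[1]), m[2], *(parse_count(t) for t in m.groups()[2:])))
    return rows


def tunnel_health(sa_dump: str, stat_output: str, local: str, remote: str) -> dict:
    """Summarise whether the tunnel between local and remote is up and carrying traffic."""
    sas = parse_sa_dump(sa_dump)
    outbound = [s for s in sas if (s.src, s.dst) == (local, remote)]
    inbound = [s for s in sas if (s.src, s.dst) == (remote, local)]
    warnings = []
    for sa in outbound + inbound:
        if sa.state != "mature":
            warnings.append(f"spi 0x{sa.spi:08x}: state is {sa.state!r}, not mature")
        if sa.mode != "tunnel":
            warnings.append(f"spi 0x{sa.spi:08x}: mode is {sa.mode!r}, expected tunnel")
        if sa.encryption == "null":
            warnings.append(f"spi 0x{sa.spi:08x}: ESP null encryption, payload is not confidential")
    rows = parse_ipsec_stat(stat_output)
    passing = any(r.mode == "TUNNEL" and r.packets_in > 0 and r.packets_out > 0 for r in rows)
    return {"sa_pair_complete": bool(outbound) and bool(inbound),
            "passing_traffic": passing, "warnings": warnings}


if __name__ == "__main__":
    print(tunnel_health(SAMPLE_SA_DUMP, SAMPLE_IPSEC_STAT, "192.0.2.10", "198.51.100.20"))
```

On a real system, feed the captured output of the two commands to tunnel_health with the tunnel local and remote addresses from your policy; a missing direction in the SA dump, a non-mature state, or counters that stay at zero each point at a different failure (configuration mismatch, SA not installed, or traffic not matching the selector).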