You can configure an IPsec tunnel when you want to secure traffic that traverses a wide area network (WAN) from one BIG-IP® system to another. By following this procedure, you can create an IPsec tunnel interface that can be used like any other BIG-IP VLAN. When you configure an IPsec tunnel interface, the IKE tunnel mode security associations are established automatically as part of the tunnel negotiation. The IPsec tunnel interface supports only the IPsec Encapsulating Security Protocol (ESP); IPComp is not available.
Example of an IPsec deployment
Before you begin configuring IPsec, verify that these modules, system objects, and connectivity exist on the BIG-IP® systems in both the local and remote locations:
You can create a custom IPsec policy to specify the Interface mode, which allows you to use the IPsec tunnel as a network interface object.
|System Name||Tunnel Local Address|
|System Name||Tunnel Remote Address|
|System Name||Source IP Address|
|System Name||Destination IP Address|
For example, you can type ffff:ffff:ffff:ffff:0000:0000:0000:0000 or ffff:ffff:ffff:ffff::.