Manual Chapter : Configure the BIG-IQ to manage an IPsec tunnel

Applies To:


BIG-IQ Centralized Management

  • 5.3.0

How do I start managing an IPsec tunnel?

You can use BIG-IQ® Centralized Management to manage an IPsec tunnel. To set up IPsec tunnel management, you need to:

  • Configure a data collection device.
  • Configure the BIG-IQ system to manage the IPsec tunnel.
    • Create a forwarding virtual server for IPsec.
    • Create an IKE peer.
    • Create a custom IPsec policy.
    • Create a bidirectional IPsec traffic selector.
    • Configure the IKE daemon.
    • Verify IPsec connectivity.

After you complete these initial configuration tasks, you can manage the settings that control your IPsec tunnel traffic. You can also use the BIG-IQ statistics to troubleshoot the tunnel health.

Create a forwarding virtual server for IPsec

For IPsec, you create a forwarding (IP) type of virtual server to intercept IP traffic and direct it over the tunnel. With a forwarding (IP) virtual server, destination address translation and port translation are disabled.
  1. At the top of the screen, click Configuration.
  2. Under LOCAL TRAFFIC, select Virtual Servers.
  3. Click Create.
    The New Virtual Server screen opens.
  4. For Name, type in a name for the virtual server you are creating.
  5. From Device, select the device on which to create the virtual server.
  6. For Partition, type the name of the BIG-IP® device partition on which you want to create the virtual server.
  7. For Description, type in a brief description for the virtual server you are creating.
  8. For Destination Address, type a wildcard network address in CIDR format, such as 0.0.0.0/0 for IPv4 or ::/0 for IPv6, to accept any traffic.
  9. From Service Port, select *All Ports.
  10. From Protocol, select *All Protocols.
  11. For VLANs and Tunnel Traffic, retain the default selection, All VLANs and Tunnels.
  12. Leave all other fields at their default settings.
  13. Click Save & Close.
    The system creates the new virtual server with the settings you specified.

Create an IKE peer

The IKE peer object identifies the other device that the system you are configuring communicates with during Phase 1 negotiations. The IKE peer object also specifies the algorithms and credentials to use for Phase 1 negotiation.

Important: You must configure the devices at both ends of the IPsec tunnel.
  1. At the top of the screen, click Configuration.
  2. On the left, expand NETWORK > IPsec and then click IKE Peers.
  3. Click Create.
    The New IKE Peer screen opens.
  4. For Name, type a unique name for the IKE peer.
  5. For Description, type a brief description of the IKE peer.
  6. From Device, select the hostname of the device for which you are creating the new peer.
  7. For the remainder of the fields on this screen, configure the values as you would if you were configuring an IKE peer on a BIG-IP® device.
    Note: For details on configuring an IKE peer, refer to the BIG-IP TMOS: Tunneling and IPsec documentation on support.f5.com.
  8. Click Save & Close.
    The system creates the new IKE peer with the settings you specified.

Create a custom IPsec policy

You can create a custom IPsec policy so that you can use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode. Another reason is to add payload compression before encryption.
  1. At the top of the screen, click Configuration.
  2. On the left, expand NETWORK > IPsec and then click IPsec Policies.
  3. Click Create.
    The New IPsec Policy screen opens.
  4. For Name, type a unique name for the policy.
  5. For Description, type a brief description of the policy.
  6. For the remainder of the fields on this screen, configure the values as you would if you were configuring an IPsec policy on a BIG-IP® device.
    Note: For details on configuring an IPsec security policy, refer to the BIG-IP TMOS: Tunneling and IPsec documentation on support.f5.com.
  7. Click Save & Close.
    The system creates the new security policy with the settings you specified.

Create a bidirectional IPsec traffic selector

A traffic selector filters traffic based on the IP addresses and port numbers that you specify, as well as the custom IPsec policy you assign.
Important: You must configure the devices at both ends of the IPsec tunnel.
  1. At the top of the screen, click Configuration.
  2. On the left, expand NETWORK > IPsec and then click Traffic Selectors.
  3. Click Create.
    The New Traffic Selector screen opens.
  4. For Name, type a unique name for the traffic selector.
  5. For Description, type a brief description of the traffic selector.
  6. From Device, select the hostname of the device for which you are creating the new traffic selector.
  7. For the remainder of the fields on this screen, configure the values as you would if you were configuring a traffic selector on a BIG-IP® device.
    Note: For details on configuring a traffic selector, refer to the BIG-IP TMOS: Tunneling and IPsec documentation on support.f5.com.
  8. Click Save & Close.
    The system creates the new traffic selector with the settings you specified.

Configure the IKE daemon

To complete the configuration sequence for managing an IPsec tunnel on the BIG-IQ®, you need to configure the IKE daemon.
  1. At the top of the screen, click Configuration.
  2. On the left, expand NETWORK > IPsec and then click IKE Daemon.
  3. In the Name column, select the ikedaemon link that corresponds to the host name of the BIG-IP® device from which you imported the IPsec tunnel configuration.
    The IKE daemon properties screen for that BIG-IP device opens.
  4. For External Log Publisher, select default-ipsec-log-publisher.
  5. Click the Save & Close button at the bottom of the screen.

Verify IPsec connectivity

After you have configured an IPsec tunnel and before you configure additional functionality, you can verify that the tunnel is passing traffic.

Note: Only data traffic matching the traffic selector triggers the establishment of the tunnel.
  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > IPsec and click Events.
    The IPsec Event Logs screen opens.
  3. Examine the screen, looking for event logs that relate to successful IPsec tunnel creation, to confirm IPsec connectivity.
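The procedures above leave the Phase 1, Phase 2 and selector fields to the BIG-IP documentation. As an added example that is not part of this manual, the following tmsh commands show what those values look like when the same five objects are built directly on a BIG-IP device, followed by the BIG-IP-side check that complements the BIG-IQ event log review. Object names, addresses, subnets and the pre-shared key are constructed placeholders, and the option names are given from the editor's recollection of the BIG-IP tmsh reference, so confirm them against the TMOS Tunneling and IPsec guide before use.

```tmsh
# Added example, not from the BIG-IQ manual. Names, addresses and the PSK are
# constructed; option names are assumed from the BIG-IP tmsh reference.

# 1. Forwarding (IP) virtual server: wildcard destination, all ports and
#    protocols; address and port translation are disabled by ip-forward.
create ltm virtual ipsec_forward_vs destination 0.0.0.0:any mask any ip-forward ip-protocol any

# 2. IKE peer (Phase 1). Pin IKEv2, AES-256/SHA-256, a 2048-bit DH group and
#    dead-peer detection. The remote end must be configured with matching values.
create net ipsec ike-peer remote_dc_peer \
    remote-address 203.0.113.2 \
    my-id-type address my-id-value 198.51.100.1 \
    peers-id-type address peers-id-value 203.0.113.2 \
    version add { v2 } \
    phase1-auth-method pre-shared-key preshared-key REPLACE_WITH_LONG_RANDOM_PSK \
    phase1-encrypt-algorithm aes256 phase1-hash-algorithm sha256 \
    phase1-perfect-forward-secrecy modp2048 \
    dpd-delay 30

# 3. Custom IPsec policy (Phase 2): tunnel mode instead of the transport-mode
#    default, ESP, and PFS so old traffic stays protected if an IKE key leaks.
create net ipsec ipsec-policy dc_tunnel_policy \
    mode tunnel tunnel-local-address 198.51.100.1 tunnel-remote-address 203.0.113.2 \
    protocol esp \
    ike-phase2-encrypt-algorithm aes256 ike-phase2-auth-algorithm sha256 \
    ike-phase2-perfect-forward-secrecy modp2048

# 4. Bidirectional traffic selector: only traffic between these two subnets is
#    protected; nothing else reaching the forwarding virtual server matches it.
create net ipsec traffic-selector dc_selector \
    source-address 10.10.0.0/16 destination-address 10.20.0.0/16 \
    direction both action protect ipsec-policy dc_tunnel_policy

# 5. IKE daemon: route IKE negotiation logs to the publisher BIG-IQ collects from.
modify net ipsec ike-daemon ikedaemon log-publisher default-ipsec-log-publisher

# 6. Verify on the BIG-IP after sending traffic that matches the selector:
#    a Phase 1 SA and a Phase 2 SA should both be listed.
show net ipsec ike-sa
show net ipsec ipsec-sa
```

If the Phase 2 SA is missing while the Phase 1 SA exists, compare the policy and selector values on both ends first, since a mismatch there fails silently until matching data traffic arrives.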