Manual Chapter: Encrypting Application Traffic with iSession

Overview: Encrypting application traffic with iSession

You can use either SSL or IPsec to encrypt application data traffic through a secured iSession connection, depending on how you configure WAN optimization. When you use the Quick Start screen, the BIG-IP WOM system automatically creates a virtual server for outbound traffic for every application you select, and associates an iSession profile with it.

  • If you are using IPsec, you specify IPsec encapsulation of the data traffic. After the trust relationship is established between the iSession endpoints, the data traffic is encapsulated, regardless of the application.
  • If you are using SSL, you specify data encryption on a per-application basis. When you select data encryption for an application, the system associates an iSession profile that has data encryption enabled. If you manually create an optimized application virtual server for outbound iSession traffic, ensure that you associate an iSession profile with encryption enabled.
Note: Selecting IPsec encapsulation supersedes any per-application SSL data encryption settings.

Task summary for encrypting application traffic using IPsec

Before you begin encrypting application traffic, you must secure the iSession endpoints using SSL.

After the iSession connection is secure, the easiest and quickest method of configuring application data encryption using IPsec is on the Quick Start screen.

Note: For this implementation, creating a custom policy is an optional task.

Task list

Encrypting application traffic using IPsec on the Quick Start screen

You cannot view the Quick Start screen until you have defined at least one VLAN and at least one self IP on a configured BIG-IP system that has been provisioned for WOM.
You complete this task to encrypt application traffic over an iSession connection using IPsec.
  1. On the Main tab, click WAN Optimization > Quick Start.
  2. In the IP Encapsulation area, select IPsec from the IP Encapsulation Type list.
    The screen refreshes and displays the IPSEC Policy field.
  3. From the IPSEC Policy list, select an IPsec policy. You can use the pre-defined default policy default-ipsec-policy-isession, or create a custom policy, which the system adds to the list.
  4. Click Apply.

Creating a custom IPsec policy for iSession traffic

You can create a custom IPsec policy for iSession traffic if you want settings that are different from the default values. For example, you might want to specify a different authentication algorithm or Diffie-Hellman group for IKE phase 2 negotiations.
  1. On the Main tab, click Network > IPsec > IPsec Policies.
  2. Click the Create button. The New Policy screen opens.
  3. In the Name field, type a unique name for the policy.
  4. From the Mode list, select iSession Using Tunnel.
  5. From the Authentication Algorithm list, select an algorithm. These are the possible values:
    • SHA-1
    • AES-GCM128
    • AES-GCM192
    • AES-GCM256
    • AES-GMAC128
    • AES-GMAC192
    • AES-GMAC256
  6. From the Perfect Forward Secrecy list, select a Diffie-Hellman group. These are the possible values:
    • MODP768
    • MODP1024
    • MODP1536
    • MODP2048
    • MODP3072
    • MODP4096
    • MODP6144
    • MODP8192
  7. Click Finished. The screen refreshes and displays the new IPsec policy in the list.
For a custom IPsec policy to take effect, you must apply it to the iSession endpoints. You can select it on the WOM Quick Start screen or the Local Endpoint screen. The selected policy must be the same on both endpoints of an iSession connection.
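
Because the selected policy must be the same on both endpoints, it helps to compare the settings recorded for each side before applying them. The following check is an added example, not part of the F5 manual or product: the dictionary keys reuse the labels from the New Policy screen, the sample records are constructed, and the 2048-bit minimum for the Diffie-Hellman group is an assumed local policy floor.

```python
import re

# Field names mirror the labels on the New Policy screen described above.
FIELDS = ("Mode", "Authentication Algorithm", "Perfect Forward Secrecy")

# Assumption: a local policy floor of 2048-bit MODP groups; adjust as needed.
MIN_MODP_BITS = 2048


def modp_bits(group):
    """Return the modulus size encoded in a name such as 'MODP2048'."""
    m = re.fullmatch(r"MODP(\d+)", group.strip().upper())
    if not m:
        raise ValueError(f"unrecognised Diffie-Hellman group: {group!r}")
    return int(m.group(1))


def audit_endpoints(local, remote, min_bits=MIN_MODP_BITS):
    """Compare the IPsec policy settings recorded for two iSession endpoints.

    Returns a list of findings; an empty list means the settings match
    and the Perfect Forward Secrecy group meets the floor.
    """
    findings = []
    for field in FIELDS:
        a, b = local.get(field), remote.get(field)
        missing = [s for s, v in (("local", a), ("remote", b)) if v is None]
        if missing:
            findings.append(f"{field}: missing on {' and '.join(missing)}")
        elif a.strip().upper() != b.strip().upper():
            findings.append(f"{field}: mismatch ({a} vs {b})")
    for side, policy in (("local", local), ("remote", remote)):
        group = policy.get("Perfect Forward Secrecy")
        if group and modp_bits(group) < min_bits:
            findings.append(f"{side}: {group} is below the {min_bits}-bit floor")
    return findings


# Constructed sample records, as transcribed from each endpoint's policy screen.
SITE_A = {"Mode": "iSession Using Tunnel",
          "Authentication Algorithm": "AES-GMAC128",
          "Perfect Forward Secrecy": "MODP2048"}
SITE_B = {"Mode": "iSession Using Tunnel",
          "Authentication Algorithm": "SHA-1",
          "Perfect Forward Secrecy": "MODP1024"}

if __name__ == "__main__":
    for line in audit_endpoints(SITE_A, SITE_B) or ["policies match"]:
        print(line)
```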

Encrypting application traffic using SSL on the Quick Start screen

You cannot view the Quick Start screen until you have defined at least one VLAN and at least one self IP on a configured BIG-IP system that has been provisioned for WOM.
Before you begin encrypting application traffic, you must secure the iSession endpoints using SSL.
  1. On the Main tab, click WAN Optimization > Quick Start.
  2. In the Create Optimized Applications area, for each application you want to encrypt, select the adjacent check box and from the Data Encryption list, select Enabled.
  3. Click Apply.
After the iSession connection is secure, the easiest and quickest method of configuring application data encryption using SSL is on the Quick Start screen.