When you are using IPsec to secure optimized WAN traffic, you can set up an IPsec tunnel with NAT traversal (NAT-T) to get around a firewall or other NAT device. This implementation describes how to set up the IPsec tunnel when you have a NAT device on both sides of the tunnel.
The following illustration shows a network configuration with a firewall on both sides of the WAN.
Example of an iSession and IPsec deployment with NAT-T on both sides of the WAN
Before you configure IPsec on a BIG-IP® device, make sure that you have completed the following general prerequisites.
When you are configuring an IPsec tunnel, you must repeat the configuration tasks on the BIG-IP systems on both sides of the WAN.
You can create an IPsec tunnel to securely transport application traffic across the WAN. You must configure the IPsec tunnel on the BIG-IP systems on both sides of the WAN.
When you create an IKE peer for NAT traversal (NAT-T), the key configuration detail is that the Remote Address setting is the public IP address of the firewall or other NAT device (not the IP address of the remote BIG-IP system). Also, you must turn on NAT traversal. You can customize the remaining settings to conform to your network.
Location | Remote (Peer) Address |
---|---|
Site A | 165.160.15.20 |
Site B | 203.0.113.2 |
Location | Tunnel Local Address |
---|---|
Site A | 10.100.20.3 |
Site B | 10.102.20.5 |
Location | Tunnel Remote Address |
---|---|
Site A | 165.160.15.20 |
Site B | 203.0.113.2 |
Location | Source IP Address |
---|---|
Site A | 10.100.20.50 |
Site B | 10.102.20.10 |
Location | Destination IP Address |
---|---|
Site A | 10.102.20.10 |
Site B | 10.100.20.50 |
After you have configured an IPsec tunnel and before you configure additional functionality, you can verify that the tunnel is passing traffic.
```
Destination        Cookies                ST S V  E Created             Phase2
165.160.15.20.500  98993e6 . . . 22c87f1  9  I 10 M 2012-06-27 16:51:19 1
```
This table shows the legend for interpreting the result.
Column | Displayed | Description |
---|---|---|
ST (Tunnel Status) | 1 | Start Phase 1 negotiation |
| 2 | msg 1 received |
| 3 | msg 1 sent |
| 4 | msg 2 received |
| 5 | msg 2 sent |
| 6 | msg 3 received |
| 7 | msg 3 sent |
| 8 | msg 4 received |
| 9 | isakmp tunnel established |
| 10 | isakmp tunnel expired |
S | I | Initiator |
| R | Responder |
V (Version Number) | 10 | ISAKMP version 1.0 |
E (Exchange Mode) | M | Main (Identity Protection) |
| A | Aggressive |
Phase2 | <n> | Number of Phase 2 tunnels negotiated with this IKE peer |
```
Source       Destination    Status          Side
10.100.20.3  165.160.15.20  sa established  [R]
```
This table shows the legend for interpreting the result.
Column | Displayed |
---|---|
Side | I (Initiator) |
| R (Responder) |
Status | init |
| start |
| acquire |
| getspi sent |
| getspi done |
| 1st msg sent |
| 1st msg recvd |
| commit bit |
| sa added |
| sa established |
| sa expired |
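As an added example (not F5's code and not part of this manual), the following Python parses the two status rows shown above, applies the ST, S and E legends, and reports whether the tunnel is actually up; the sample rows are constructed from the output on this page.

```python
import re
from datetime import datetime

# ST (tunnel status) and E (exchange mode) legends for the BIG-IP IKE SA listing.
IKE_STATUS = {
    1: "Start Phase 1 negotiation", 2: "msg 1 received", 3: "msg 1 sent",
    4: "msg 2 received", 5: "msg 2 sent", 6: "msg 3 received", 7: "msg 3 sent",
    8: "msg 4 received", 9: "isakmp tunnel established", 10: "isakmp tunnel expired",
}
EXCHANGE_MODE = {"M": "Main (Identity Protection)", "A": "Aggressive"}
# Constructed samples: the two status rows shown above, as copied from the BIG-IP shell.
IKE_SA_LINE = "165.160.15.20.500 98993e6...22c87f1 9 I 10 M 2012-06-27 16:51:19 1"
IPSEC_SA_LINE = "10.100.20.3 165.160.15.20 sa established [R]"
# The cookie pair may be printed as "a...b" or, after copy/paste, as "a . . . b".
IKE_RE = re.compile(
    r"^(?P<dest>\d+\.\d+\.\d+\.\d+)\.(?P<port>\d+)\s+"
    r"(?P<cookies>[0-9a-f]+(?:\s*\.\s*)+[0-9a-f]+)\s+"
    r"(?P<st>\d+)\s+(?P<side>[IR])\s+(?P<ver>\d+)\s+(?P<mode>[MA])\s+"
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<phase2>\d+)$"
)
IPSEC_RE = re.compile(r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<status>.+?)\s+\[(?P<side>[IR])\]$")

def parse_ike_sa(line):
    """Return the Phase 1 (ISAKMP) SA row as a dict with the legend applied."""
    m = IKE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised IKE SA row: %r" % line)
    d = m.groupdict()
    st = int(d["st"])
    return {
        "destination": d["dest"], "port": int(d["port"]),
        "status_code": st, "status": IKE_STATUS.get(st, "unknown"),
        "side": "Initiator" if d["side"] == "I" else "Responder",
        "version": d["ver"], "exchange_mode": EXCHANGE_MODE[d["mode"]],
        "created": datetime.strptime(d["created"], "%Y-%m-%d %H:%M:%S"),
        "phase2_tunnels": int(d["phase2"]),
    }

def parse_ipsec_sa(line):
    """Return the Phase 2 (IPsec) SA row as a dict: src, dst, status, side."""
    m = IPSEC_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised IPsec SA row: %r" % line)
    d = m.groupdict()
    d["side"] = "Initiator" if d["side"] == "I" else "Responder"
    return d

def tunnel_healthy(ike, ipsec):
    """True when Phase 1 is established (ST 9), >= 1 Phase 2 tunnel is negotiated, and Phase 2 reports 'sa established'."""
    return (ike["status_code"] == 9 and ike["phase2_tunnels"] >= 1
            and ipsec["status"] == "sa established")
```

A row with ST 10 (isakmp tunnel expired) or a Phase 2 status other than `sa established` is reported as unhealthy even though the rows still appear in the listing.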
```
IPsec::SecurityAssociations
10.100.20.3 -> 165.160.15.20 SPI(0x7b438626) in esp (tmm: 6)
165.160.15.20 -> 10.100.20.3 SPI(0x5e52a1db) out esp (tmm: 5)
```
```
IPsec::SecurityAssociations
165.160.15.20 -> 10.100.20.3
-----------------------------------------------------------------------------
tmm: 2  Direction: out; SPI: 0x6be3ff01(1810104065); ReqID: 0x9b0a(39690)
Protocol: esp; Mode: tunnel; State: mature
Authenticated Encryption : aes-gmac128
Current Usage: 307488 bytes
Hard lifetime: 94 seconds; unlimited bytes
Soft lifetime: 34 seconds; unlimited bytes
Replay window size: 64
Last use: 12/13/2012:10:42  Create: 12/13/2012:10:39
```
You can also filter by other parameters, such as SPI (spi), source address (src_addr), or destination address (dst_addr).
```
IPsec::SecurityAssociations
10.100.115.12 -> 10.100.15.132 SPI(0x2211c0a9) in esp (tmm: 0)
10.100.15.132 -> 10.100.115.12 SPI(0x932e0c44) out esp (tmm: 2)
```
```
-------------------------------------------------------------------
Net::Ipsec
Cmd Id  Mode       Packets In  Bytes In  Packets Out  Bytes Out
-------------------------------------------------------------------
0       TRANSPORT  0           0         0            0
0       TRANSPORT  0           0         0            0
0       TUNNEL     0           0         0            0
0       TUNNEL     0           0         0            0
1       TUNNEL     353.9K      252.4M    24.9K        1.8M
2       TUNNEL     117.9K      41.0M     163.3K       12.4M
```
- IKEv1: `tmsh delete net ipsec ipsec-sa`
- IKEv2: `tmsh delete net ipsec ike-sa`
```
2012-06-29 16:45:13: INFO: ISAKMP-SA established 10.100.20.3[500]-165.160.15.20[500] spi:3840191bd045fa51:673828cf6adc5c61
2012-06-29 16:45:14: INFO: initiate new phase 2 negotiation: 10.100.20.3[500]<=>165.160.15.20[500]
2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 165.160.15.20[0]->10.100.20.3[0] spi=2403416622(0x8f413a2e)
2012-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 10.100.20.3[0]->165.160.15.20[0] spi=4573766(0x45ca46
```
```
% tmsh create sys log-config publisher ipsec { destinations add { local-syslog }}
% tmsh list sys log-config publisher ipsec
sys log-config publisher ipsec {
    destinations {
        local-syslog { }
    }
}
```
Option | Description |
---|---|
LAN VLANs | Select the VLANs that receive incoming LAN traffic destined for the WAN. |
WAN VLANs | Select the VLANs that receive traffic from the WAN through an iSession™ connection. |
The following screen capture is an example of how the Quick Start screen might look.
Example of Quick Start screen settings for NAT-T