Forum Discussion

a_basharat_2591's avatar
a_basharat_2591
Icon for Nimbostratus rankNimbostratus
Jul 16, 2018

IPSec on F5-Cisco

Hi, this F5 article describes how to configure the F5 side of it on an IPSec tunnel between an F5 and a third party [Cisco ASA device]: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-4-0/19.html

 

It says that the Virtual Server will have 0.0.0.0 IP address, and listening on All ports. My question is: If I configure that on the external VLAN of my F5 where I have more VSs on that VLAN, Will not that "All-the-IPs" [0.0.0.0] gobble up any traffic coming in to the F5 from the front end? What about replies to ARP? will it not mess up any ARP request, replying with ARP saying the F5 is what other server means to be?

 

  • zeiss_63263's avatar
    zeiss_63263
    Historic F5 Account

    I don't recommend using a wildcard virtual server to handle IPsec traffic because of the security implications.

     

    It's better to create a Virtual Server that handles the specific private subnets. You might have to create a Virtual Server for each direction, otherwise traffic cannot be established in both directions unless your local and remote private networks were both in 10.0.0.0/8 for example, then in that case one VS can cover traffic being established in both directions.

     

    In the two Virtual Server scenario, one needs to listen on the internal side VLAN and the other needs to listen on the public side VLAN. In the one Virtual Server scenario, for bi-directional connection establishment, it needs to listen on both the internal and external side VLANs.

     

    Remember that the Virtual Server does not actually handle the IPsec (ISAKMP and ESP) it handles the private network traffic.

     

    • zeiss_63263's avatar
      zeiss_63263
      Historic F5 Account

      I think you understand correctly. IN literally means packets coming into the BIG-IP over the tunnel. In IP routing this should only be packets with a source IP of the ASA side and a destination IP of the BIG-IP side.

       

    • a_basharat's avatar
      a_basharat
      Icon for Nimbostratus rankNimbostratus

      Ok, still a bit iffy for me. Let me ask you with other words:

       

      • A packet from the Network hanging off the F5 to the Network hanging off the remote ASA is OUT?
      • A packet from the Network hanging off the remote Cisco to the Network hanging off the F5 is IN?

      Let me know please

       

    • zeiss_63263's avatar
      zeiss_63263
      Historic F5 Account

      In means packets arriving to (inbound) the BIG-IP. Out means packets leaving (outbound) the BIG-IP. You would also not need to write Virtual Servers to cover both directions, only the direction for which the connection is being established.