Forum Discussion

n3tw0rkn3rd_383
Feb 15, 2019

IPSec VPN - Must the tunnel local address be the self/floating IP address?

Hello everyone,


Regarding IPSec VPN (tunnel mode) setup, I have no idea whether the tunnel local address can be different from the self/floating IP address (another IP address in the same range as the self/floating IP address) or not, but I noticed this when I was working on an F5 BIG-IP system.


For example, the self and floating IP addresses are a.b.c.200/25 and a.b.c.202/25, respectively, but the tunnel local address is a.b.c.199/25.


However, when I checked the system configuration, I could not find the IP a.b.c.199/25 assigned to or associated with any interfaces/VLANs, only an ltm nat-translation, a snatpool (for the IPSec local encryption domain - private network) and a few rules for ESP/IKE packets. Additionally, I could ping this IP address from the BIG-IP system.


Answering this comically late. The tunnel local address MUST be a self IP.

You can configure a non-existent self IP as the tunnel local IP in the IPsec configuration, but the tunnel won't work properly until you configure a matching self IP.

Floating self IPs are preferred because, with mirroring, they also provide HA failover of the tunnels. For HA failover of IPsec tunnels, a floating self IP must be used and the tunnel must be IKEv2.
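A configuration sanity check that applies the rule from the answer above, written as an added example for this thread and not F5's own code or tooling. It parses a constructed, simplified bigip.conf-style snippet (the block layout and the keys `address`, `traffic-group`, `tunnel-local-address`, `tunnel-remote-address`, `remote-address` and `version` are assumptions, as are the sample addresses) and flags every tunnel-mode IPsec policy whose tunnel local address has no matching self IP, the exact situation the question describes. It also reports whether a matching self IP is floating and whether the peer is IKEv2, the combination the answer names for HA failover.

```python
import re

# Constructed sample in a simplified bigip.conf-like layout (not a real device dump).
# pol_bad uses 192.0.2.199, which is not configured as a self IP; pol_good uses the
# floating self IP 192.0.2.202 and its peer is IKEv2.
SAMPLE_CONF = """
net self /Common/self_ext {
    address 192.0.2.200/25
    traffic-group /Common/traffic-group-local-only
    vlan /Common/external
}
net self /Common/float_ext {
    address 192.0.2.202/25
    traffic-group /Common/traffic-group-1
    vlan /Common/external
}
net ipsec ipsec-policy /Common/pol_bad {
    mode tunnel
    tunnel-local-address 192.0.2.199
    tunnel-remote-address 198.51.100.1
}
net ipsec ipsec-policy /Common/pol_good {
    mode tunnel
    tunnel-local-address 192.0.2.202
    tunnel-remote-address 198.51.100.1
}
net ipsec ike-peer /Common/peer_a {
    remote-address 198.51.100.1
    version { v2 }
}
"""

# Matches one "net <kind> <name> { ... }" block; the body is captured up to the
# closing brace at the start of a line.
BLOCK_RE = re.compile(
    r"^net (self|ipsec ipsec-policy|ipsec ike-peer) (\S+) \{\n(.*?)^\}", re.M | re.S
)


def parse_blocks(conf):
    """Return {kind: {name: {attribute: value}}} for the block kinds we care about."""
    blocks = {"self": {}, "ipsec ipsec-policy": {}, "ipsec ike-peer": {}}
    for kind, name, body in BLOCK_RE.findall(conf):
        attrs = {}
        for line in body.splitlines():
            line = line.strip()
            if line:
                key, _, value = line.partition(" ")
                attrs[key] = value.strip()
        blocks[kind][name] = attrs
    return blocks


def self_ip_index(blocks):
    """Map each self IP address (prefix length dropped) to True if it is floating."""
    index = {}
    for attrs in blocks["self"].values():
        addr = attrs["address"].split("/")[0]
        # Anything not in traffic-group-local-only is treated as a floating self IP.
        tg = attrs.get("traffic-group", "")
        index[addr] = not tg.endswith("traffic-group-local-only")
    return index


def audit_tunnels(conf):
    """One finding per tunnel-mode policy: does its local address exist as a self IP,
    and is the self IP / IKE version combination HA-capable?"""
    blocks = parse_blocks(conf)
    selfs = self_ip_index(blocks)
    peers_by_remote = {a.get("remote-address"): a for a in blocks["ipsec ike-peer"].values()}
    findings = []
    for name, attrs in blocks["ipsec ipsec-policy"].items():
        if attrs.get("mode") != "tunnel":
            continue
        local = attrs.get("tunnel-local-address")
        peer = peers_by_remote.get(attrs.get("tunnel-remote-address"), {})
        ikev2 = "v2" in peer.get("version", "")
        if local not in selfs:
            status = "missing-self-ip"      # tunnel will not work until a self IP is added
        elif selfs[local] and ikev2:
            status = "ok-ha-capable"        # floating self IP + IKEv2: HA failover possible
        elif selfs[local]:
            status = "ok-floating-no-ha"    # floating self IP but IKEv1: no HA failover
        else:
            status = "ok-non-floating"      # valid, but tunnels will not fail over
        findings.append({"policy": name, "local": local, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_tunnels(SAMPLE_CONF):
        print(f"{f['policy']}: tunnel-local-address {f['local']} -> {f['status']}")
```

Running it against a real `tmsh save sys config` output would need the parser extended to the full bigip.conf grammar; here it is deliberately limited to the three block kinds the thread is about.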