Forum Discussion

Bill_Chipman_10's avatar
Bill_Chipman_10
Icon for Nimbostratus rankNimbostratus
Feb 07, 2015

Does anyone have 11.6 LTM doing IPsec with 3rd party device

We are trying to create ipSec tunnel with 3 traffic selectors on one IKE peer. The tunnel will come up, however we aren't able to get any traffic flowing over the link. Traceroute shows that the connection is trying to go over the default route, rather than into the tunnel. F5 shows that the tunnel is active and receiving packets - just not sending any. We are using a secondary floating self-ip on the external network. 10.0.0.0/8 route to internal network. Remote network is 10.0.5.0/24.

 

  • my experience with big ip for ipsec, it doesn't work properly i tried a lot with link controller to terminate and to by pass ipsec traffic nothing works, many technical cases with no progress

     

  • Haitao_Huang_17's avatar
    Haitao_Huang_17
    Historic F5 Account

    I haven't tried with other vendor yet, but if you plan to pass routing protocol through IPSec Tunnel, IPSec interface mode is needed.

     

    Traffic selector will be between IPSec interface (self IP). Other interesting traffic will flow through routing protocols instead of traffic selector.

     

    I got this working with IPSec interface, BGP, and two BIG-IP without issue.

     

  • It's an aged protocol, the wrong way of building networks. IPSec is being phased out with many clients I work with. One has a policy to not allow any IPSec implementations if both peers are not from the same vendor, on the same hardware, AND on the same software version. I think it's a great guideline to follow. Considering that 2-3 notable IPSec tunnel disruptions per week are common in x-vendor implementations, it's questionable if this protocol even has any practical use in today's production systems.

     

    • Consider a central-services site (or lease cloud), and access your important business services via HTTPS, over the internet (public IP). Consider a MPLS private leased line if you have $ to spend. Anything you save in implementation costs by going for IPSec you lose due to service disruptions and break-fix maintenance costs (recurring tunnel resets, outage investigations etc.)