Last updated on: June 16 2024.

IPsec-Policy

This page explains IPsec policy (ipsec-policy) options and lists common mistakes.

Configuration Elements

To view the ipsec-policy config in tmsh, use the tmsh list net ipsec ipsec-policy command.

Screenshot from the BIG-IP web UI.

The following table lists each setting as seen in the web UI, with the name of the corresponding tmsh parameter.

Web UI | tmsh | Neg* | Explanation
Name | | No | The name of the ipsec policy.
Partition/Path | | No | Partition that the policy is created in.
Description | description | No | User-defined description.
IPsec Protocol | protocol | Yes | Either Encapsulating Security Payload (ESP) or Authentication Header (AH). AH is rarely used and offers no encryption.
Mode | mode | No | Tunnel, Transport or Interface. Transport is rarely used.
Tunnel Local Address | tunnel-local-address | Yes | Only an option in Tunnel mode. Specifies the IP address of the local IPsec tunnel endpoint.
Tunnel Remote Address | tunnel-remote-address | Yes | Only an option in Tunnel mode. Specifies the IP address of the remote IPsec tunnel endpoint.
Authentication Algorithm | ike-phase2-auth-algorithm | Yes | Specifies a payload authentication algorithm for ESP.
Encryption Algorithm | ike-phase2-encrypt-algorithm | Yes | Specifies an encryption algorithm for ESP. Does not apply to the AH protocol.
Perfect Forward Secrecy (PFS) | ike-phase2-perfect-forward-secrecy | Yes | Diffie-Hellman group. PFS does apply in the AH protocol for the Authentication Algorithm. For IKEv2, the value configured for PFS on the ike-peer overrides the value configured here.
IPComp | ipcomp | Yes | Specifies the compression algorithm for IP compression. This is rarely used and not recommended.
Lifetime | ike-phase2-lifetime | Yes | Specifies the lifetime duration, in minutes, of dynamically negotiated security associations.
KBLifetime | ike-phase2-lifetime-kilobytes | No | Specifies the lifetime duration in kilobytes. A value of '0' means the SA will not re-key based on the number of bytes.

*Neg = Negotiated.

  • “Yes” means that SA negotiation can fail if the peers disagree.

  • “No” means not part of SA negotiation or does not cause a negotiation failure.

Common Configuration Problems

Remote endpoints can hold different views of the tunnel mode, because the mode itself is not negotiated. For example, the BIG-IP may be configured for Tunnel mode while the remote endpoint is configured for Interface mode (called "route-based" by some vendors). The tunnel will negotiate, but connectivity may be problematic.

Mismatched encryption and authentication algorithms are a common problem. The BIG-IP allows the user to configure different algorithms on the ike-peer and the ipsec-policy. Some vendors expect them to be the same.

When IKEv2 is used the PFS setting is inherited from the ike-peer config. While it is possible to configure PFS in the ipsec-policy, the ike-peer value will be used.

The Tunnel Local Address must exist as a local self IP on the BIG-IP. The self IP can be local-only or floating. The tunnel may even successfully negotiate when the specified local self IP does not exist, but the tunnel will not pass traffic because inbound ESP packets will be dropped.
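The three problems above (algorithms that differ between ike-peer and ipsec-policy, a policy PFS value that IKEv2 silently ignores in favour of the ike-peer value, and a tunnel-local-address that is not a self IP) can all be caught by reading the tmsh configuration before the peer is brought up. The script below is an added example, not F5 code: it parses text in the shape of `tmsh list` output into key/value maps and applies those checks. The sample configuration is constructed, and the ike-peer field names it reads (version, phase1-auth-algorithm, phase1-encrypt-algorithm, phase1-perfect-forward-secrecy) are assumed rather than taken from this page.

```python
"""Sanity-check a BIG-IP ipsec-policy against its ike-peer and self IPs.

Added example, not F5's code. SAMPLE is constructed text in the shape of
`tmsh list` output; the ike-peer keys used below are assumptions.
"""
import re

SAMPLE = """\
net ipsec ipsec-policy /Common/site_b_policy {
    ike-phase2-auth-algorithm sha256
    ike-phase2-encrypt-algorithm aes256
    ike-phase2-lifetime 1440
    ike-phase2-perfect-forward-secrecy modp1024
    mode tunnel
    protocol esp
    tunnel-local-address 203.0.113.10
    tunnel-remote-address 198.51.100.20
}
net ipsec ike-peer /Common/site_b_peer {
    phase1-auth-algorithm sha256
    phase1-encrypt-algorithm aes128
    phase1-perfect-forward-secrecy modp2048
    remote-address 198.51.100.20
    version { v2 }
}
net self /Common/external_self {
    address 203.0.113.11/24
    traffic-group /Common/traffic-group-local-only
    vlan /Common/external
}
"""

# "net ipsec ipsec-policy /Common/name {"  ->  kind, name
HEADER = re.compile(r"^(net(?: [\w-]+)+) (/\S+) \{$")
INLINE_LIST = re.compile(r"^(\S+) \{ (.*?) \}$")  # e.g. "version { v1 v2 }"


def parse_tmsh(text):
    """Return {(kind, name): {key: value}} for each top-level object.

    Only depth-1 'key value' lines and inline 'key { a b }' lists are kept;
    deeper nested blocks are skipped.
    """
    objects, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            m = HEADER.match(line)
            if m:
                current = objects.setdefault((m.group(1), m.group(2)), {})
                depth = 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth != 1:  # inside a nested block we do not care about
            if line.endswith("{"):
                depth += 1
            continue
        m = INLINE_LIST.match(line)
        if m:
            current[m.group(1)] = m.group(2).split()
        elif line.endswith("{"):
            depth += 1
        else:
            key, _, value = line.partition(" ")
            current[key] = value
    return objects


def check_policy(objects, policy_name, peer_name):
    """Return a list of human-readable findings for the named policy/peer."""
    policy = objects[("net ipsec ipsec-policy", policy_name)]
    peer = objects[("net ipsec ike-peer", peer_name)]
    self_ips = {o["address"].split("/")[0]
                for (kind, _), o in objects.items() if kind == "net self"}
    findings = []
    # Some vendors expect phase 1 (ike-peer) and phase 2 (policy) to agree.
    for p1, p2 in (("phase1-encrypt-algorithm", "ike-phase2-encrypt-algorithm"),
                   ("phase1-auth-algorithm", "ike-phase2-auth-algorithm")):
        if peer.get(p1) != policy.get(p2):
            findings.append(f"{p2}={policy.get(p2)} differs from ike-peer "
                            f"{p1}={peer.get(p1)}")
    # With IKEv2 the ike-peer PFS value overrides the policy value.
    pfs_policy = policy.get("ike-phase2-perfect-forward-secrecy")
    pfs_peer = peer.get("phase1-perfect-forward-secrecy")
    if "v2" in peer.get("version", []) and pfs_policy != pfs_peer:
        findings.append(f"IKEv2: policy PFS {pfs_policy} is ignored; "
                        f"ike-peer PFS {pfs_peer} will be used")
    # Tunnel mode: the local address must be a self IP or inbound ESP is dropped.
    if policy.get("mode") == "tunnel":
        local = policy.get("tunnel-local-address")
        if local not in self_ips:
            findings.append(f"tunnel-local-address {local} is not a self IP")
    if policy.get("protocol") == "ah":
        findings.append("protocol ah authenticates only; no encryption")
    return findings


if __name__ == "__main__":
    for f in check_policy(parse_tmsh(SAMPLE), "/Common/site_b_policy",
                          "/Common/site_b_peer"):
        print("WARNING:", f)
```

Run against the constructed sample it reports three findings: the encryption algorithm mismatch, the IKEv2 PFS override, and the tunnel-local-address that has no matching self IP; the authentication algorithm is the same on both objects and is not reported.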
