Last updated on: June 16 2024.

Traffic Selector

This page explains traffic selector (traffic-selector) options and lists common mistakes.

The traffic-selector defines the traffic that goes in and out of the IPsec tunnel. A traffic selector is attached to an ipsec-policy. When traffic matching the selector is seen and no tunnel exists, the BIG-IP attempts to establish an IPsec tunnel based on the attached ipsec-policy.

Each selector represents one bi-directional tunnel (two IPsec SAs).

A traffic selector defines the hosts or networks, and in rare cases the ports, that may traverse an IPsec tunnel. The View Traffic Selector page describes how to view the state of traffic selectors.

A traffic selector is a listener that catches interesting traffic and triggers a tunnel to start if it is down. If the tunnel is up, that packet can pass into IPsec.

Traffic selectors may be referred to as “TS” or just “selector” in the IPsec troubleshooting guide.

Refer also to View Traffic Selector.

Configuration Elements

To view the configuration in tmsh, use the tmsh list net ipsec traffic-selector command.

Screenshot from the BIG-IP web UI.

The following table lists each setting as seen in the web UI, with the tmsh parameter’s name.

Element | tmsh | Neg* | Explanation
Name | - | No | Name of the traffic-selector.
Partition / Path | - | No | Partition that the traffic-selector is created in.
Description | description | No | User-defined description.
Order | order | No | The order in which traffic is matched when it could match more than one traffic selector. Today this setting has no effect, because the only supported Action (below) is "Protect".
Source IP Address or CIDR | source-address | Yes | Source address of the traffic to be matched and sent through the tunnel: a host or network local to the BIG-IP.
Source Port | source-port | Yes | Normally "All Ports". Rarely specified and not recommended.
Destination IP Address or CIDR | destination-address | Yes | Destination address of the traffic to be matched and sent through the tunnel: a host or network remote to the BIG-IP.
Destination Port | destination-port | Yes | Normally "All Ports". Rarely specified and not recommended.
Protocol | ip-protocol | Yes | Select an IP protocol by name or by protocol number. Anything other than "All Protocols" may lead to problems, including negotiation failure if the peer's selector does not agree.
Direction | direction | No | Only "Both" is used here. It is a legacy setting for manual tunnels; leave it at the default.
Action | action | No | Only "Protect" is supported.
IPsec Policy Name | ipsec-policy | No | The traffic-selector must reference an existing ipsec-policy, even if that ipsec-policy has no related ike-peer created yet.

*Neg = Negotiated.

  • “Yes” means that SA negotiation can fail if the peers disagree.

  • “No” means not part of SA negotiation or does not cause a negotiation failure.

Common Configuration Problems

Check that the source and destination addresses are oriented correctly relative to the BIG-IP: Source is the local side (traffic originating from or behind the BIG-IP) and Destination is the remote side. The remote peer needs the same selector configured, with source and destination swapped.

Define only one traffic selector per tunnel; the selector is bidirectional. A common mistake is to create a second traffic selector with the networks swapped.

Ensure the Protocol, Action and Direction settings are at the defaults.

Traffic arriving at the BIG-IP through a tunnel is dropped if it does not match the traffic selector networks. IPsec "interface" mode is not yet covered in this troubleshooting guide; in interface mode, traffic-selector matching can be turned off.

Double check the selector points to the correct IPsec policy.
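The checks above can be scripted against saved tmsh output. The following is an added example, not F5 code: it parses a `tmsh list net ipsec traffic-selector` style listing (the brace layout, default values for omitted properties, and all names, addresses and policies are constructed assumptions), then flags a reversed duplicate selector on the local BIG-IP, compares the negotiated fields against the remote peer's selector with source and destination swapped, reports Protocol/Direction/Action values that are not at their defaults, and shows which packets the bidirectional selector would admit.

```python
"""Lint BIG-IP IPsec traffic selectors for the common mistakes listed above.
Added example; the listing format and all data below are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed defaults for properties that the listing omits.
DEFAULTS = {"source-port": "any", "destination-port": "any",
            "ip-protocol": "all", "direction": "both", "action": "protect"}
# Fields marked Neg = Yes in the table: a mismatch with the peer can fail SA negotiation.
NEGOTIATED = ("source-address", "destination-address",
              "source-port", "destination-port", "ip-protocol")
# How each negotiated field appears on the peer: source/destination swap, protocol does not.
PEER_FIELD = {"source-address": "destination-address", "destination-address": "source-address",
              "source-port": "destination-port", "destination-port": "source-port",
              "ip-protocol": "ip-protocol"}

@dataclass
class Selector:
    name: str
    props: dict = field(default_factory=dict)

    def network(self, key):
        return ipaddress.ip_network(self.props[key], strict=False)

    def nondefault_settings(self):
        """Protocol, Direction and Action should stay at their defaults."""
        return {k: self.props[k] for k in ("ip-protocol", "direction", "action")
                if self.props[k] != DEFAULTS[k]}

    def matches(self, src, dst, proto="all"):
        """Would a packet src -> dst use this tunnel?  The selector is bidirectional,
        so traffic returning through the tunnel matches with the sides swapped.
        Ports are left at the default and not matched here."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        proto_ok = self.props["ip-protocol"] in ("all", proto)
        local, remote = self.network("source-address"), self.network("destination-address")
        return proto_ok and ((s in local and d in remote) or (s in remote and d in local))

OBJECT_RE = re.compile(r"net ipsec traffic-selector (\S+) \{(.*?)\}", re.S)

def parse_selectors(listing):
    """Parse the (assumed) brace-style listing into Selector objects."""
    selectors = []
    for name, body in OBJECT_RE.findall(listing):
        props = dict(DEFAULTS)
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            if key:
                props[key] = value
        selectors.append(Selector(name, props))
    return selectors

def mirror_problems(local, remote):
    """Negotiated fields where the remote selector is not the local one with
    source and destination swapped."""
    return [k for k in NEGOTIATED if local.props[k] != remote.props[PEER_FIELD[k]]]

def reversed_duplicates(selectors):
    """Selector pairs on one BIG-IP that merely swap the two networks; one
    bidirectional selector already covers both directions."""
    pairs = []
    for i, a in enumerate(selectors):
        for b in selectors[i + 1:]:
            if (a.props["source-address"] == b.props["destination-address"]
                    and a.props["destination-address"] == b.props["source-address"]):
                pairs.append((a.name, b.name))
    return pairs

# Constructed listings: the local BIG-IP carries a mistaken reversed copy,
# the remote peer has a non-default protocol.
LOCAL_LISTING = """\
net ipsec traffic-selector /Common/ts_site_b {
    destination-address 10.20.0.0/16
    ipsec-policy /Common/pol_site_b
    source-address 10.10.0.0/16
}
net ipsec traffic-selector /Common/ts_site_b_reverse {
    destination-address 10.10.0.0/16
    ipsec-policy /Common/pol_site_b
    source-address 10.20.0.0/16
}
"""
REMOTE_LISTING = """\
net ipsec traffic-selector /Common/ts_site_a {
    destination-address 10.10.0.0/16
    ip-protocol tcp
    ipsec-policy /Common/pol_site_a
    source-address 10.20.0.0/16
}
"""

if __name__ == "__main__":
    local, remote = parse_selectors(LOCAL_LISTING), parse_selectors(REMOTE_LISTING)
    print("reversed duplicates:", reversed_duplicates(local))
    print("mirror problems vs peer:", mirror_problems(local[0], remote[0]))
    print("remote non-default settings:", remote[0].nondefault_settings())
    print("10.20.3.9 -> 10.10.1.5 admitted:", local[0].matches("10.20.3.9", "10.10.1.5"))
```

Run it against two saved listings (one from each peer) before opening a case; a non-empty result from `reversed_duplicates` or `mirror_problems` points at the selector, while a clean result and moving counters suggest the problem is elsewhere.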

Are the "in" and "out" counters on the selector incrementing? If so, the problem may be elsewhere, such as the Virtual Server configuration.

Refer to View Traffic Selector for information about viewing traffic selectors.
