The color of the icon in the Tunnel State or security association (SA) State column indicates the condition of the connection.
• Green indicates that the tunnel is up and running.
• Blue indicates that the SA is in the negotiating phase, before the tunnel is up.
• Yellow indicates that the SA is still valid, but will be deleted soon.
• Red indicates that the tunnel is down.
Figure 20: Example of IPsec Stat Details tab diagnostics
Figure 21: Example of IPsec Security Association Details tab diagnostics
112
Index
A
ARP entries
  populating manually for virtual network segments 19
authentication algorithms
  negotiating 45, 57, 71
B
BIG-IP monitor type 37
C
certificates, See x509 certificates
cloud
  about connectivity in 15
config sync
  about behavior with NVGRE tunnels in HA pair 30
  disabling for tunnels 26
configuration synchronization
  syncing to group 38
connections
  and VM migration 33
  dropping 38, 43
  preserving 34
custom IPsec policies 68
D
DAG tunnel
  specifying a port number 24
default IPsec policies 47, 61, 68
destination IP addresses
  for traffic selectors 43, 49, 61, 69, 76, 87, 92, 102
diagnostics
  example for IPsec tunnel 111
  for IPsec tunnels 111
E
encapsulation
  creating tunnels for 10, 12
encryption algorithms
  negotiating 45, 57, 71
encryption contents 45, 72, 84
EtherIP configuration results 38, 43
EtherIP profile type
  and self IP addresses 35, 40
  purpose of 35, 40
EtherIP protocol 33
EtherIP tunneling 34
EtherIP tunnels
  and IPsec 39
  and self IP addresses 35, 40
  defined 33
  purpose of 35, 40
F
FDB entries
  populating manually for virtual network segments 19
forwarding virtual servers
  creating for IPsec 47, 59, 68, 73, 84, 92, 102
H
high availability
  and tunnels 26
  and VXLAN 26
HNV routing domain
  configuring per-subnet tunnels for 31
Hyper-V
  about NVGRE tunnel representation for 30
I
IKE (Internet Key Exchange)
  defined 45, 57, 71
IKE peers
  defined 46, 58, 72
  for data exchange 45, 57, 71
IKE Phase 1
  configuring 50, 59, 73
interfaces
  tagging 34, 39
Internet Key Exchange, See IKE (Internet Key Exchange)
IPComp
  about 46, 58
IP header encryption 45, 57, 72, 84
IPsec configuration result 55, 66, 81
IPsec configurations
  prerequisites for 91, 101
IPsec diagnostics
  examples of statistics displayed 111
IPsec IKE peers
  creating 50, 59, 73
  creating for NAT-T 92, 102
IPsec interface tunnel
  creating 70
  overview 67
IPsec policies
  creating 47, 61, 68, 75, 85
  creating for EtherIP traffic 42
  creating for NAT-T 92, 102
  defined 46, 58, 72
IPsec profiles
  customizing 69
IPsec protocol
  about diagnostics for 111
  and EtherIP tunnels 39
  and prerequisites for configuring 67
  diagnosing tunnel issues 111
  prerequisites for configuring 46, 58, 72, 84
  purpose of 46, 58, 72, 84
IPsec protocol suite
  components of 46, 58, 72
  described 45, 57, 71, 83
IPsec security associations
  creating manually 86
IPsec traffic selectors
  creating 49, 61, 69, 76
  creating for EtherIP traffic 43
  creating for manually keyed security associations 87
  creating for NAT-T 92, 102
  defined 46, 58, 72
  viewing diagnostics for 111
IPsec Transport mode, See Transport mode
IPsec tunnel
  creating for NAT-T 92, 102
  verifying connectivity 51, 77, 88, 95, 106
IPsec Tunnel mode, See Tunnel mode
IP tunneling
  about 9
  about transparent 13
  creating point-to-point 10
  creating transparent 13
ISAKMP-SA security association 45, 57, 71
iSession
  and IPsec with NAT-T 91, 101
L
L2 location records
  populating manually 19
live migration
  and existing connections 34
  of virtual machines 33
local pool members
  load balancing to 33
M
MAC addresses
  adding to virtual network forwarding table 19
  removing from virtual network forwarding table 19
MAC frames
  and tunneling 33
manual security associations
  creating IPsec policies for 85
monitors
  for EtherIP tunneling 37
N
NAT traversal
  and IPsec 101
  using IPsec 91, 101
negotiation of security associations 45, 57, 71
network virtualization
  about tunneling types for 18
  centralized vs. decentralized model 17
  configuring BIG-IP system as gateway 15
  creating tunnels for 16
network virtualization tunnels
  considerations for configuring 19
NVGRE
  about configuration in an HA pair 30
  about configuring for HA pair 29
  about tunnel representation for Hyper-V 30
  about using BIG-IP system as gateway for 31
  configuration example using tmsh 20
  configuring for BIG-IP system as gateway 31
  configuring tunnel for HA pair 30
  defined 17
O
overlay networks
  about using NVGRE for 30
  and VXLAN tunnels 25
  bridging traffic to physical network 25
  using VXLAN 23
OVSDB management component
  about configuring VXLAN tunnels with 26
  setting up 27
P
packet encryption 45, 72, 84
payload encryption 45, 57, 72, 84
Phase 1 negotiation
  and IKE protocol 45, 57, 71, 83
  defined 45, 57, 71
Phase 2 negotiation
  defined 45, 57, 71
point-to-point tunnels
  about 9
  creating 10
  example 12
policies
  defined for IPsec 46, 58, 72
pool members
  as virtual machines 33
prerequisites
  for configuring IPsec 91, 101
profiles
  customizing for IPsec tunnel interface 69
  for EtherIP tunneling 35, 40
R
remote pool members
  load balancing to 33
routes
  and tunnels 11
S
SAs (security associations)
  creating IPsec policies for 85
  creating manually 86
secure channels
  about establishing 83
  establishing 45, 57, 67, 71, 91, 101
security associations
  creating IPsec policies for 85
  creating manually 86
  negotiating 45, 57, 71
self IP addresses
  and VLAN groups 37, 42
  and VLANs 36, 41
  creating 36, 41
  creating for IP tunnels 11, 70
  creating for IPv4 VLAN group 37, 42
source ports
  and traffic selectors 49, 61, 76, 87
SSL protocol
  alternative to 45, 57, 67, 71, 83
T
traffic groups
  and tunnels 14
traffic selectors
  creating 49, 61, 69, 76
  creating for EtherIP traffic 43
  creating for manually keyed security associations 87
  defined 46, 58, 72
  See also IPsec traffic selectors
Transparent Ethernet Bridging
  described 17
transparent tunnels
  about 13
  creating 13
Transport mode
  security implications of 57
  verifying connectivity 63
Tunnel mode
  defined 45, 72, 84
  verifying connectivity 51, 77, 88, 95, 106
tunnel protocols
  listing supported 9
tunnels
  about 9
  about BIG-IP to multiple devices 12
  about point-to-point 9
  about static configuration for network virtualization 19
  about transparent 13
  about types used for network virtualization 18
  adding routes for 11
  and config sync behavior 14
  and HA configurations 14
  and self IP addresses 11, 70
  and traffic group setting 14
  configuring for network virtualization 15–16
  configuring inbound-only for NVGRE gateway 31
  configuring per subnet for HNV routing domain 31
  creating between BIG-IP and unknown device 12
  creating for VXLAN 25
  creating IPsec interface type 70
  creating point-to-point 10
  creating transparent 13
  example of diagnostics for IPsec 111
  example of point-to-point 12
  specifying IPsec traffic selector 69
  viewing statistics for 22
V
Virtual eXtended LAN, See VXLAN
virtualized networks
  about tunneling types for 18
  configuring BIG-IP system as gateway for 15
  configuring on BIG-IP system 16
  terminology defined 16
Virtual Location monitors
  creating 37
  defined 33, 37
virtual machines
  and pool members 33
  migrating 34
virtual servers
  listening on VXLAN VNI command example 22
  See also forwarding virtual servers
VLAN groups
  and self IP addresses 37, 42
  creating for EtherIP tunnels 35, 40
  creating for VXLAN 25
VLANs
  and self IP addresses 36, 41
  creating 34, 39
  modifying for DAG tunnel 25
  tagged interfaces for 34, 39
VMware vMotion 33
VTEP entries
  adding to virtual network forwarding table 19
VXLAN
  about 23
  about configuring BIG-IP system as gateway 23
  adding virtual server command example 22
  and high availability 26
  bridging with L2 VLAN network 23
  configuration example using tmsh 21
  considerations for configuring 24
  creating tunnels for 25
  creating VLAN groups for 25
  multicast mode defined 17
  prerequisites for configuring 24
  terminology defined 16
  unicast mode defined 17
W
WAN traversal
  about using IPsec 83
  using IPsec 45, 57, 67, 71
wide area networks
  and live migration 33
X
x509 certificates
  and IKE peers 50, 59, 73