f5-declarative-onboarding
RFE - IPsec tunnels
This is a request for enhancement (RFE).
REQUEST
Allow onboarding to create IPsec tunnels in both tunnel mode and interface mode.
BACKGROUND
A lot of customers already automate IPsec configuration setup, but they currently have to use either a bespoke iApp or scripted methods like Ansible.
TECHNICAL DETAILS
The following config objects need to be configured to set up an IPsec tunnel.
In tunnel mode:
- net ipsec ike-peer
- net ipsec ipsec-policy
- net ipsec traffic-selector
- net route # optional, a default route is normally enough
- ltm virtual # This can be done with AS3
In interface mode:
- net ipsec ike-peer
- net ipsec ipsec-policy # mode interface
- net ipsec traffic-selector # Only one
- net tunnels ipsec
- net tunnels tunnel # Connected to "net tunnels ipsec" profile
- net self
- net route # mandatory - points to tunnel object
- ltm virtual # This can be done with AS3
EXAMPLE CONFIG
In these examples, the Virtual Server is omitted because that should be a function of AS3.
Tunnel Mode
net ipsec ike-peer ike-7-0-8-1 {
    dpd-delay 0
    phase1-auth-method pre-shared-key
    phase1-encrypt-algorithm 3des
    phase1-hash-algorithm sha1
    preshared-key-encrypted <secret>
    remote-address 172.16.8.1
    version { v1 }
}
net ipsec ipsec-policy ipsec-7-0-8-1 {
    ike-phase2-auth-algorithm sha1
    ike-phase2-encrypt-algorithm 3des
    ike-phase2-perfect-forward-secrecy modp1024
    mode tunnel
    tunnel-local-address 172.16.7.1
    tunnel-remote-address 172.16.8.1
}
net ipsec traffic-selector selector-7-0-8-1-1 {
    destination-address 10.8.1.1/32
    ipsec-policy ipsec-7-0-8-1
    source-address 10.7.1.1/32
}
net ipsec traffic-selector selector-7-0-8-1-2 {
    destination-address 10.8.1.2/32
    ipsec-policy ipsec-7-0-8-1
    source-address 10.7.1.2/32
}
net route route-7-0-8-1 {
    gw 172.16.8.1
    network 10.8.1.0/24
}
Interface Mode
net ipsec ike-peer ike-1-0-2-2 {
    dpd-delay 0
    my-id-value <arbitrary local IP>
    peers-id-value <arbitrary remote IP>
    phase1-auth-method pre-shared-key
    phase1-encrypt-algorithm 3des
    phase1-hash-algorithm sha256
    preshared-key-encrypted <secretkey>
    prf sha256
    remote-address <remote peer IP>
    version { v1 }
}
net ipsec ipsec-policy ipsec-1-0-2-2 {
    ike-phase2-auth-algorithm sha256
    ike-phase2-encrypt-algorithm aes256
    ike-phase2-perfect-forward-secrecy modp1024
    mode interface
}
net ipsec traffic-selector selector-1-0-2-2-0 {
    destination-address 10.2.2.0/24
    ipsec-policy ipsec-1-0-2-2
    source-address 10.1.2.0/24
}
net tunnels ipsec ipsec_interface {
    defaults-from ipsec
    traffic-selector selector-1-0-2-2-0
}
net tunnels tunnel ipsec_tunnel {
    local-address <local external facing self IP>
    profile ipsec_interface
    remote-address <remote peer IP>
}
net self ipsec_int_self {
    address <arbitrary local IP>/<mask>
    allow-service {
        tcp:bgp # It is possible to do BGP over the tunnel
    }
    traffic-group traffic-group-local-only
    vlan ipsec_tunnel
}
net route to-remote-peer {
    gw <my gateway IP>
    network <peer remote IP>/32
}
net route to-remote-private {
    interface /Common/ipsec_tunnel
    network 10.2.2.0/24
}
SPECIAL NOTES
- In IKE version 2, traffic-selectors are attached to the ike-peer and the ipsec-policy.
- In interface mode, only one traffic-selector can be attached to the ipsec-policy.
- In interface mode, a route that points to the "net tunnels tunnel" object is mandatory.
- The ike-peer can use certificate authentication, but pre-shared keys serve the clear majority of use-cases.
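Until onboarding can create these objects itself, the rules above (one traffic-selector per interface-mode policy, a `net tunnels ipsec` profile carrying that selector, a `net route` pointing at the `net tunnels tunnel`) are easy to get wrong by hand. The script below is an added example, not code from this RFE, from Declarative Onboarding or from F5: it parses `tmsh list`-style stanzas like the ones in the EXAMPLE CONFIG section and checks them against those rules. It also flags algorithm choices that are deprecated today; that list is general guidance from the editor (NIST SP 800-131A rev. 2 for 3DES/SHA-1, RFC 9395 for IKEv1), not something the RFE states. The sample config is constructed on the RFE's interface-mode skeleton with TEST-NET addresses and a placeholder in place of the encrypted pre-shared key.

```python
"""Offline lint for BIG-IP tmsh IPsec stanzas (added example, not part of the RFE or of DO)."""
from collections import defaultdict

# Flagged for review (editor's general guidance, not from the RFE): 3DES, DES, MD5 and SHA-1
# are deprecated or disallowed by NIST SP 800-131A rev. 2; MODP groups under 2048 bits are too small.
WEAK = {"3des": "3DES", "des": "DES", "md5": "MD5", "sha1": "SHA-1", "modp768": "768-bit DH", "modp1024": "1024-bit DH"}


def parse_tmsh(text):
    """Parse `tmsh list`-style text into {(object type, name): attrs}; `key { a b }` becomes a list."""
    objects, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):                     # object header or nested multi-line block
            head, node = line[:-1].split(), {}
            if stack:
                stack[-1][head[0]] = node
            else:                                    # e.g. "net ipsec ike-peer NAME {"
                objects[(" ".join(head[:-1]), head[-1])] = node
            stack.append(node)
        elif line.endswith("}"):                     # inline block, e.g. "version { v1 }"
            key, _, inner = line.partition("{")
            stack[-1][key.strip()] = inner.rstrip("}").split()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    return objects


def lint_ipsec(objects):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    def of(kind):                                     # objects of one tmsh type, keyed by name
        return {n: a for (k, n), a in objects.items() if k == kind}

    def flag_weak(label, attrs, keys):
        for key in keys:
            value = attrs.get(key)
            if isinstance(value, str) and value in WEAK:
                findings.append(f"{label}: {key} {value} ({WEAK[value]} should be replaced)")

    for name, peer in of("net ipsec ike-peer").items():
        flag_weak(f"ike-peer {name}", peer, ("phase1-encrypt-algorithm", "phase1-hash-algorithm", "prf"))
        if "v1" in peer.get("version", []):           # IKEv1 is deprecated by RFC 9395
            findings.append(f"ike-peer {name}: IKEv1 is deprecated (RFC 9395), prefer version v2")

    selectors_of = defaultdict(list)                  # policy name -> selectors that reference it
    for name, sel in of("net ipsec traffic-selector").items():
        selectors_of[sel.get("ipsec-policy")].append(name)
    profiles, tunnels, routes = of("net tunnels ipsec"), of("net tunnels tunnel"), of("net route")

    for name, pol in of("net ipsec ipsec-policy").items():
        flag_weak(f"ipsec-policy {name}", pol, ("ike-phase2-encrypt-algorithm", "ike-phase2-auth-algorithm",
                                                 "ike-phase2-perfect-forward-secrecy"))
        sels = selectors_of.get(name, [])
        if pol.get("mode") != "interface":
            continue                                  # tunnel mode: several selectors allowed, route optional
        if len(sels) != 1:                            # RFE: exactly one selector in interface mode
            findings.append(f"ipsec-policy {name}: interface mode allows one traffic-selector, found {len(sels)}")
        prof_names = [p for p, a in profiles.items() if a.get("traffic-selector") in sels]
        tun_names = [t for t, a in tunnels.items() if a.get("profile") in prof_names]
        if not tun_names:
            findings.append(f"ipsec-policy {name}: no 'net tunnels tunnel' uses a 'net tunnels ipsec' profile on its selector")
        elif not any(str(r.get("interface", "")).rsplit("/", 1)[-1] in tun_names for r in routes.values()):
            findings.append(f"ipsec-policy {name}: interface mode requires a 'net route' whose interface is one of {tun_names}")
    return findings


# Constructed interface-mode config on the RFE's skeleton (TEST-NET addresses, a placeholder for
# the encrypted PSK, and the RFE's sha1 / modp1024 / IKEv1 choices kept so the lint has something to say).
SAMPLE_INTERFACE = """
net ipsec ike-peer ike-constructed {
    phase1-hash-algorithm sha1
    preshared-key-encrypted $M$PLACEHOLDER
    remote-address 198.51.100.1
    version { v1 }
}
net ipsec ipsec-policy policy-constructed {
    ike-phase2-perfect-forward-secrecy modp1024
    mode interface
}
net ipsec traffic-selector selector-constructed {
    ipsec-policy policy-constructed
    source-address 10.1.2.0/24
}
net tunnels ipsec ipsec_interface {
    traffic-selector selector-constructed
}
net tunnels tunnel ipsec_tunnel {
    profile ipsec_interface
}
net route to-remote-private {
    interface /Common/ipsec_tunnel   # mandatory in interface mode
    network 10.2.2.0/24
}
"""
```

Run `lint_ipsec(parse_tmsh(text))` over the output of `tmsh list net ipsec`, `tmsh list net tunnels` and `tmsh list net route` concatenated; on the constructed sample it reports the SHA-1 hash, the IKEv1 version and the 1024-bit DH group, and nothing structural. Removing the `interface` line from the route, or attaching a second traffic-selector to the interface-mode policy, produces the corresponding structural finding.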
Oh dear, GitHub trimmed out all the triangle bracket parameters I added in the IPsec Interface example section...
Thank you for the thorough RFE. I fixed the formatting problem with the angle brackets, and I am reviewing this RFE for inclusion into our backlog.
I have added this to our internal product backlog as AUTOTOOL-1684.
Hi @dstokesf5 - was this feature ever implemented? This would be extremely useful to manage through DO.
@csiggydev It looks like AUTOTOOL-1684 is still floating around the backlog and is not currently planned for any release. Please reach out to @mdditt2000 and @sunitharonan if you wish to discuss prioritizing this feature request.