Netskope IPSec with F5 BIG-IP Local Traffic Manager

Netskope supports Internet Protocol Security (IPSec) tunnels as a traffic steering method. IPSec tunnels allow you to route web traffic (port 80 and 443) to Netskope using logical tunnel interfaces that terminate to a Netskope IPSec gateway. When you create IPSec tunnels in the Netskope UI, Netskope provides parameters for configuring the tunnels on your firewall. 

This guide illustrates how to configure IPSec tunnels between Netskope and the F5 BIG-IP system running version 15.1.10.2 and using the 2-Arm deployment mode. To learn more about the CLI steps in F5 BIG-IP TMOS, see the F5 Documentation.

Following is an overview of the F5 BIG-IP Local Traffic Manager (LTM):

  • VLAN

    • external (interface 1.1/untagged)

    • internal (interface 1.2/untagged)

  • Subnet/Self IPs

    • external: 10.0.10.245/24

    • internal: 10.0.20.245/24

  • Routes: default (0.0.0.0/0): 10.0.10.1

Prerequisites

Before configuring IPSec, review the Netskope guidelines. On the F5 BIG-IP LTM:

  • Ensure F5 BIG-IP has the routes to reach the Netskope POPs.

  • Ensure UDP ports 500 (IKE) and 4500 (NAT-T) are allowed on the firewall.

  • Depending on your architecture, you might have to create a Forwarding IP Virtual Server on F5 BIG-IP LTM to receive the traffic from the internal segment.

Creating IPSec Tunnels in Netskope

To create the IPSec tunnels for the F5 BIG-IP system in the Netskope UI:

  1. Go to Settings > Security Cloud Platform > IPSec.
  2. Click Add New Tunnel.
  3. In the Add New IPSec Tunnel window:
    • Tunnel Name: Enter a name for the IPSec tunnel.
    • Source IP Address: (Optional) Enter the source peer IP address (i.e., exit public IP) of the F5 firewall that Netskope will receive packets from. Netskope identifies traffic belonging to your organization through your router or firewall IP addresses.
    • Source Identity: Enter an IP address, a fully-qualified domain name (FQDN), or an ID in email address format. For example, 1.1.1.1 or sourcelocation@company.com. The router or firewall uses the source identity for authentication during Internet Key Exchange (IKE).
    • Primary Netskope POP: Select the primary Netskope point of presence (POP) closest to you, and copy the IPSec Gateway IP address. You need this information to establish the primary IPSec tunnel on your F5 firewall. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.

      Note

      FedRAMP High POPs are different from those shown here. Your FedRAMP High tenant will show the available POPs.

    • Failover Netskope POP: Select the backup Netskope POP closest to you, and copy the IPSec Gateway IP address. You need this information to establish the backup IPSec tunnel on your F5 firewall. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.
    • Pre-Shared Key (PSK): Enter the pre-shared key that both sides of the tunnel will use to authenticate one another. The PSK must be unique for each tunnel.
    • Encryption Cipher: Select an encryption algorithm for the IPSec tunnel.
    • Maximum Bandwidth: Enter the maximum bandwidth for the IPSec tunnel. The tunnel size can be up to 1 Gbps. To enable the 1 Gbps option, contact your Sales Representative.
    • Advanced Settings: Click to view the following options.
      • Rekey: Select to rekey SAs when they expire. Netskope recommends using the default setting.
      • Reauthentication: Select to create new IKE and IPSec SAs when they expire. Netskope recommends using the default setting.
      • Trust X-Forwarded-For Header: Select to trust IP addresses contained in the X-Forwarded-For (XFF) HTTP header at the tunnel level. If you trust XFF at the tenant level, you can’t select this option.
        • Apply to all traffic: Use the XFF HTTP header to identify all user traffic going through the IPSec tunnel.
        • Apply to specific NAT/proxy IP(s): Use the XFF HTTP header to identify traffic from specific NAT and proxy IP addresses going through the IPSec tunnel. Click +Add Another to add multiple IP addresses.
    The Add New IPSec Tunnel window configured for F5 firewall.
  4. Click Add.

Creating the Traffic Selector in F5 BIG-IP LTM

  1. Go to Network > IPsec > Traffic Selector > Create.

  2. Enter a name for the traffic selector.

  3. In Configuration:

    • Source IP Address or CIDR: Enter the source. This can be any IP address or subnet. In this example, it’s 10.0.20.0/24.

    • Source Port: (Optional) Enter any source ports.

    • Destination IP Address or CIDR: Enter the destination. This can be any IP address or subnet. In this example, it’s any (0.0.0.0/0).

    • Destination Port: (Optional) Enter any destination ports. If you want to send only the web traffic to Netskope, you can set the destination port as 80 and then create another traffic selector with the destination port set to 443.

    • Protocol: Choose the protocols you want to send through the IPSec tunnel. In this example, it’s All Protocols. If you want to send only web traffic to Netskope, choose TCP.

    • Direction: Choose Both.

    • Action: Use the default option.

    • IPsec Policy Name: Click the + sign to create an IPSec policy. See the next section for the steps.
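The two selector variants described above (one "All Protocols" selector, or two TCP selectors for ports 80 and 443) decide which flows from the internal segment enter the tunnel. The following is an added example, not F5 or Netskope code, that models a BIG-IP traffic selector with only the fields the procedure sets and shows, for a few constructed flows, which selector claims each one. It assumes the selector direction is Both and only evaluates the outbound (internal to Internet) direction; the 203.0.113.x addresses are documentation placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class TrafficSelector:
    """One BIG-IP traffic selector reduced to the fields the procedure sets."""
    name: str
    source: str                     # Source IP Address or CIDR
    destination: str                # Destination IP Address or CIDR
    protocol: str = "all"           # "all", "tcp" or "udp"
    dst_port: Optional[int] = None  # None means any destination port
    src_port: Optional[int] = None  # None means any source port

    def matches(self, src_ip, dst_ip, protocol, dst_port, src_port=None):
        if ip_address(src_ip) not in ip_network(self.source, strict=False):
            return False
        if ip_address(dst_ip) not in ip_network(self.destination, strict=False):
            return False
        if self.protocol != "all" and self.protocol != protocol.lower():
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.src_port is not None and self.src_port != src_port:
            return False
        return True


def steering_decision(selectors, **flow):
    """Return the name of the first selector that claims the flow, or None if it bypasses the tunnel."""
    for sel in selectors:
        if sel.matches(**flow):
            return sel.name
    return None


# Variant 1 from the procedure: one selector, all protocols, internal subnet to anywhere.
ALL_TRAFFIC = [TrafficSelector("ts-all", "10.0.20.0/24", "0.0.0.0/0")]

# Variant 2 from the procedure: two selectors that send only TCP 80 and 443 into the tunnel.
WEB_ONLY = [
    TrafficSelector("ts-http", "10.0.20.0/24", "0.0.0.0/0", protocol="tcp", dst_port=80),
    TrafficSelector("ts-https", "10.0.20.0/24", "0.0.0.0/0", protocol="tcp", dst_port=443),
]

# Constructed sample flows: an internal host on the 10.0.20.0/24 VLAN and one host on the
# external VLAN, talking to documentation-range (203.0.113.0/24) destinations.
SAMPLE_FLOWS = {
    "https":      dict(src_ip="10.0.20.15", dst_ip="203.0.113.80", protocol="tcp", dst_port=443),
    "dns":        dict(src_ip="10.0.20.15", dst_ip="203.0.113.53", protocol="udp", dst_port=53),
    "ssh":        dict(src_ip="10.0.20.15", dst_ip="203.0.113.22", protocol="tcp", dst_port=22),
    "other-vlan": dict(src_ip="10.0.10.77", dst_ip="203.0.113.80", protocol="tcp", dst_port=443),
}


def summarize(selectors):
    """Map each sample flow to the selector that steers it (None = stays outside the tunnel)."""
    return {name: steering_decision(selectors, **flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, sels in (("all protocols", ALL_TRAFFIC), ("web only", WEB_ONLY)):
        print(label, summarize(sels))
```

With the single "All Protocols" selector, DNS and SSH from the internal subnet enter the tunnel alongside HTTPS; with the two TCP selectors only the web flows do, and traffic sourced from the external VLAN never matches either variant.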

Creating the IPSec Policy

  1. Enter a name for the IPSec policy.

  2. In Configuration:

    • IPsec Protocol: Choose ESP.

    • Mode: Choose Tunnel.

    • Tunnel Local Address: Enter the self IP address from which the IPSec tunnel will be created. Usually, it’s an RFC 1918 IP address; however, if a public IP is assigned as the self IP, then it’s the public IP.

    • Tunnel Remote Address: Enter the IPSec Gateway IP address of the primary Netskope POP you copied in the Netskope UI.

  3. In IKE Phase 2, configure the parameters below. For the list of IPSec parameters Netskope supports, see IPSec.

    • Authentication Algorithm: Choose SHA-256.

    • Encryption Algorithm: Choose AES-256.

    • Perfect Forward Secrecy: Choose NONE.

    • IPComp: Choose NONE.

    • Lifetime: Enter 1440 minutes.

    • KBLifetime: Enter 0 kilobytes.

  4. Click Save.

  5. On the Traffic Selector page, for the IPsec Policy Name, choose the IPSec policy you just created.

  6. Click Save.

Creating the IKE Peer


  1. Go to Network > IPsec > IKE Peers > Create.

  2. Enter a name for the IKE Peer.

  3. In General Properties:

    • Remote Address: Enter the IPSec Gateway IP address of the primary Netskope POP you copied in the Netskope UI.

    • State: Choose Enabled.

    • Version: Choose Version 2.

  4. In IKE Phase 1 Algorithms, configure the parameters below. For the list of IPSec parameters Netskope supports, see IPSec.

    • Authentication Algorithm: Choose SHA-256.

    • Encryption Algorithm: Choose AES256.

    • Pseudo-Random Function v2 only: Choose SHA-256.

    • Perfect Forward Secrecy: Netskope doesn’t support PFS in IKE Phase 1.

    • Lifetime: Enter 1440 minutes.

  5. In IKE Phase 2 Credentials:

    • Authentication Method: Choose Preshared Key.

    • Preshared Key: Enter the same pre-shared key you entered in the Netskope UI.

    • Verified Preshared Key: Re-enter the pre-shared key.

  6. In Common Settings:

    • Traffic Selector: Choose the traffic selector you created above.

    • NAT Traversal: Choose On.

    • Passive: Leave unselected.

    • Presented ID Type: Choose Address.

    • Presented ID: Choose Override.

    • Presented ID Value: Enter the public IP address from which F5 BIG-IP connects to Netskope. This must be the NATed public IP, not the self IP.

    • Verified ID Type: Choose Address.

    • Verified ID: Choose Override.

    • Verified ID Value: Enter the IPSec Gateway IP address of the primary Netskope POP you copied in the Netskope UI.

    • Proxy Support: Choose Enabled.

    • DPD Delay: Enter 30 seconds.

    • Replay Window Size: Enter 64 packets.

  7. Click Save.

Verifying the IPSec Tunnel Status

On Netskope:

On the F5 BIG-IP LTM:

Troubleshooting

To troubleshoot on Netskope:

  • Contact Netskope Support to check the Sumo Logs to see if there are any errors when the IKE Phase 1 request hits Netskope.

  • Review the recorded session referred to in the related article.

To troubleshoot on the F5 BIG-IP LTM:

  • Go to Network > IPsec > IKE Daemon > Set Log Level to Debug2. Logs will be in the /var/log/racoon.log file.

  • Generate traffic that matches the traffic selector. Run tcpdump to check if the traffic generated from the client to Netskope is hitting F5.

  • Wait a couple of minutes. If the tunnel isn’t up, the tmipsecd daemon might need a restart:

    # tmsh restart /sys service tmipsecd

  • Verify that the Tunnel Local Address and Tunnel Remote Address in the IPsec Policy are correct.

  • Verify that the Presented ID Value and Verified ID Value in the IKE Peer are correct.

  • Check if the cipher suites in IPsec Policy and IKE Peers configuration are the same as the ones in the Netskope UI.
