Netskope IPSec with F5 BIG-IP Local Traffic Manager
Netskope supports Internet Protocol Security (IPSec) tunnels as a traffic steering method. IPSec tunnels allow you to route web traffic (port 80 and 443) to Netskope using logical tunnel interfaces that terminate to a Netskope IPSec gateway. When you create IPSec tunnels in the Netskope UI, Netskope provides parameters for configuring the tunnels on your firewall.
This guide illustrates how to configure IPSec tunnels between Netskope and the F5 BIG-IP system running version 15.1.10.2 and using the 2-Arm deployment mode. To learn more about the CLI steps in F5 BIG-IP TMOS, see the F5 Documentation.
Following is an overview of the F5 BIG-IP Local Traffic Manager (LTM) used in this example:
- VLANs
  - external (interface 1.1/untagged)
  - internal (interface 1.2/untagged)
- Subnets/Self IPs
  - external: 10.0.10.245/24
  - internal: 10.0.20.245/24
- Routes: default (0.0.0.0/0) via 10.0.10.1

Prerequisites
Before configuring IPSec, review the Netskope guidelines. On the F5 BIG-IP LTM:
- Ensure F5 BIG-IP has routes to reach the Netskope POPs.
- Ensure UDP ports 500 (IKE) and 4500 (NAT-T) are allowed on the firewall.
- Depending on your architecture, you might have to create a Forwarding IP virtual server on the F5 BIG-IP LTM to receive the traffic from the internal segment.
Creating IPSec Tunnels in Netskope
To create the IPSec VPN tunnels for the F5 BIG-IP system in the Netskope UI, see Creating an IPSec Site.
Creating the Traffic Selector in F5 BIG-IP LTM
- Go to Network > IPsec > Traffic Selector > Create.
- Enter a name for the traffic selector.
- In Configuration:
  - Source IP Address or CIDR: Enter the source. This can be any IP address or subnet. In this example, it's 10.0.20.0/24.
  - Source Port: (Optional) Enter any source ports.
  - Destination IP Address or CIDR: Enter the destination. This can be any IP address or subnet. In this example, it's any (0.0.0.0/0).
  - Destination Port: (Optional) Enter any destination ports. If you want to send only web traffic to Netskope, set the destination port to 80 and then create a second traffic selector with the destination port set to 443.
  - Protocol: Choose the protocols you want to send through the IPSec tunnel. In this example, it's All Protocols. If you want to send only web traffic to Netskope, choose TCP.
  - Direction: Choose Both.
  - Action: Use the default option.
  - IPsec Policy Name: Click the + sign to create an IPSec policy. See the next section for the steps.
Creating the IPSec Policy
- Enter a name for the IPSec policy.
- In Configuration:
  - IPsec Protocol: Choose ESP.
  - Mode: Choose Tunnel.
  - Tunnel Local Address: Enter the self IP address from which the IPSec tunnel will be created. Usually this is an RFC 1918 address; if a public IP is assigned as the self IP, enter that public IP.
  - Tunnel Remote Address: Enter the IPSec Gateway IP address of the primary Netskope POP that you copied from the Netskope UI.
- In IKE Phase 2, configure the parameters below. To see a list of the Netskope supported IPSec parameters, see IPSec.
- Click Save.
- On the Traffic Selector page, for IPsec Policy Name, choose the IPSec policy you just created.
- Click Save.
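The two selector designs described above (one All Protocols selector versus one TCP/80 selector plus one TCP/443 selector) decide which flows from the internal subnet are protected by the tunnel and which bypass it. The following Python model is an added example, not code from the Netskope or F5 documentation: it reproduces the selector fields from the steps above (source CIDR, destination CIDR, protocol, destination port) and evaluates constructed sample flows against both designs. The first-match-wins ordering, the selector names, and the 203.0.113.x destinations are assumptions chosen for illustration.

```python
"""Added example: model of how the F5 traffic selectors above steer flows.
Not part of the Netskope/F5 guide; first-match ordering is an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TrafficSelector:
    name: str
    source: str                              # IP or CIDR, e.g. "10.0.20.0/24"
    destination: str                         # IP or CIDR; "0.0.0.0/0" means any
    protocol: Optional[str] = None           # "tcp", "udp", ...; None = All Protocols
    destination_port: Optional[int] = None   # None = any destination port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        """True when the flow falls inside this selector's source, destination,
        protocol and destination-port constraints."""
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.source, strict=False):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination, strict=False):
            return False
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.destination_port is not None and self.destination_port != dport:
            return False
        return True


def steered_to_netskope(selectors, src, dst, proto, dport) -> Optional[str]:
    """Return the name of the first selector that protects the flow, or None
    when the flow bypasses the tunnel (assumed first-match semantics)."""
    for ts in selectors:
        if ts.matches(src, dst, proto, dport):
            return ts.name
    return None


# Design 1 from the guide: one selector, All Protocols, any destination.
ALL_TRAFFIC = [TrafficSelector("ts_all", "10.0.20.0/24", "0.0.0.0/0")]

# Design 2 from the guide: web traffic only, one selector per destination port.
WEB_ONLY = [
    TrafficSelector("ts_http", "10.0.20.0/24", "0.0.0.0/0", "tcp", 80),
    TrafficSelector("ts_https", "10.0.20.0/24", "0.0.0.0/0", "tcp", 443),
]

# Constructed sample flows (src, dst, proto, dport). 10.0.20.x is the internal
# VLAN from the guide; 203.0.113.x destinations are documentation-range placeholders.
SAMPLE_FLOWS = [
    ("10.0.20.50", "203.0.113.10", "tcp", 443),  # HTTPS from an internal client
    ("10.0.20.50", "203.0.113.10", "tcp", 80),   # HTTP
    ("10.0.20.50", "203.0.113.53", "udp", 53),   # DNS
    ("10.0.20.50", "203.0.113.22", "tcp", 22),   # SSH
    ("10.0.10.7", "203.0.113.10", "tcp", 443),   # external-VLAN host, outside the source CIDR
]


def classify(selectors):
    """Map every sample flow to the selector that steers it (or None)."""
    return {(s, d, p, port): steered_to_netskope(selectors, s, d, p, port)
            for s, d, p, port in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, sel in (("All Protocols", ALL_TRAFFIC), ("TCP 80 + 443 only", WEB_ONLY)):
        print(f"--- {label} ---")
        for flow, hit in classify(sel).items():
            verdict = f"tunnel via {hit}" if hit else "bypass (not selected)"
            print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {verdict}")
```

Running it shows the practical difference: with the single All Protocols selector, DNS and SSH from 10.0.20.0/24 are also carried into the tunnel, whereas the two-selector design sends only TCP/80 and TCP/443 to Netskope and leaves everything else on the normal default route. Traffic from a host outside the source CIDR (10.0.10.7) is never selected in either design.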
Creating the IKE Peer
- Go to Network > IPsec > IKE Peers > Create.
- Enter a name for the IKE Peer.
- In General Properties:
  - Remote Address: Enter the IPSec Gateway IP address of the primary Netskope POP that you copied from the Netskope UI.
  - State: Choose Enabled.
  - Version: Choose Version 2.
- In IKE Phase 1 Algorithms, configure the parameters below. To see a list of the Netskope supported IPSec parameters, see IPSec.
  - Authentication Algorithm: Choose SHA-256.
  - Encryption Algorithm: Choose AES256.
  - Pseudo-Random Function (v2 only): Choose SHA-256.
  - Perfect Forward Secrecy: Netskope doesn't support PFS in IKE Phase 1.
  - Lifetime: Enter 1440 minutes.
- In IKE Phase 2 Credentials:
- In Common Settings:
  - Traffic Selector: Choose the traffic selector you created above.
  - NAT Traversal: Choose On.
  - Passive: Leave unselected.
  - Presented ID Type: Choose Address.
  - Presented ID: Choose Override.
  - Presented ID Value: Enter the public IP address from which F5 BIG-IP connects to Netskope. This must be the NATted public IP, not the private self IP.
  - Verified ID Type: Choose Address.
  - Verified ID: Choose Override.
  - Verified ID Value: Enter the IPSec Gateway IP address of the primary Netskope POP that you copied from the Netskope UI.
  - Proxy Support: Choose Enabled.
  - DPD Delay: Enter 30 seconds.
  - Replay Window Size: Enter 64 packets.
- Click Save.
Verifying the IPSec Tunnel Status
On Netskope:


On the F5 BIG-IP LTM:

Troubleshooting
To troubleshoot on Netskope:
- Contact Netskope Support to check the Sumo logs for errors when the IKE Phase 1 request reaches Netskope.
- Review the recorded session referred to in the related article.
To troubleshoot on the F5 BIG-IP LTM:
- Go to Network > IPsec > IKE Daemon and set Log Level to Debug2. Logs are written to the /var/log/racoon.log file.
- Generate traffic that matches the traffic selector. Run tcpdump to check whether the traffic generated from the client to Netskope is reaching F5.
- Wait a couple of minutes. If the tunnel isn't up, the tmipsecd daemon might need a restart:
  # tmsh restart /sys service tmipsecd
- Verify that the Tunnel Local Address and Tunnel Remote Address in the IPsec Policy are correct.
- Verify that the Presented ID Value and Verified ID Value in the IPsec Policy are correct.
- Check that the cipher suites in the IPsec Policy and IKE Peer configuration are the same as the ones shown in the Netskope UI.
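The last three troubleshooting items, together with the IKE Peer settings in the section above, amount to a consistency check between three things: the IPsec Policy, the IKE Peer, and the values shown in the Netskope UI. The Python below is an added example, not code from the Netskope or F5 documentation; it encodes those checks so the comparison can be run before opening a support case. The dictionary keys are the guide's UI labels in snake_case, `site_source_ip` is an assumed name for the public IP the Netskope IPSec site was created with, and the 192.0.2.20 (NAT public IP) and 198.51.100.10 (Netskope gateway) values are constructed documentation-range placeholders that you would replace with the values from your own Netskope UI.

```python
"""Added example: consistency check over the IPsec Policy, IKE Peer and
Netskope UI values the guide tells you to compare. Not part of the guide;
field names and sample addresses are assumptions/placeholders."""
import ipaddress

# IKE Phase 1 and common settings the guide lists as what Netskope expects.
NETSKOPE_EXPECTED = {
    "version": 2,
    "phase1_auth": "SHA-256",
    "phase1_encryption": "AES256",
    "phase1_prf": "SHA-256",
    "phase1_pfs": False,              # Netskope does not support PFS in Phase 1
    "phase1_lifetime_minutes": 1440,
    "nat_traversal": True,
    "dpd_delay_seconds": 30,
    "replay_window_packets": 64,
}


def check_tunnel_config(ipsec_policy: dict, ike_peer: dict, netskope_site: dict) -> list:
    """Return human-readable findings; an empty list means every check passes."""
    findings = []
    gw = netskope_site["gateway_ip"]          # IPSec Gateway IP copied from the Netskope UI
    nat_ip = netskope_site["site_source_ip"]  # public IP the Netskope site expects (assumed name)

    # Tunnel addresses: the policy's remote end and the peer's remote address
    # must both be the Netskope gateway; the verified ID must match it too.
    if ipsec_policy["tunnel_remote_address"] != gw:
        findings.append(f"IPsec Policy: Tunnel Remote Address {ipsec_policy['tunnel_remote_address']} "
                        f"does not match the Netskope gateway IP {gw}")
    if ike_peer["remote_address"] != gw:
        findings.append(f"IKE Peer: Remote Address {ike_peer['remote_address']} "
                        f"does not match the Netskope gateway IP {gw}")
    if ike_peer["verified_id_value"] != gw:
        findings.append(f"IKE Peer: Verified ID Value {ike_peer['verified_id_value']} "
                        f"does not match the Netskope gateway IP {gw}")

    # Presented ID: must be the NATted public IP, a common mistake is the self IP.
    presented = ike_peer["presented_id_value"]
    if presented != nat_ip:
        findings.append(f"IKE Peer: Presented ID Value {presented} does not match the public IP "
                        f"the Netskope site was created with ({nat_ip})")
        if ipaddress.ip_address(presented).is_private:
            findings.append("IKE Peer: Presented ID Value is an RFC 1918 address; "
                            "use the NATted public IP, not the self IP")

    # Cipher suite and timer comparison against the values from the Netskope UI.
    for key, expected in NETSKOPE_EXPECTED.items():
        actual = ike_peer.get(key)
        if actual != expected:
            findings.append(f"IKE Peer: {key} is {actual!r}, Netskope expects {expected!r}")
    return findings


# Constructed sample data (documentation-range addresses, not real endpoints).
NETSKOPE_SITE = {"gateway_ip": "198.51.100.10", "site_source_ip": "192.0.2.20"}

GOOD_POLICY = {
    "protocol": "ESP", "mode": "Tunnel",
    "tunnel_local_address": "10.0.10.245",      # external self IP from the guide
    "tunnel_remote_address": "198.51.100.10",
}
GOOD_PEER = {
    "remote_address": "198.51.100.10", "version": 2,
    "phase1_auth": "SHA-256", "phase1_encryption": "AES256", "phase1_prf": "SHA-256",
    "phase1_pfs": False, "phase1_lifetime_minutes": 1440, "nat_traversal": True,
    "presented_id_value": "192.0.2.20", "verified_id_value": "198.51.100.10",
    "dpd_delay_seconds": 30, "replay_window_packets": 64,
}
# Three frequent mistakes in one peer: self IP as Presented ID, PFS enabled,
# and the lifetime entered in seconds rather than minutes.
BAD_PEER = dict(GOOD_PEER, presented_id_value="10.0.10.245",
                phase1_pfs=True, phase1_lifetime_minutes=86400)


if __name__ == "__main__":
    for label, peer in (("good", GOOD_PEER), ("bad", BAD_PEER)):
        print(f"--- {label} peer ---")
        for finding in check_tunnel_config(GOOD_POLICY, peer, NETSKOPE_SITE) or ["OK"]:
            print(finding)
```

The check deliberately reports the NATted-IP problem twice, once as a plain mismatch and once with the specific hint, because a Presented ID that equals the private self IP is the case the guide calls out explicitly and is the one most often overlooked when the BIG-IP sits behind a NAT device.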