Create External Connectors

Published June 5, 2025 | Last modified November 14, 2025

Objective

The External Connector on the Customer Edge (CE) allows standard IPSec connectivity to third-party devices such as routers and firewalls.

Note that IPSec supports both Tunnel Mode and Transport Mode. In Tunnel Mode, the entire inner IP packet, including both its IP header and payload, is encrypted and encapsulated within a new outer IP packet. In Transport Mode, only the payload of the inner packet is encrypted, while the original IP header remains intact and unencrypted. Currently, only Tunnel Mode is supported.

The figure below shows the topology with a 3-node CE site, where each node within the site has a tunnel towards the router, bringing a total of 3 IPSec tunnels from the site to the external device. Note that the number of nodes that terminate the tunnel is configurable. For example, you can have a 3-node site where only 2 nodes terminate the IPSec tunnel from the router.

Figure: 3 Node CE Site

Figure: 3 Node CE Site

Prerequisites

  • F5 Distributed Cloud Services account. If you do not have an account, see Getting Started with Console.

  • This is a CE only feature and has been verified to work with Mesh persona (not App Stack) for Orchestrated Sites (AWS VPC Site, AWS TGW Site, Azure VNET, GCP Site) in addition to manually deployed SMSv1 sites and SMSv2 sites.

  • You must run CE version ??? or greater.

High Level Configuration Steps

To configure an external connector successfully, it's crucial to understand that setting up an IPSec connection between the CE and the external device requires coordinated configuration on both ends. Specifically, the encryption, authentication, and key management algorithms must be compatible to ensure a successful tunnel establishment.

At a high level, the 3 configuration steps on the CE to configure an external connector to a 3rd Party device are as follows:

  1. Configure IKE Phase 1 Profile or use an existing profile. There is a default profile to simplify the configuration steps while still providing the highest security standards.

  2. Configure IKE Phase 2 Profile or use an existing profile. There is a default profile to simplify the configuration steps while still providing the highest security standards.

  3. Configure the External Connector whereby at a high level you will:

    • Attach the IKE Phase 1 & Phase 2 Profiles

    • Specify the remote peer address for the CE to know its peer

    • Choose the nodes & underlay interfaces that will be part of this connection

    • Configure Tunnel Addresses

    • Pre-shared Keys for IKE Authentication

Configuration

Create an External Connector

The external connector configuration will instantiate the IPSec tunnel(s) towards the peer device. As discussed in the Objective section, for a 3-node site, tunnels can originate from one, two, or all three nodes towards the external router.

Step 1: Configure IKE Phase 1 Profile.

  • Log into Console.

  • Select the Multi-Cloud Network Connect workspace.

Figure: Console Homepage

Figure: Console Homepage

  • Select Manage > Networking > IKE Profiles
Figure: IKE Profiles Page

Figure: IKE Profiles Page

  • Select the Phase 1 tab.

  • Select Add Phase 1 Profile.

Figure: IKE Phase 1 Profile Configuration

Figure: IKE Phase 1 Profile Configuration

  • In the Name field, enter the name for the phase 1 profile that provides ome relevance to its usage. Note that you can have a single profile across multiple connections.

  • Optionally add labels and enter a description.

  • Select one or more encryption algorithms (the default is AES256_GCM) using the Configure Encryption Algorithms drop-down menu.

    Note: This is an AEAD Algorithm (Authenticated Encryption with Associated Data) that combines encryption and authentication in one step, ensuring data confidentiality and integrity. If you select an AEAD algorithm, you shouldn't choose an authentication algorithm.

    Note: If you select a CBC (Cipher Block Chaining) encryption algorithm, you will need to select an authentication algorithm. Choosing more algorithms will help you find a Least Common Denominator (LCD) between the CE and the one or many peers it connects to.

  • Select one or more authentication algorithms (the default is No Authentication) using the Authentication Algorithms drop-down menu.

    Note: If you selected an AEAD algorithm, you can only choose No Authentication. Choosing more algorithms will help you find a Least Common Denominator (LCD) between the CE and the one or many peers it connects to.

  • Select one or more pseudo-random functions (the default is PRFSHA512) using the PseudoRandomFunction drop-down menu.

    Note: Your selection(s) will be used in IPSec to generate cryptographic keys from input data, such as a shared secret or session parameters. It ensures that the output keys are unpredictable and secure, providing the necessary keying material for encryption and authentication in the VPN. Choosing more algorithms will help you find a Least Common Denominator (LCD) between the CE and the one or many peers it connects to.

  • Select one or more Diffie-Hellman groups (the default is PRFSHA512) using the Diffie Hellman Groups drop-down menu.

    Note: Diffie-Hellman groups refer to predefined sets of parameters used in the Diffie-Hellman key exchange to determine the strength and security of the shared secret generated between two parties during key exchange. The default selection is Group 19. Choosing more algorithms will help you find a Least Common Denominator (LCD) between the CE and the one or many peers it connects to.

  • Select a key lifetime duration from the Key LifeTime drop-down menu (the default is Default (4 Hours)). This specifies the amount of time before the IKE Security Association needs to be renegotiated. If you select Minutes or Hours, then also enter the number of minutes or hours for the duration.

  • Select a timeout duration using the IKE Reauthentication drop-down menu. This is the amount of time for IKE peers to re-authenticate with one another. If you select Days or Hours, then also enter the number of days or hours for the duration.

  • Select Add Phase 1 Profile.

Step 2: Configure IKE Phase 2 Profile.

  • Select the Phase 2 tab.

  • Select Add Phase 2 Profile on the IKE Profiles page.

Figure: IKE Phase 2 Profile Configuration

Figure: IKE Phase 2 Profile Configuration

  • In the Name field, enter the name for the phase 2 profile that provides ome relevance to its usage. Note that you can have a single profile across multiple connections.

  • Optionally add labels and enter a description.

  • Select one or more encryption algorithms (the default is AES256_GCM) using the Configure Encryption Algorithms drop-down menu.

Note: This is an AEAD Algorithm (Authenticated Encryption with Associated Data) that combines encryption and authentication in one step, ensuring data confidentiality and integrity. If you select an AEAD algorithm, you shouldn't choose an authentication algorithm.

Note: If you select a CBC (Cipher Block Chaining) encryption algorithm, you will need to select an authentication algorithm. Choosing more algorithms will help you find a Least Common Denominator (LCD) between the CE and the one or many peers it connects to.

  • Select one or more authentication algorithms (the default is No Authentication) using the Authentication Algorithms drop-down menu.

Note: If you selected an AEAD algorithm, you can only choose No Authentication. Choosing more algorithms will help you find a Least Common Denominator (LCD) between the CE and the one or many peers it connects to.

  • Select Enable or Disable from the Perfect Forward Secrecy (PFS) drop-down menu. Enabling PFS ensures that the encryption keys used in a session are not derived from the Diffie-Hellman (DH) process that happened in phase 1. If enabled, choose the appropriate DH Group(s) (the default is DH Group 19).

Note: PFS often requires an additional Diffie-Hellman (DH) exchange during Phase 2 of the IKE process. Choosing more algorithms will help you find a Least Common Denominator (LCD) between the CE and the one or many peers it connects to.

  • Select a key lifetime duration from the Key LifeTime drop-down menu (the default is Default (4 Hours)). This specifies the amount of time before the IKE Security Association needs to be renegotiated. If you select Minutes or Hours, then also enter the number of minutes or hours for the duration.

  • Select Add Phase 1 Profile.

Step 3: Configure the External Connector
  • Select Manage > Networking > External Connectors.
Figure: External Connectors

Figure: External Connectors

  • Select Add External Connector.
Figure: External Connectors - Metadata

Figure: External Connectors - Metadata

  • Enter a name for the external connector that is relevant, as it describes a connection to a third party. For instance, if the remote peer device depicts branch 1 and we are connecting from ce-1, we can call it ce-1-branch-1-connection. The objective is to be able to identify from the name the exact usage of this external connector.

  • Optionally add labels and a description for more context.

  • Select a CE site from the CE Site Reference drop-down menu that is to connect to the external CE. Only one site can be selected.

  • In the Connection Details section, select the type of tunnel you want to create for your external connector.

  • Select IPsec from the Connection Type drop-down menu. An IPsec (Internet Protocol Security) tunnel is a secure connection between two endpoints over an untrusted network, such as the internet. IPsec is a suite of protocols designed to provide secure, encrypted communication at the network layer. It ensures that data transmitted between the endpoints remains private, authenticated, and integrity protected.

Figure: External Connectors - Details

Figure: External Connectors - Details

  • IKE Parameters section:

    • Select the profile you create in step 1 from the IKE Phase 1 Profile drop-down menu.

    • Select the profile you create in step 2 from the IKE Phase 2 Profile drop-down menu.

    • Select Initiator or Responder in the Mode drop-down menu. Initiator simply means that the CE will actively try to initiate connectivity to bring up the tunnel, whereas Responder means that the CE is in a waiting state and will only reply to connection attempts from the remote peer.

    • Select Enable or Disable in the Dead Peer Detection (DPD) drop-down menu. DPD is a method to determine if the IPSec peer is still active and responsive. If you enable DPD, then enter a value in the Keepalive Timer field. The keepalive timer specifies the frequency of the keep alive messages being sent (the default is 3 seconds).

    • Local IKE ID: By default, this will be set to IP address of the interface that is used to source the tunnel, and this should suffice for most cases. There are some corner scenarios that involve NAT where using the default option will not work, and it will be best to resort to a hostname. The only requirement for Local IKE ID is that the peer should set the remote IKE ID to be identical to it.

    • Remote IKE ID: By default, this will be set to IP address provided under the Remote Gateway IP address, and this should suffice for most cases. There are some corner scenarios that involve NAT where using the default option will not work, and it will be best to resort to a hostname. The only requirement for the remote IKE ID is that the peer should set its local IKE ID to be identical to it.

  • Tunnel Parameters section:

    Figure: External Connectors - Tunnel Parameters

    Figure: External Connectors - Tunnel Parameters

    • In the Remote Gateway IP Address section, enter the reachable IP address for the remote gateway. For instance, if the remote gateway is reachable over the public internet with a public address, then the remote Gateway IP Address would be the public address.

    • In the Tunnel Endpoint section, configure the participating CE nodes that will be part of this connection:

      • Select Add Item.

        Figure: External Connectors - Tunnel Parameters

        Figure: External Connectors - Tunnel Parameters

      • Select a Node for this endpoint that will be part of this external connection.

      • Select an Interface for the node selected above.

      • Enter both the local and remote tunnel IP addresses with their prefixes.

      • Select Apply to save this node to the list of tunnel endpoints.

      • If you want the tunnel to be sourced from multiple nodes, then select Add Item in the Tunnel Endpoint section and repeat this process for each of the remaining nodes.

    • Enter your Pre-Shared Key (PSK) in the Pre-Shared Key field. This PSK must match across the CE and the 3rd party device for proper establishment of the IPSec tunnel.

    • In the MTU (B) field, enter the maximum size (in bytes) of the packet that can be sent through the tunnel without the need to be fragmented.

    • Use the Segment/Network drop-down menu to select Site Local Network (Outside), Site Local Network (Inside), or Segment. If you select Segment, then also select a segment from the Segment drop-down menu.

      Note: The tunnel as an interface can be placed in one of the local networks: Site Local Outside and Site Local Inside or as part of the configured segments. For configured segments, the underlying interface of the tunnel (tunnel source) can’t be in a segment.

  • Select Add External Connector to save your external connector.

Monitor an External Connector

There are two ways to monitor an external connector. The first way is to check the status of the external connector through its tunnels and/or its BGP Peers.

View an external connector's status.

  • Log into Console and select the Multi-Cloud Network Connect workspace.

  • Navigate to Manage > Networking > External Connectors to see a list of your external connectors.

  • Select the name of an external connector in the list to open up a side panel showing the status of the connection per node.

Figure: Monitor an External Connector

Figure: Monitor an External Connector

Note: A site can have 3 nodes, and one, two, or all 3 nodes can be tunnel endpoints i.e. participating in the connection towards the remote device. Assuming that the tunnels are sourced from all 3 nodes, the side panel will show the individual status of the individual connections from each of the nodes within the site to the 3rd party device, and each of those can be Up/Down.

In addition, if you are using BGP, the second tab on the side panel will show the BGP peering status in the same manner from each of the 3 nodes.

The second way is to monitor the connectivity on the site.

Monitor external connector on site.

  • Log into Console and select the Multi-Cloud Network Connect workspace.

  • Navigate to Overview > Infrastructure > Sites to see a dashboard for all your sites.

  • In the Sites table at the bottom, select the name of your site (optionally, enter a portion of the site name in the Search field to help find your site in the table). This will bring up the dashboard for your site.

  • Scroll to the bottom of the page to see the Connectivity table and select the External tab to see all the external connections from the particular CE.

Figure: Monitor an External Connector

Figure: Monitor an External Connector

  • The Connection status can be one of three values: Up, Down, or Partially Up, where some but not all the connections from the nodes are up. Clicking on the connection status will show the state of the tunnels from each node.

  • Select the connection name to display the metrics of the connection in terms of the In throughput, Out Throughput, In Drop Rate and Out Drop Rate.

Configure Routing

With the IPSec tunnel up and verified, you need to ensure end-to-end connectivity between the workloads behind 3rd party device and the workloads behind the CE depicted as Virtual Machines (VMs) in the diagram below. The diagram below has been simplified to focus primarily on the tunnel interfaces by removing the underlying details.

Note that in the diagram below, the IPSec tunnel terminates on Node-1 and Node-3.

For end-to-end routing in the diagram below, we need to ensure that--

  1. The CE site across its nodes knows how to reach 172.16.2.0/24 (Subnet behind the 3rd party router) via the tunnel, and

  2. The Router knows how to reach 172.16.1.0/24 (Subnet behind CE site) via the tunnel.

This is possible either via BGP as the routing protocol of choice or via Static Routing. The diagram below shows BGP being used as the routing protocol.

Figure: External Connector Routing

Figure: External Connector Routing

Delete an External Connector

Perform the following steps to create a Cloud Connect:

Step 1: Navigate to the Cloud Connects page.
  • Log into Console and select the Multi-Cloud Network Connect workspace.
Figure: Console Homepage

Figure: Console Homepage

  • Select Manage > Networking > External Connectors.
Step 2: Delete a Cloud Connect.

  • Check the checkbox next to all external connectors you want to delete. Then select Delete Selected above the list.

    Figure: Delete an External Connector

    Figure: Delete an External Connector

  • Alternatively, select ... > Delete in the Actions column for the External Connector you want to delete.

    Figure: Delete an External Connector

    Figure: Delete an External Connector

  • Select Delete in the confirmation pop-up window.

Delete an IKE Profile

Step 1: Navigate to the IKE Profiles page.

  • Log into Console.

  • Click Multi-Cloud Network Connect.

Figure: Console Homepage

Figure: Console Homepage

  • Select Manage > Networking > IKE Profiles
Figure: IKE Profiles Page

Figure: IKE Profiles Page

Step 2: Delete a profile.

  • Select the Phase 1 or Phase 2 tab.

  • Check the checkbox for the profile you wish to delete. You may select more than one profile to delete.

Note: You can narrow your search for profiles by entering a string in the Search field at the top right of the table. The table will then only show lines that include what you entered.

Figure: Delete IKE Profiles

Figure: Delete IKE Profiles

  • Select Delete selected.

Limitations

Concepts

API References

On this page: