Tunneling

Objective
Prerequisites
Create a Tunnel
Concepts
API References

Objective

This guide provides instructions on how to configure a tunnel for your site. F5® Distributed Cloud Services support the IPsec tunnel type with Pre-Shared Key (PSK).

Tunnel configuration allows you to specify parameters for configuring static tunnels. Configuration involves specification of encapsulation and related parameters to be used for this tunnel's Payload traffic.

Prerequisites

F5 Distributed Cloud Account is required.

Note: In case you do not have an account, see Create an Account.

One or more registered sites in the enterprise tenant.

Note: If you do not have a registered site, see How-to Create a Site.

Create a Tunnel

Perform the following steps to create a tunnel in F5 Distributed Cloud Console :

Step 1: Navigate to the tunnels page and start creating a tunnel.

From the Home screen, click Cloud and Edge Sites under All Services.
In the Manage section of the configuration menu, select Networking from the options pane and then Tunnels to see a list of existing tunnels. Then click Add Tunnel.

Figure: Tunnel metadata
In the Metadata section,
- Enter a unique name for the tunnel.
- Optionally, set labels and description, as necessary.
In the Tunnel Type section, select a tunnel type. Currently only IPSEC with PSK is supported.

Step 2: Configure the Local IP Address selector.

In the Type dropdown, choose between Local Interface and Local IP Address Type.

Local Interface: In the Local Interface dropdown, select a network interface.

Figure: Tunnel metadata
Local IP Address Type: In the second Type dropdown, choose between Local IP Address Type and Auto IP:

Figure: Tunnel metadata
- Local IP Address Type:
  - Select either IPv4 or IPv6 for the address version, and then enter the corresponding IP address into the address field.
  - Select a local virtual network from the dropdown.
- Auto IP: Select a local virtual network from the dropdown.

Step 3: Configure the Remote IP Address selector.

In the Type dropdown, choose between Remote IP address and Remote Endpoints.

Remote IP Address: Select either IPv4 or IPv6 for the address version, and then enter the corresponding IP address into the address field.

Figure: Tunnel metadata
Remote Endpoints: Use the Add Item button to add remote endpoints. For each endpoint you add, follow these steps:

Figure: Tunnel metadata
- Enter the node for the tunnel in the Node field in the form of site:node (site is optional).
- Click Configure, select either IPv4 or IPv6 for the address version, and then enter the corresponding IP address into the address field.

Step 4: Enter the tunnel parameters.

tunneling parameters — Figure: Tunnel metadata

In the Type field, select the tunnel type.

Note: Only IPSEC is currently supported, so there are no other choices.

In the Secret Info dropdown, choose between Blindfold Secret and Clear Secret.

Blindfold Secret

This option will cause all traffic to be encrypted using F5 Distributed Cloud Blindfold in addition to the protocols and encryption used for IPSEC.

For the Policy dropdown, select between Built-in and Custom. Then select the appropriate policy in the associated dropdown.
Choose the type of secret you will enter. If you have not already created a Blindfold Secret or want to create a new one, then choose between TEXT, otherwise choose Built-In
Text: Enter your cleartext secret and press Blindfold. You can use the Edit button to see and/or copy your encrypted Blindfold Secret.
Blindfold: Paste your existing Blindfold Secret into the text box.
For more information on Blindfold, see Secrets Management and Blindfold.

Clear Secret

This option will only use the protocols and encryption for IPSEC.

Choose between TEXT and base64(binary) for the type of secret you will enter. Then enter your secret in the format specified.

Step 5: Complete tunnel creation.

Press Save and Exit.

Note: Tunnel configuration becomes effective only when you attach the tunnel to a tunnel interface.

Concepts

API References

Site
BGP