Friday, October 13, 2017

F5 DTLS edgeclient sslvpn

In this blog we will look at the DTLS setup for an F5 APM access policy and for remote SSL-VPN (Edge Client) clients.

To enable DTLS you need to create an additional virtual server with its protocol set to UDP, and within the access policy you have to enable the DTLS option on the network-access resource. The DTLS port you set in the network-access settings must match the service port in the virtual server's destination address (the destination IP is the same address the clients already use for the TCP/443 SSL-VPN virtual server).


Here's a simple virtual server that supports DTLS, using the connectivity profile.

Notice: protocol UDP and port 4433

[screenshot: DTLS virtual server configuration, not reproduced]

The APM network-access resource needs the DTLS check box enabled and the DTLS port set to the same service port as the LTM virtual server { access-policy > network-access > settings }.

[screenshot: network-access DTLS settings, not reproduced]

If you monitor the client access details from tmsh, you will see no direct reference to DTLS v1.0 being used, e.g.:

[screenshot: tmsh client access details, not reproduced]

To validate DTLS usage, monitor the statistics of the LTM client-ssl profile attached to the virtual server and grep the output for DTLS:

[screenshot: client-ssl profile statistics, not reproduced]

or:

[screenshot: alternative statistics view, not reproduced]

When the Edge Client connects you will see the Edge Client statistics list the connection as DTLS, along with the cipher in use for the session.

[screenshot: Edge Client statistics, not reproduced]

And the APM log will display output similar to the following when a client negotiates a DTLS v1.0 connection:

[screenshot: APM log message, not reproduced]

  • If the client can't negotiate DTLS, it falls back to TLS. The fallback is silent: a blocked UDP path shows up as a working but slower tunnel over TCP, not as an error.
  • Beware of any forward proxies that prevent DTLS negotiation on UDP port 4433.
  • Any local or remote firewall could block access to the UDP port (udp.port == 4433 in Wireshark terms).
  • The initial contact is always via TLS; only if the APM and the client then negotiate DTLS is the data path switched to DTLS.
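
As an added example (not from the post), here is a small Python probe that sends a DTLS 1.0 ClientHello to the APM's UDP port and classifies the answer. It checks the two things the bullets above warn about, from the client's vantage point: whether UDP/4433 reaches the APM at all, and whether a DTLS listener is actually configured there, before you rely on the silent fallback to TLS. The hostname vpn.example.com and the port 4433 are assumptions; the packet is built by hand from RFC 4347 and no cryptography is performed, so a HelloVerifyRequest, ServerHello or even an Alert coming back is proof enough that the UDP path is open.

```python
"""Probe whether a DTLS listener answers on the APM DTLS port (UDP/4433).

Added example, not part of the original post. It speaks just enough DTLS 1.0
(RFC 4347) to send a ClientHello and recognise the reply; no keys, no crypto.
"""
import os
import socket
import struct

DTLS_1_0 = b"\xfe\xff"            # DTLS 1.0 wire version (RFC 4347)
DTLS_1_2 = b"\xfe\xfd"            # DTLS 1.2 (RFC 6347), accepted in replies
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_HELLO_VERIFY_REQUEST = 3
RECORD_HEADER = 13                # type(1) version(2) epoch(2) seq(6) length(2)
HANDSHAKE_HEADER = 12             # type(1) length(3) msg_seq(2) frag_off(3) frag_len(3)

# A small, widely supported offer: ECDHE-RSA and RSA with AES-CBC-SHA.
CIPHER_SUITES = bytes.fromhex("c014c0130035002f")


def _handshake_record(msg_type, body, message_seq=0):
    """Wrap a handshake body in DTLS handshake and record headers (epoch 0, unfragmented)."""
    handshake = (
        bytes([msg_type])
        + len(body).to_bytes(3, "big")
        + struct.pack("!H", message_seq)
        + (0).to_bytes(3, "big")            # fragment_offset
        + len(body).to_bytes(3, "big")      # fragment_length == length: single fragment
        + body
    )
    return (
        bytes([CONTENT_HANDSHAKE])
        + DTLS_1_0
        + struct.pack("!H", 0)              # epoch 0: nothing encrypted yet
        + message_seq.to_bytes(6, "big")    # record sequence number
        + struct.pack("!H", len(handshake))
        + handshake
    )


def build_client_hello(cookie=b"", client_random=None, message_seq=0):
    """DTLS 1.0 ClientHello. A non-empty cookie makes it the second hello of the
    cookie exchange; the same client_random must be reused for that retransmit."""
    client_random = client_random or os.urandom(32)
    body = (
        DTLS_1_0
        + client_random
        + b"\x00"                                       # session_id: empty
        + bytes([len(cookie)]) + cookie                 # cookie (empty on first try)
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                                   # one compression method: null
    )
    return _handshake_record(HS_CLIENT_HELLO, body, message_seq)


def build_hello_verify_request(cookie):
    """What a DTLS server sends back to a cookie-less ClientHello (used for the offline check)."""
    return _handshake_record(HS_HELLO_VERIFY_REQUEST, DTLS_1_0 + bytes([len(cookie)]) + cookie)


def classify_response(data):
    """Return (kind, cookie) for one DTLS record; cookie is only set for a HelloVerifyRequest."""
    if len(data) < RECORD_HEADER:
        return "too-short", b""
    content_type, version = data[0], data[1:3]
    if version not in (DTLS_1_0, DTLS_1_2):
        return "not-dtls", b""
    if content_type == CONTENT_ALERT:
        return "alert", b""
    if content_type != CONTENT_HANDSHAKE or len(data) < RECORD_HEADER + HANDSHAKE_HEADER:
        return "unknown", b""
    hs_type = data[RECORD_HEADER]
    body = data[RECORD_HEADER + HANDSHAKE_HEADER:]
    if hs_type == HS_HELLO_VERIFY_REQUEST and len(body) >= 3:
        cookie_len = body[2]                            # body: server_version(2) cookie_len(1) cookie
        return "hello_verify_request", body[3:3 + cookie_len]
    if hs_type == HS_SERVER_HELLO:
        return "server_hello", b""
    return "unknown", b""


def probe_dtls(host, port=4433, timeout=3.0):
    """Send a ClientHello to host:port and report what answered.

    'dtls-listener': HelloVerifyRequest or ServerHello came back: UDP path open, DTLS offered.
    'alert':         something spoke DTLS but rejected the offer (still proves reachability).
    'refused':       ICMP port unreachable: the host is reachable but nothing listens there.
    'no-reply':      dropped or filtered; the Edge Client would silently fall back to TLS.
    """
    client_random = os.urandom(32)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_client_hello(client_random=client_random), (host, port))
        kind, cookie = classify_response(sock.recv(4096))
        if kind == "hello_verify_request" and cookie:
            # Cookie exchange (RFC 4347 4.2.1): resend the same hello with the cookie attached.
            sock.sendto(build_client_hello(cookie, client_random, message_seq=1), (host, port))
            kind, _ = classify_response(sock.recv(4096))
        if kind in ("hello_verify_request", "server_hello"):
            return "dtls-listener"
        return "alert" if kind == "alert" else "unexpected"
    except socket.timeout:
        return "no-reply"
    except ConnectionRefusedError:
        return "refused"
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"   # assumed hostname
    print(target, probe_dtls(target))
```

Run it from the same network the remote clients use (behind the corporate proxy, from the home network, and so on): "no-reply" from there while "dtls-listener" from the datacentre is the proxy or firewall case in the bullets above, and the client will quietly run over TLS.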





Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \



