F5 APM with IPV6 Network ACLs

I ran into an issue while configuring an F5 SSLVPN for IPV6 last night, and googling it didn’t return anything of use.. so here we are again!

This is for the IPV6 LAN Address Space option, under Client Settings in the Network Settings tab under… don’t hold your breath…

Access ›› Connectivity / VPN : Network Access (VPN) : Network Access Lists : (yourprofile)

I know they’re complex, but the configuration’s getting hilariously convoluted to find sometimes.

Here it is in the GUI:

F5 IPv6 Address Space

Turns out instead of putting 1111:4eb8:2003:4000:: in one field and 64 in the mask you have to put the whole mask so if you’ve got a 64 bit mask, it’s FFFF:FFFF:FFFF:FFFF::

In v13 there doesn’t seem to be verbage in the console for adding/removing, so it’s an explicit “configure them all at once, every time” kind of thing.

To set a single subnet for a policy called example:

modify apm resource network-access example ipv6-address-space-include-subnet { { subnet 1111:4eb8:2003:4000::/64 } }

Or if you have a second one to add, it’s very similar:

modify apm resource network-access example ipv6-address-space-include-subnet { { subnet 1111:4eb8:2003:4000::/64 } { subnet 1111:4eb8:2003:4001::/64 } }

All done, have fun!


Tags: F5