Bug ID 747013: Add OCSP server support to IKEv2 negotiation for IPsec peer authentication

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7

Fixed In:
15.1.0, 14.1.2.8

Opened: Oct 16, 2018

Severity: 3-Major

Symptoms

There is no support for OCSP in IPsec.

Impact

If a peer is not using certificates, nothing happens. But if it is using certificates, the ike-peer's certificate is authenticated with the OCSP server using an asynchronous HTTP request in the middle of the IKE_AUTH exchange in IKEv2. Success permits creation of a new SA (security association), while failure causes the IKEv2 negotiation to fail, denying an SA.

Conditions

When an IPsec ike-peer uses certificates, the name of a locally defined OCSP cert-validator object can be specified in the new attribute ocsp-cert-validator, so that the OCSP server is contacted during IKE negotiation to authenticate the peer's certificate.

Workaround

None, this is a code improvement.

Fix Information

IKEv2 negotiation of SAs in IPsec now supports OCSP for certificate authentication. This requires the definition of an OCSP cert-validator in configuration, followed by adding the name of this object to the attribute ocsp-cert-validator in the ike-peer configuration definition. Note: You can use this feature with IKEv2 but not IKEv1.

Behavior Change

You can now add the name of an OCSP cert-validator to an ike-peer in IPsec, so that the peer's certificate must be authenticated by OCSP before IKE negotiation succeeds and an SA (security association) is created.

For documentation on the new ocsp-cert-validator attribute, see this help info:

tmsh help net ipsec ike-peer

For documentation on how to create an instance of the OCSP object, see this help info:

tmsh help sys crypto cert-validator ocsp

The name must include the partition prefix. For example, if you create an instance named 'my_ocsp_srv' in the Common partition, set ocsp-cert-validator like this:

tmsh modify net ipsec ike-peer peer_ocsp ocsp-cert-validator /Common/my_ocsp_srv

This new attribute is only used when 1) the ike-peer also uses certificates, and 2) an instance of OCSP cert-validator with that name is found in configuration.

When creating the OCSP object instance, you likely want a shorter timeout in order to minimize the effect of caching responses from the OCSP server. For example:

tmsh create sys crypto cert-validator ocsp my_ocsp_srv dns-resolver my_dns timeout 4 cache-timeout 5 cache-error-timeout 5 responder-url http://10.100.145.64:8888 clock-skew 900

The cache-timeout and cache-error-timeout values cannot be smaller than timeout, so adding one second to the timeout value is suggested.

Note: if the responder-url contains an explicit IP address, as in the example above, then a DNS resolver will not actually be used, so you can provide a dummy one:

tmsh create net dns-resolver my_dns forward-zones add { net { nameservers add { 10.20.20.100:53 } } } route-domain 0

The IP address given for my_dns above does not matter, because it will not be used. my_dns merely serves to satisfy OCSP cert-validator creation, which requires either a dns-resolver or a proxy-server-pool on the command line.

If an ike-peer uses certificates, and the attribute ocsp-cert-validator names a configured OCSP cert-validator instance, then during the IKE_AUTH exchange of IKEv2 negotiation the OCSP server is contacted to authenticate the remote peer's certificate. This happens right after the AUTH signature payload is verified. If the OCSP server returns a good status, negotiation succeeds and a new SA is created. Otherwise, for example if OCSP reports that the peer's certificate has been revoked, negotiation fails because the peer is not authenticated. Note: IKEv1 is not supported by this behavior change.
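The following shell script is an added illustration of the configuration sequence above; it is not F5 code and is not part of this bug record. It checks the two constraints the notes state (cache-timeout and cache-error-timeout may not be smaller than timeout; the validator name passed to ike-peer must carry its partition prefix) and then emits the three tmsh commands in dependency order: dummy dns-resolver, OCSP cert-validator, ike-peer update. The peer, validator, resolver and responder-url values are placeholders taken from the example in the notes, and the nameserver address in the dummy resolver is a constructed value that, as the notes explain, is never used when the responder-url carries an explicit IP.

```shell
#!/bin/sh
# Added example (not F5's code): validate the OCSP cert-validator timing
# constraints from the bug notes and render the tmsh commands in order.
# All object names and addresses below are constructed placeholders.

# check_ocsp_timeouts TIMEOUT CACHE_TIMEOUT CACHE_ERROR_TIMEOUT
# Succeeds only when both cache values are >= timeout, as the notes require.
check_ocsp_timeouts() {
  [ "$2" -ge "$1" ] && [ "$3" -ge "$1" ]
}

# qualify_name NAME [PARTITION]
# ike-peer expects the validator name with its partition prefix; add
# /Common/ (or the given partition) when the caller omitted it.
qualify_name() {
  case "$1" in
    /*) printf '%s\n' "$1" ;;
    *)  printf '/%s/%s\n' "${2:-Common}" "$1" ;;
  esac
}

# render_ocsp_config PEER VALIDATOR RESOLVER RESPONDER_URL TIMEOUT
# Prints the tmsh commands; cache timeouts are timeout+1 per the notes.
# Returns 1 without printing anything if the constraint check fails.
render_ocsp_config() {
  peer=$1; validator=$2; resolver=$3; url=$4; timeout=$5
  cache=$((timeout + 1))
  check_ocsp_timeouts "$timeout" "$cache" "$cache" || return 1
  cat <<EOF
tmsh create net dns-resolver $resolver forward-zones add { net { nameservers add { 10.20.20.100:53 } } } route-domain 0
tmsh create sys crypto cert-validator ocsp $validator dns-resolver $resolver timeout $timeout cache-timeout $cache cache-error-timeout $cache responder-url $url clock-skew 900
tmsh modify net ipsec ike-peer $peer ocsp-cert-validator $(qualify_name "$validator")
EOF
}

# Usage (placeholder values): render_ocsp_config peer_ocsp my_ocsp_srv my_dns http://10.100.145.64:8888 4
```

Run the rendered commands on the BIG-IP in the order printed; the validator must exist before the ike-peer references it, and the ike-peer must already be configured to use certificates or the attribute is ignored.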

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips