Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1
Fixed In:
16.1.0, 16.0.1.2, 15.1.4.1, 14.1.4.5
Opened: Apr 19, 2020 Severity: 3-Major
IPsec tunnels fails to remain established after initially working. On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer. This may also immediately present as a problem when trying to establish a second tunnel to the same peer.
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.
- IPsec IKEv2 tunnel. - A remote peer that is not another BIG-IP system. - Elliptic curve groups (ECP) is used for Perfect Forward Secrecy (PFS).
Do not use ECP for PFS.
The ECP PFS state is now correctly maintained and will interoperate with other vendor IPsec products.