Bug ID 1058645: ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup.

Last Modified: Jul 24, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5

Fixed In:
17.0.0, 15.1.5.1, 14.1.4.6

Opened: Nov 01, 2021

Severity: 2-Critical

Symptoms

Sophos IPsec clients cannot connect to a Sophos firewall when ipsecalg is configured on the forwarding virtual server. The Sophos client initially attempts to start the tunnel using aggressive mode. The Sophos firewall does not support remote users attempting aggressive mode and responds with Notify Message Type INVALID-PAYLOAD-TYPE. The tunnel setup cannot proceed correctly after that point.

Impact

Sophos clients cannot start an IPsec tunnel.

Conditions

-- Sophos client is installed on remote user devices. -- Sophos firewall is the remote endpoint in the IPsec tunnel. Note: The Sophos client and firewall combination is the only known failing use-case.

Workaround

The Sophos client cannot be configured to use main mode instead of starting with aggressive mode. The Sophos firewall does not support aggressive mode for remote user IPsec tunnels. Therefore, create an iRule and add the iRule to the ipsecalg virtual server. The iRule simply contains this: when SERVER_DATA { # Only execute on first server side packet of conflow. event disable if { [UDP::payload length] < 40 } { return; } binary scan [UDP::payload] x8x8cH2cx9x10S payload_type ver exch_type noti_type # Depending on throughput, the amount of logging here may be problematic #log local0. "payload_type : $payload_type" #log local0. "ver : $ver" #log local0. "exch_type : $exch_type" #log local0. "noti_type : $noti_type" if { $payload_type == 11 && $ver == 10 && $exch_type == 5 && $noti_type == 1 } { log local0. "Closing ipsecalg connection" after 1 { reject } } }

Fix Information

Sophos clients can now bring up an IPsec tunnel with a Sophos firewall.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips