Last Modified: Jul 24, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5
Fixed In:
17.0.0, 15.1.5.1, 14.1.4.6
Opened: Nov 01, 2021
Severity: 2-Critical
Symptoms:
Sophos IPsec clients cannot connect to a Sophos firewall when an ipsecalg profile is configured on the forwarding virtual server. The Sophos client initially attempts to start the tunnel using aggressive mode. The Sophos firewall does not support aggressive mode for remote users and responds with an Informational exchange carrying Notify Message Type INVALID-PAYLOAD-TYPE. Tunnel setup cannot proceed correctly after that point.
Impact:
Sophos clients cannot start an IPsec tunnel through the BIG-IP system.
Conditions:
-- The Sophos client is installed on remote user devices.
-- A Sophos firewall is the remote endpoint of the IPsec tunnel.
-- The traffic passes through a forwarding virtual server with an ipsecalg profile.
Note: The Sophos client and firewall combination is the only known failing use case.
Workaround:
The Sophos client cannot be configured to use main mode instead of starting with aggressive mode, and the Sophos firewall does not support aggressive mode for remote-user IPsec tunnels. As a workaround, create an iRule containing the following and add it to the ipsecalg virtual server. The iRule inspects only the first server-side packet of each flow and, when that packet is an IKEv1 Informational exchange whose first payload is a Notification of INVALID-PAYLOAD-TYPE, rejects the connection. The binary scan offsets assume the ISAKMP header starts at the beginning of the UDP payload, as it does on UDP port 500.

when SERVER_DATA {
    # Only execute on the first server-side packet of the flow.
    event disable
    # The binary scan below needs 40 bytes: the 28-byte ISAKMP header
    # plus 12 bytes of Notification payload.
    if { [UDP::payload length] < 40 } { return }
    # x8x8: skip initiator and responder SPIs; c: next payload type;
    # H2: version byte as two hex digits; c: exchange type;
    # x9: skip flags, message ID and length; x10: skip the generic payload
    # header, DOI, protocol ID and SPI size; S: Notify Message Type (16-bit, big-endian).
    binary scan [UDP::payload] x8x8cH2cx9x10S payload_type ver exch_type noti_type
    # Depending on throughput, the amount of logging here may be problematic
    #log local0. "payload_type : $payload_type"
    #log local0. "ver : $ver"
    #log local0. "exch_type : $exch_type"
    #log local0. "noti_type : $noti_type"
    # 11 = Notification payload, 10 = ISAKMP version 1.0,
    # 5 = Informational exchange, 1 = INVALID-PAYLOAD-TYPE
    if { $payload_type == 11 && $ver == 10 && $exch_type == 5 && $noti_type == 1 } {
        log local0. "Closing ipsecalg connection"
        after 1 { reject }
    }
}
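The following Python script is an added example, not F5 or Sophos code: it reimplements the iRule's binary scan decode and match condition so the rule can be checked offline against a UDP/500 datagram taken from a capture before the iRule is deployed. The function names, the packet builders and the three sample datagrams are constructed here for illustration and are not captured from a Sophos device; the DOI and protocol ID values in the constructed Notification payload are the IPsec DOI and ISAKMP protocol values from RFC 2407/2408.

```python
"""
Offline check of the ISAKMP match used by the workaround iRule.

Added example (not F5 or Sophos code). It mirrors the iRule's
`binary scan ... x8x8cH2cx9x10S` decode so the match can be verified
against a UDP/500 datagram before the iRule is deployed. Sample packets
below are constructed for illustration, not captured from a real device.
"""
import struct

# ISAKMP (RFC 2408) constants used by the iRule's condition.
PAYLOAD_SA = 1                  # next-payload type: Security Association
PAYLOAD_NOTIFICATION = 11       # next-payload type: Notification
VERSION_V1 = 0x10               # major 1, minor 0 (the iRule's H2 reads "10")
EXCHANGE_AGGRESSIVE = 4
EXCHANGE_INFORMATIONAL = 5
NOTIFY_INVALID_PAYLOAD_TYPE = 1

# Same byte layout as the iRule's binary scan:
#   x8 x8 -> initiator and responder SPI (16 bytes), skipped
#   c     -> next payload type (1 byte)
#   H2    -> version byte (Tcl renders it as hex "10")
#   c     -> exchange type (1 byte)
#   x9    -> flags (1) + message ID (4) + length (4), skipped
#   x10   -> generic payload header (4) + DOI (4) + proto ID (1) + SPI size (1), skipped
#   S     -> Notify Message Type, 16-bit big-endian
ISAKMP_MATCH_FMT = ">16xBBB9x10xH"
MIN_LEN = struct.calcsize(ISAKMP_MATCH_FMT)  # 40, the iRule's length guard


def decode_match_fields(udp_payload: bytes):
    """Return (next_payload, version, exchange_type, notify_type), or None if too short.

    Offsets assume the ISAKMP header starts at byte 0 of the UDP payload,
    i.e. UDP/500 framing without the 4-byte NAT-T non-ESP marker used on UDP/4500.
    """
    if len(udp_payload) < MIN_LEN:
        return None
    return struct.unpack_from(ISAKMP_MATCH_FMT, udp_payload)


def is_invalid_payload_type_notify(udp_payload: bytes) -> bool:
    """True when the datagram is what the iRule rejects: an IKEv1 Informational
    exchange whose first payload is a Notification of INVALID-PAYLOAD-TYPE."""
    fields = decode_match_fields(udp_payload)
    if fields is None:
        return False
    next_payload, version, exch_type, notify_type = fields
    return (next_payload == PAYLOAD_NOTIFICATION
            and version == VERSION_V1
            and exch_type == EXCHANGE_INFORMATIONAL
            and notify_type == NOTIFY_INVALID_PAYLOAD_TYPE)


def build_isakmp(next_payload: int, exch_type: int, body: bytes,
                 ispi: bytes = b"\x11" * 8, rspi: bytes = b"\x22" * 8,
                 msg_id: int = 0) -> bytes:
    """Constructed ISAKMP message (28-byte header + body) for testing only."""
    length = 28 + len(body)
    hdr = struct.pack(">8s8sBBBBII", ispi, rspi, next_payload, VERSION_V1,
                      exch_type, 0, msg_id, length)
    return hdr + body


def build_notify_body(notify_type: int, next_payload: int = 0) -> bytes:
    """Constructed Notification payload: generic header, IPsec DOI (1),
    protocol ID ISAKMP (1), SPI size 0, then the Notify Message Type."""
    doi_ipsec, proto_isakmp, spi_size = 1, 1, 0
    payload_len = 4 + 4 + 1 + 1 + 2
    return struct.pack(">BBHIBBH", next_payload, 0, payload_len,
                       doi_ipsec, proto_isakmp, spi_size, notify_type)


# Constructed samples standing in for the packets the iRule must tell apart.
# 1) The firewall's INVALID-PAYLOAD-TYPE reply: the iRule rejects this flow.
SAMPLE_REJECT = build_isakmp(PAYLOAD_NOTIFICATION, EXCHANGE_INFORMATIONAL,
                             build_notify_body(NOTIFY_INVALID_PAYLOAD_TYPE))
# 2) An Aggressive-mode message whose first payload is SA: must pass untouched.
SAMPLE_PASS = build_isakmp(PAYLOAD_SA, EXCHANGE_AGGRESSIVE, b"\x00" * 12)
# 3) A runt datagram shorter than the 40 bytes the decode needs: must pass untouched.
SAMPLE_SHORT = SAMPLE_REJECT[:30]


if __name__ == "__main__":
    for name, pkt in (("reject", SAMPLE_REJECT), ("pass", SAMPLE_PASS),
                      ("short", SAMPLE_SHORT)):
        print(name, len(pkt), decode_match_fields(pkt),
              is_invalid_payload_type_notify(pkt))
```

To test against real traffic, export the UDP payload of the firewall's first reply from a packet capture and pass those bytes to is_invalid_payload_type_notify(); a True result means the iRule condition would fire on that flow.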
Fix Information:
Sophos clients can now bring up an IPsec tunnel with a Sophos firewall through an ipsecalg virtual server.