Bug ID 504354: IPv6 IPsec tunnel not responding to remote ESP packets that encapsulate IPv4 packet

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP LTM(all modules)

Fixed In:
12.0.0

Opened: Feb 03, 2015

Severity: 3-Major

Symptoms

The default-traffic-selector-interface is IPv6-IPv6 by default. This causes the IPsec ESP to drop the decrypted non-IPv6 packets inside the IPsec tunnel.

Impact

Unable to send IPv4 traffic over IPv6 IPsec tunnel interface. Service unreachable.

Conditions

Configure IPsec tunnel interface such that the IPsec tunnel is IPv6, and the internal packet is IPv4.

Workaround

N/A.

Fix Information

The fix would examine the internal packet of IPsec ESP tunnel by looking at the IPv4/6 header version field.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips