Symptoms

The default-traffic-selector-interface is IPv6-IPv6 by default. This causes the IPsec ESP to drop the decrypted non-IPv6 packets inside the IPsec tunnel.

Impact

Unable to send IPv4 traffic over IPv6 IPsec tunnel interface. Service unreachable.

Conditions

Configure IPsec tunnel interface such that the IPsec tunnel is IPv6, and the internal packet is IPv4.

Workaround

N/A.

Fix Information

The fix would examine the internal packet of IPsec ESP tunnel by looking at the IPv4/6 header version field.

Behavior Change