Bug ID 524753: IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF6

Opened: May 22, 2015

Severity: 3-Major

Symptoms

An IPsec tunnel interface presents the IPsec service through a regular network interface. The self-IP assigned to the tunnel interface should therefore allow external hosts to connect to the BIG-IP over TCP/UDP at that address. Instead, the connection is hairpinned back out the IPsec tunnel interface rather than being delivered to the host.

Impact

The BIG-IP cannot provide certain services hosted on the BIG-IP itself over the tunnel, such as BGP over TCP.

Conditions

Create an IPsec tunnel interface and assign it a self-IP with "allow-service all" so that the self-IP accepts external connections. From the other end of the IPsec tunnel, attempt a TCP connection using "telnet"; observe that the "telnet" command fails.

Workaround

An iRule can be created to forward external connections arriving on the IPsec tunnel self-IP to the host address 127.0.0.1. Example:

    ltm virtual http_host {
        destination 10.99.0.11:80
        ip-forward
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            fastl4_stateless { }
        }
        rules {
            local_node
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
    }

    ltm rule local_node {
        when CLIENT_ACCEPTED {
            node 127.0.0.1 80
        }
    }

Here 10.99.0.11 is the self-IP of the IPsec tunnel interface.

Fix Information

BIG-IP now properly handles TCP/UDP connections to the BIG-IP over an IPsec interface using its tunnel self-IP.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips