Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 12.0.0, 12.0.0 HF1, 12.0.0 HF2
Fixed In:
12.1.0, 12.0.0 HF3, 11.6.1
Opened: Aug 24, 2015
Severity: 3-Major
Related Article:
K59519340
Symptoms:
The wrong source port is chosen for IPsec/IKE NAT-T UDP-encapsulated traffic. When IKE floats its port after detecting a NAT device, it should use port 4500 as both its source port and its destination port.
Impact:
When NAT-T is enabled, the IPsec tunnel cannot be established.
Conditions:
NAT traversal is enabled on the IKE Peer configuration object, and a NAT device is detected during IKE negotiation.
Workaround:
None.
Fix Information:
Now, when NAT-T is enabled, the IPsec tunnel can be established as expected.
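One way to check a capture for the port behaviour described above, as an added example that is not F5 code: it classifies UDP datagrams sent to port 4500 using the RFC 3948 framing (non-ESP marker, ESP SPI, keepalive octet) and flags any whose source port is not also 4500. It assumes the datagrams were captured on the sending peer's own egress interface, before a NAT device rewrites the port; all function names and sample bytes are constructed for illustration.

```python
import struct

NAT_T_PORT = 4500  # UDP port IKE floats to once a NAT device is detected

def build_udp(sport, dport, payload):
    """Constructed test data: UDP header (checksum 0) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify_payload(payload):
    """Classify a port-4500 UDP payload by its RFC 3948 framing."""
    if payload == b"\xff":
        return "nat-keepalive"            # single 0xFF octet
    if len(payload) > 4 and payload[:4] == b"\x00" * 4:
        return "ike"                      # non-ESP marker, then IKE header
    if len(payload) >= 8:
        return "esp"                      # non-zero SPI, then sequence number
    return "unknown"

def check_sent_datagram(datagram):
    """Return None for non-NAT-T traffic, else the kind and port verdict."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length field")
    if dport != NAT_T_PORT:
        return None
    return {"kind": classify_payload(datagram[8:length]),
            "sport": sport, "port_ok": sport == NAT_T_PORT}

def audit(datagrams):
    """Return the NAT-T datagrams whose source port is not 4500."""
    results = (check_sent_datagram(d) for d in datagrams)
    return [r for r in results if r is not None and not r["port_ok"]]

# Constructed samples; 50000 is an arbitrary stand-in for a wrong source port.
IKE = b"\x00" * 4 + b"\x11" * 28         # marker + dummy 28-byte IKE header
ESP = struct.pack("!II", 0xC0FFEE01, 1) + b"\x22" * 16
SAMPLES = [
    build_udp(4500, 4500, IKE),          # correct: floated on both ports
    build_udp(50000, 4500, ESP),         # wrong source port for ESP-in-UDP
    build_udp(50000, 4500, IKE),         # wrong source port for IKE
    build_udp(4500, 4500, b"\xff"),      # keepalive, correct
    build_udp(500, 500, b"\x11" * 28),   # pre-float IKE on port 500, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print("source port mismatch:", finding)
```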