Bug ID 570839: IPsec IKE-v2 Peer UI does not prevent configuration of 'NONE' option using Microsoft Internet Explorer.

Last Modified: Feb 13, 2019


Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4

Fixed In:
13.0.0

Opened: Jan 29, 2016
Severity: 3-Major
Related AskF5 Article:
K51200424

Symptoms

The IPsec configuration utility (web UI) allows configuration of an invalid option, "NONE", for Perfect Forward Secrecy when the Internet Explorer browser is in use.

Impact

The racoon daemon will fail to start and all tunnels may fail to work. The racoon.log file may contain messages like:

2016-09-14 16:32:16: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2016-09-14 16:32:16: ERROR: /etc/racoon/racoon.conf.bigip:59: "}" DH group required.
2016-09-14 16:32:16: ERROR: fatal parse failure (1 errors)
2016-09-14 16:32:16: ERROR: failed to parse configuration file.
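One way to check a racoon.log for this failure, as an added example that is not F5's code. The function names are hypothetical, and the sample input is the log excerpt quoted above; the parser assumes every line follows that same layout.

```python
import re

# Constructed sample: the racoon.log excerpt quoted in this article.
SAMPLE_LOG = '''\
2016-09-14 16:32:16: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2016-09-14 16:32:16: ERROR: /etc/racoon/racoon.conf.bigip:59: "}" DH group required.
2016-09-14 16:32:16: ERROR: fatal parse failure (1 errors)
2016-09-14 16:32:16: ERROR: failed to parse configuration file.
'''

# "<timestamp>: <LEVEL>: <message>", the layout of the lines above.
LOG_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): ([A-Z]+): (.*)$")
# "<config path>:<line number>: <detail>", as in the second sample line.
CONFIG_ERROR = re.compile(r"^(/\S+):(\d+): (.*)$")


def find_failed_loads(log_text):
    """Return one record per configuration load that ended in a parse failure."""
    loads, current = [], None
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # not a log line in the expected layout
        ts, level, msg = m.groups()
        if level == "INFO" and msg.startswith("Reading configuration from"):
            current = {"started": ts, "errors": [], "failed": False}
            loads.append(current)
        elif level == "ERROR" and current is not None:
            loc = CONFIG_ERROR.match(msg)
            if loc:
                current["errors"].append(
                    {"file": loc.group(1), "line": int(loc.group(2)), "detail": loc.group(3)}
                )
            elif msg.startswith("failed to parse configuration file"):
                current["failed"] = True
    return [load for load in loads if load["failed"]]


def missing_dh_group(load):
    """True when a failed load reports the 'DH group required' error from this bug."""
    return any("DH group required" in e["detail"] for e in load["errors"])


if __name__ == "__main__":
    for load in find_failed_loads(SAMPLE_LOG):
        for e in load["errors"]:
            print(f'{load["started"]} {e["file"]}:{e["line"]} {e["detail"]}')
        if missing_dh_group(load):
            print("PFS DH group missing: check the IKE peer's Perfect Forward Secrecy setting")
```

The reported file and line number point at the block in the generated racoon configuration that lacks a DH group.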

Conditions

An IPsec IKE-v2 Peer is created from the GUI with the 'None' option for Perfect Forward Secrecy.

Workaround

The 'None' option for Perfect Forward Secrecy on the IPsec IKE Peer creation page is invalid and should not be selected.

Fix Information

Configuration utility (web UI): Removed the 'None' option for Perfect Forward Secrecy from the IPsec IKE Peer creation page.

Behavior Change