Bug ID 570845: Configuration infrastructure should reject invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy

Last Modified: Mar 21, 2019

Bug Tracker

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4

Fixed In:
13.0.0

Opened: Jan 29, 2016
Severity: 3-Major
Related AskF5 Article:
K00334323

Symptoms

The configuration infrastructure accepts the invalid 'None' option for Phase 1 Perfect Forward Secrecy on an IPsec IKE peer. The 'None' option is only offered when the IKE peer is configured from specific browsers and is not a valid Phase 1 setting: IKE Phase 1 always performs a Diffie-Hellman exchange, so a Phase 1 proposal must name a DH group. Regardless of what the client presents, the configuration infrastructure should validate the value itself and reject 'None' for configured IKE peers.

Impact

The racoon daemon fails to start, and all IPsec tunnels on the system may stop working, not only the tunnel for the misconfigured peer, because racoon rejects the whole configuration file. The racoon.log file may contain messages like:

INFO: Reading configuration from "/etc/racoon/racoon.conf"
ERROR: /etc/racoon/racoon.conf.bigip:59: "}" DH group required.
ERROR: fatal parse failure (1 errors)
ERROR: failed to parse configuration file.

Conditions

An IKE peer can be configured with the invalid 'None' option for Perfect Forward Secrecy when the configuration is made from Internet Explorer or Safari, and the configuration infrastructure does not reject the invalid value in these cases.

Workaround

Do not select the 'None' option for Perfect Forward Secrecy when configuring an IKE peer. If an IKE peer has already been saved with 'None', change its Phase 1 Perfect Forward Secrecy setting to a valid DH group so that racoon can parse the generated configuration and start.
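The following is an added example, not part of this bug entry and not an F5 tool. It reproduces the check racoon applies when it parses the generated configuration (a Phase 1 proposal must carry a dh_group line, as the "DH group required" error in the Impact section shows), so an operator can locate the offending IKE peer before racoon fails to start. The file layout follows standard racoon (ipsec-tools) syntax; the sample configuration and its peer addresses are constructed for illustration.

```python
"""Check a racoon.conf-style file for IKE phase 1 proposals that lack a DH group.

Added example; not F5 code. It mirrors racoon's own parse-time requirement that
every 'proposal { ... }' block inside a 'remote' block names a dh_group, which is
the check the invalid 'None' PFS option trips. Sample configuration is
constructed; the peer addresses are assumptions.
"""
import re

# Constructed sample: the first peer is valid, the second has a phase 1
# proposal with no dh_group line, which racoon rejects with
# '"}" DH group required.'
SAMPLE_CONF = """\
path pre_shared_key "/etc/racoon/psk.txt";

remote 198.51.100.10 {
    exchange_mode main;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

remote 198.51.100.20 {
    exchange_mode main;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
    }
}
"""

_REMOTE_RE = re.compile(r'^\s*remote\s+(\S+)\s*\{')
_PROPOSAL_RE = re.compile(r'^\s*proposal\s*\{')
_DH_GROUP_RE = re.compile(r'^\s*dh_group\s+\S+\s*;')


def find_proposals_without_dh_group(conf_text):
    """Return [(peer, line_of_closing_brace)] for every proposal lacking dh_group.

    Only 'proposal { ... }' blocks inside 'remote' blocks (phase 1) are checked;
    phase 2 'sainfo' blocks use pfs_group, where omitting PFS is legitimate.
    The reported line is the proposal's closing brace, which is where racoon
    itself reports the error.
    """
    findings = []
    peer = None
    depth = 0             # current brace nesting depth
    in_proposal = False
    proposal_depth = 0    # nesting depth inside the proposal being scanned
    seen_dh_group = False

    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split('#', 1)[0]  # '#' starts a comment in racoon.conf
        m = _REMOTE_RE.match(line)
        if m:
            peer = m.group(1)
        if _PROPOSAL_RE.match(line):
            in_proposal = True
            seen_dh_group = False
            proposal_depth = depth + 1
        elif in_proposal and _DH_GROUP_RE.match(line):
            seen_dh_group = True

        depth += line.count('{')
        for _ in range(line.count('}')):
            depth -= 1
            if in_proposal and depth < proposal_depth:
                # Closing brace of the proposal block: racoon would fail here.
                if not seen_dh_group:
                    findings.append((peer, lineno))
                in_proposal = False
    return findings


def format_findings(findings, conf_name='racoon.conf'):
    """Render findings in the style of racoon's own parse errors."""
    return ['ERROR: %s:%d: "}" DH group required (peer %s).'
            % (conf_name, lineno, peer) for peer, lineno in findings]


if __name__ == '__main__':
    for msg in format_findings(find_proposals_without_dh_group(SAMPLE_CONF),
                               'racoon.conf.bigip'):
        print(msg)
```

Run against the real generated file (the Impact section names /etc/racoon/racoon.conf.bigip) by reading it into find_proposals_without_dh_group; any peer it reports is the one whose Phase 1 Perfect Forward Secrecy must be changed from 'None' to a valid DH group before racoon is restarted.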

Fix Information

The configuration infrastructure now checks for the Perfect Forward Secrecy 'None' option and rejects the IKE peer configuration if that option is set.

Behavior Change