Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6
Fixed In:
13.0.0
Opened: Jan 29, 2016
Severity: 3-Major
Related Article: K00334323
The configuration infrastructure currently allows the invalid 'None' option to be configured for phase 1 Perfect Forward Secrecy on an IPsec IKE peer. Although offering the 'None' option at all is incorrect behaviour that occurs only with specific browsers, the configuration infrastructure should apply stronger checking and refuse to accept an invalid 'None' option for configured IKE peers.
Symptoms:
The racoon daemon will fail to start and all IPsec tunnels may fail to work. The racoon.log file may contain messages like:
    INFO: Reading configuration from "/etc/racoon/racoon.conf"
    ERROR: /etc/racoon/racoon.conf.bigip:59: "}" DH group required.
    ERROR: fatal parse failure (1 errors)
    ERROR: failed to parse configuration file.
Conditions:
The ability to configure an IKE peer with an invalid 'None' option for Perfect Forward Secrecy occurs on Internet Explorer and Safari browsers, and the configuration infrastructure does not reject this invalid configuration for these cases.
Workaround:
Don't configure the 'None' option for Perfect Forward Secrecy in the IKE peer configuration section.
Fix Information:
Check for the Perfect Forward Secrecy 'None' option in the configuration infrastructure and reject the configuration if this option is set.
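The check described above, as an added example that is not F5's own code: a small Python model of the phase 1 PFS validation, a hypothetical renderer that mirrors the pre-fix behaviour (dropping the dh_group line when the value is invalid, which is assumed from the "DH group required" parse error quoted in the symptoms), and a checker that flags proposal blocks without dh_group in a rendered racoon.conf. The peer field names and the DH-group mapping are assumptions for illustration.

```python
import re

# Phase 1 PFS values and their racoon dh_group numbers (mapping assumed for
# illustration; it is not taken from the page or from BIG-IP itself).
PHASE1_DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}


class InvalidIkePeerError(ValueError):
    """Raised when an IKE peer carries a phase 1 PFS value racoon cannot use."""


def validate_phase1_pfs(peer):
    """Reject 'None' (and any unknown group) for phase 1 PFS, as the fix does."""
    pfs = peer.get("phase1_pfs")
    if pfs is None or str(pfs).strip().lower() == "none":
        raise InvalidIkePeerError(
            f"IKE peer {peer['name']}: phase 1 PFS 'None' is invalid, a DH group is required")
    if pfs not in PHASE1_DH_GROUPS:
        raise InvalidIkePeerError(f"IKE peer {peer['name']}: unknown DH group {pfs!r}")
    return pfs


def render_remote_block(peer, strict=True):
    """Render a racoon 'remote' block for one peer (hypothetical renderer).

    strict=True validates first (fixed behaviour). strict=False mimics the
    affected releases: an invalid value silently drops the dh_group line, so
    racoon later fails at the closing '}' with 'DH group required'.
    """
    pfs = validate_phase1_pfs(peer) if strict else peer.get("phase1_pfs")
    lines = [f"remote {peer['address']} {{", "\tproposal {"]
    if pfs in PHASE1_DH_GROUPS:
        lines.append(f"\t\tdh_group {PHASE1_DH_GROUPS[pfs]};")
    lines += ["\t\tencryption_algorithm aes 256;", "\t\thash_algorithm sha256;",
              "\t}", "}"]
    return "\n".join(lines)


_PROPOSAL_RE = re.compile(r"proposal\s*\{(.*?)\}", re.S)


def proposals_missing_dh_group(conf_text):
    """Return 1-based line numbers of proposal blocks that lack dh_group.

    Run over a generated racoon.conf before racoon is restarted to catch the
    symptom above without waiting for the parse failure.
    """
    return [conf_text.count("\n", 0, m.start()) + 1
            for m in _PROPOSAL_RE.finditer(conf_text)
            if "dh_group" not in m.group(1)]
```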