Bug ID 573245: IPsec Phase 1 and Phase 2 authentication algorithms now defaults to SHA-256.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.0.0

Opened: Feb 11, 2016

Severity: 3-Major

Symptoms

IPsec Phase 1 and Phase 2 authentication algorithms default to SHA-1.

Impact

Security is not as good as it could be.

Conditions

When creating a 'net ipsec ipsec-policy' or creating a 'net ipsec ike-peer' and taking the defaults.

Workaround

Configure a higher level of security. e.g. SHA-256, SHA-384, or SHA-512.

Fix Information

IPsec Phase 1 and Phase 2 authentication algorithms now defaults to SHA-256.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips