Bug ID 636573: After changing ike-peer from IKEv2 to IKEv1, racoon does not get updated.

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Jan 03, 2017
Severity: 3-Major
Related Article:
K75870356

Symptoms

1. Two peers, one with IKEv2 ike-peer configured and the other with IKEv1 ike-peer configured.
2. Reboot IKEv2 peer.
3. Attempt to initiate tunnel from IKEv2 peer side. Won't work (that's expected).
4. Correct the IKEv2 peer to use IKEv1.
5. Attempt to initiate tunnel from 'new' IKEv1 peer side. Won't work (no policy found is logged).

Still cannot initiate tunnel after switching from IKEv2 to IKEv1.

Impact

IPsec does not work. You must reconfigure the two ike-peers from the start, or restart tmipsecd.

Conditions

Changing IKE version from IKEv2 to IKEv1.

Workaround

Configure the IKE peers to use IKEv1 at initial configuration, or restart tmipsecd after changing the configuration from IKEv2 to IKEv1.

Fix Information

IPsec now supports changing the configuration from IKEv1 to IKEv2 after initial configuration setup.

Behavior Change