Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP WOM
Known Affected Versions:
11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Opened: Jan 10, 2017
Severity: 3-Major
Users cannot send IPsec-encrypted application data traffic through a secured iSession connection just by configuring symmetric optimization to use IPsec for IP encapsulation.
Users are unable to send encrypted traffic using IPsec over the tunnel without the additional configuration that a typical IPsec setup requires.
Configure IPsec with iSession through the Quick Start screen and/or under the "Local Endpoint" configuration. Do not create any new IKE peers or traffic selectors.
Configuration needed for a typical IPsec setup should be made explicitly. iSession encapsulation should be set to "none", and a proper IKE peer, IPsec policy, and traffic selectors should be configured to capture iSession traffic between the iSession endpoints.

BIG-IP1 GUI:

[Local Endpoint]
Acceleration > Symmetric Optimization : Local Endpoint > Properties
    WAN Self IP Address: <BIG-IP1-local-endpoint-ipaddress>
    IP Encapsulation Type: None

[Remote Endpoint]
Acceleration > Symmetric Optimization : Remote Endpoints > New Remote Endpoint...
    IP Address: <BIG-IP2-local-endpoint-ipaddress>

[IKE peer]
Network > IPsec : IKE Peers > New IKE Peer...
    Remote Address: <BIG-IP2-local-endpoint-ipaddress>
    Version: Version1
    Presented ID Value: <BIG-IP1-local-endpoint-ipaddress>
    Verified ID Value: <BIG-IP2-local-endpoint-ipaddress>

[IPsec policy]
Network > IPsec : IPsec Policies > New IPsec Policy...
    Name: <isession_policy_name>
    Mode: Tunnel
    Tunnel Local Address: <BIG-IP1-local-endpoint-ipaddress>
    Tunnel Remote Address: <BIG-IP2-local-endpoint-ipaddress>

[Traffic selector]
Network > IPsec : Traffic Selectors > New Traffic Selector...
    IPsec Policy Name: <isession_policy_name>
    Source IP Address: <BIG-IP1-local-endpoint-ipaddress>
    Destination IP Address: <BIG-IP2-local-endpoint-ipaddress>

BIG-IP2 GUI:

Analogous: swap the local and remote endpoint addresses wherever they appear above.
None