Bug ID 637979: IPsec over isession not working

Last Modified: Sep 06, 2019

Affected Product:
BIG-IP WOM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 15.0.0, 15.0.1

Opened: Jan 10, 2017
Severity: 3-Major

Symptoms

Configuring symmetric optimization to use IPsec for IP encapsulation is not, by itself, enough for the user to send IPsec-encrypted application data traffic through a secured iSession connection.

Impact

The user is unable to send encrypted traffic using IPsec over the tunnel without the additional configuration required for a typical IPsec setup.

Conditions

Configure IPsec with iSession through the Quick Start screen and/or under the "Local Endpoint" configuration. Do not create any new IKE peers or traffic selectors.

Workaround

The configuration needed for a typical IPsec setup should be made explicitly. iSession encapsulation should be set to "none", and a proper IKE peer, IPsec policy, and traffic selectors should be configured to capture iSession traffic between the iSession endpoints.

BIG-IP1 GUI:

[Local Endpoint]
Acceleration > Symmetric Optimization : Local Endpoint > Properties
    WAN Self IP Address: <BIG-IP1-local-endpoint-ipaddress>
    IP Encapsulation Type: None

[Remote Endpoint]
Acceleration > Symmetric Optimization : Remote Endpoints > New Remote Endpoint...
    IP Address: <BIG-IP2-local-endpoint-ipaddress>

[IKE peer]
Network > IPsec : IKE Peers > New IKE Peer...
    Remote Address: <BIG-IP2-local-endpoint-ipaddress>
    Version: Version1
    Presented ID Value: <BIG-IP1-local-endpoint-ipaddress>
    Verified ID Value: <BIG-IP2-local-endpoint-ipaddress>

[IPsec policy]
Network > IPsec : IPsec Policies > New IPsec Policy...
    Name: <isession_policy_name>
    Mode: Tunnel
    Tunnel Local Address: <BIG-IP1-local-endpoint-ipaddress>
    Tunnel Remote Address: <BIG-IP2-local-endpoint-ipaddress>

[Traffic selector]
Network > IPsec : Traffic Selectors > New Traffic Selector...
    IPsec Policy Name: <isession_policy_name>
    Source IP Address: <BIG-IP1-local-endpoint-ipaddress>
    Destination IP Address: <BIG-IP2-local-endpoint-ipaddress>

BIG-IP2 GUI:

Analogous; just swap the local and remote endpoint addresses where they appear above.
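The workaround only works if the two BIG-IP systems mirror each other exactly, so the following added example (not F5 code) audits a recorded copy of both sides' settings against the values listed above. The dictionary keys are hypothetical labels for the GUI fields, and the addresses, the policy name and the "IPsec" encapsulation value are constructed sample data.

```python
# Added example, not F5 code. Keys are hypothetical labels for the GUI fields
# in the workaround; addresses are constructed (RFC 5737 documentation ranges).

def expected(local, remote, policy):
    """Settings the workaround lists for one BIG-IP, given its own and its peer's address."""
    return {
        "local_endpoint.wan_self_ip": local,
        "local_endpoint.ip_encapsulation": "None",
        "remote_endpoint.ip": remote,
        "ike_peer.remote_address": remote,
        "ike_peer.version": "Version1",
        "ike_peer.presented_id": local,
        "ike_peer.verified_id": remote,
        "ipsec_policy.name": policy,
        "ipsec_policy.mode": "Tunnel",
        "ipsec_policy.tunnel_local": local,
        "ipsec_policy.tunnel_remote": remote,
        "traffic_selector.policy": policy,
        "traffic_selector.source": local,
        "traffic_selector.destination": remote,
    }

def audit(side, local, remote):
    """Return (field, found, wanted) for every setting that deviates from the workaround."""
    policy = side.get("ipsec_policy.name")  # the selector must reference this box's own policy
    want = expected(local, remote, policy)
    findings = [(k, side.get(k), v) for k, v in sorted(want.items()) if side.get(k) != v]
    if not policy:
        findings.append(("ipsec_policy.name", policy, "<any name>"))
    return findings

def audit_pair(bigip1, bigip2, addr1, addr2):
    """Audit both sides; BIG-IP2 is checked with local and remote swapped."""
    return {"BIG-IP1": audit(bigip1, addr1, addr2), "BIG-IP2": audit(bigip2, addr2, addr1)}

ADDR1, ADDR2 = "192.0.2.10", "198.51.100.20"
GOOD1 = expected(ADDR1, ADDR2, "isession_policy")
# Constructed bad BIG-IP2: encapsulation left on IPsec, no IKE peer remote address,
# and traffic selector addresses copied from BIG-IP1 without swapping.
BAD2 = expected(ADDR2, ADDR1, "isession_policy")
BAD2["local_endpoint.ip_encapsulation"] = "IPsec"
BAD2["traffic_selector.source"] = ADDR1
BAD2["traffic_selector.destination"] = ADDR2
del BAD2["ike_peer.remote_address"]

if __name__ == "__main__":
    for box, findings in audit_pair(GOOD1, BAD2, ADDR1, ADDR2).items():
        print(box, "OK" if not findings else "")
        for field, found, wanted in findings:
            print(f"  {field}: found {found!r}, workaround expects {wanted!r}")
```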

Fix Information

None

Behavior Change