Bug ID 646890: IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP All (all modules)

Known Affected Versions:
12.1.2, 12.1.3, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:

Opened: Feb 22, 2017

Severity: 3-Major

Related Article: K12068427


Changing the IKEv1 phase 2 authentication algorithm to sha256, sha384, or sha512 does not take effect until the tmipsecd daemon is restarted.


Cannot switch IKEv1 ipsec-policy to sha256, sha384, or sha512 authentication without either restarting BIG-IP or restarting tmipsecd.


If you change the ike-phase2-auth-algorithm attribute (inside an instance of ipsec-policy) to a value of sha256, sha384, or sha512, racoon hits a parse error when it receives the change. The change therefore does not take effect without a racoon restart.


Restarting the tmipsecd daemon restarts all racoon processes, which re-read the config. IKEv1 IPsec then works correctly with the SHA authentication algorithms.
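To find which policies the workaround applies to, the following added example (not F5 code) flags ipsec-policy objects set to sha256, sha384, or sha512 when the running version is one of the known affected versions listed above. The function name, the sample policy names, and the stanza layout of the sample text are assumptions constructed for illustration; the check looks only at the attribute and does not determine whether the policy is used with IKEv1.

```python
import re

# Versions listed on this page as known affected.
AFFECTED = {"12.1.2", "12.1.3", "13.0.0", "13.0.0 HF1", "13.0.0 HF2",
            "13.0.0 HF3", "13.0.1"}
# Phase 2 auth values that racoon fails to parse on an incremental change.
SHA2 = {"sha256", "sha384", "sha512"}

# One brace-delimited stanza per policy (layout assumed, see SAMPLE below).
STANZA = re.compile(r"^net ipsec ipsec-policy (\S+) \{\n(.*?)^\}", re.M | re.S)
ATTR = re.compile(r"^\s+ike-phase2-auth-algorithm (\S+)", re.M)

def policies_subject_to_bug(version, config_text):
    """Return names of policies whose SHA-2 phase 2 auth setting only takes
    effect after a tmipsecd restart on an affected version."""
    if version not in AFFECTED:
        return []
    hits = []
    for name, body in STANZA.findall(config_text):
        m = ATTR.search(body)
        if m and m.group(1) in SHA2:
            hits.append(name)
    return hits

# Constructed sample configuration text (hypothetical policy names).
SAMPLE = """\
net ipsec ipsec-policy legacy_pol {
    ike-phase2-auth-algorithm sha1
    ike-phase2-encrypt-algorithm aes256
}
net ipsec ipsec-policy branch_pol {
    ike-phase2-auth-algorithm sha256
    ike-phase2-encrypt-algorithm aes256
}
net ipsec ipsec-policy dc_pol {
    ike-phase2-auth-algorithm sha512
}
"""

if __name__ == "__main__":
    for pol in policies_subject_to_bug("13.0.0 HF2", SAMPLE):
        print(f"{pol}: restart tmipsecd for the SHA setting to take effect")
```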

Fix Information

Now tmipsecd sends the correct incremental config description of SHA authentication algorithms to racoon, so that IKEv1 ipsec-policy reconfiguration works immediately without requiring a restart of tmipsecd.

Behavior Change
