Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP All
Known Affected Versions:
12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0, 12.1.3.4
Opened: Feb 22, 2017
Severity: 3-Major
Related Article:
K12068427
Changing the IKEv1 phase2 authentication algorithm to sha256, sha384, or sha512 does not take effect until the tmipsecd daemon is restarted.
Cannot switch IKEv1 ipsec-policy to sha256, sha384, or sha512 authentication without either restarting BIG-IP or restarting tmipsecd.
If you change the ike-phase2-auth-algorithm attribute (inside an instance of ipsec-policy) to a value of sha256, sha384, or sha512, the resulting config update causes a parse error when racoon receives it. The change therefore does not take effect without a racoon restart.
Restarting the tmipsecd daemon restarts all racoon processes, which re-read the config. IKEv1 IPsec then works correctly with SHA authentication algorithms.
Now tmipsecd sends the correct incremental config description of SHA authentication algorithms to racoon, so that IKEv1 ipsec-policy reconfiguration works immediately without requiring a restart of tmipsecd.