Bug ID 646890: IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512

Last Modified: Oct 10, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.3.4

Opened: Feb 22, 2017
Severity: 3-Major
Related AskF5 Article:
K12068427

Symptoms

Changing the IKEv1 phase2 authentication algorithm to sha256, sha384, or sha512 does not work immediately, without a restart of the tmipsecd daemon.

Impact

Cannot switch IKEv1 ipsec-policy to sha256, sha384, or sha512 authentication without either restarting BIG-IP or restarting tmipsecd.

Conditions

If you change the ike-phase2-auth-algorithm attribute (inside an instance of ipsec-policy) to a value of sha256, sha384, or sha512, this causes a parse error when received by racoon. Thus the change does not take affect without a racoon restart.

Workaround

Restarting the tmipsecd daemon causes a restart of all racoon processes, which causes the config to be re-read and then IKEv1 IPsec works correctly with SHA authentication algorithms.

Fix Information

Now tmipsecd sends the correct incremental config description of SHA authentication algorithms to racoon, so that IKEv1 ipsec-policy reconfiguration works immediately without requiring a restart of tmipsecd.

Behavior Change