Bug ID 648264: IPsec over iSession stops working after upgrading to 11.6.1 from 11.6.0

Last Modified: Oct 24, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade, LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1

Opened: Mar 01, 2017
Severity: 3-Major
Related AskF5 Article:
K64739924

Symptoms

IPsec over iSession stops working after upgrading from 11.6.0 to 11.6.1 or later.

Impact

IPsec over iSession does not work. This occurs because beginning in 11.6.1, the anonymous IKE-peer is disabled by default. This prevents IPsec over iSession from working.

Conditions

-- IPsec over iSession configured. -- Upgrade from 11.6.0 to 11.6.1 or later.

Workaround

To work around this issue, you can configure the iSession configuration to use one sided iSession and IPsec to NAT traversal. For more information, refer to the Setting Up iSession and IPsec To Use NAT Traversal on One Side of the WAN chapter of the BIG-IP LTM BIG-IP TMOS: Tunneling and IPsec guide. Impact of workaround: Performing the suggested workaround should not have a negative impact on your system Note: The Quick Start : Symmetric Properties of the Configuration utility is considered obsolete due to the lack of support for IKEv2. Using the encapsulation option as outlined in the Setting Up iSession and IPsec To Use NAT Traversal on One Side of the WAN chapter of the BIG-IP LTM BIG-IP TMOS: Tunneling and IPsec guide is meant for demonstration purposes using low security defaults. This configuration is not recommended for use in production environments. Important: Configuring IPsec IKEv1 with the anonymous IKE-peer General Properties setting of State 'Enabled', can expose a known security vulnerability. This configuration should only be utilized when testing in a closed lab environment. For more information refer to: K10133477: BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736

Fix Information

None

Behavior Change