Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP Install/Upgrade, LTM
Known Affected Versions:
11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1
Opened: Mar 01, 2017
Severity: 3-Major
Related Article: K64739924
IPsec over iSession stops working after upgrading from 11.6.0 to 11.6.1 or later.
IPsec over iSession does not work. This occurs because beginning in 11.6.1, the anonymous IKE-peer is disabled by default. This prevents IPsec over iSession from working.
-- IPsec over iSession configured.
-- Upgrade from 11.6.0 to 11.6.1 or later.
To work around this issue, you can configure iSession to use one-sided iSession and IPsec with NAT traversal. For more information, refer to the Setting Up iSession and IPsec To Use NAT Traversal on One Side of the WAN chapter of the BIG-IP LTM BIG-IP TMOS: Tunneling and IPsec guide.

Impact of workaround: Performing the suggested workaround should not have a negative impact on your system.

Note: The Quick Start : Symmetric Properties of the Configuration utility is considered obsolete due to the lack of support for IKEv2. Using the encapsulation option as outlined in the Setting Up iSession and IPsec To Use NAT Traversal on One Side of the WAN chapter of the BIG-IP LTM BIG-IP TMOS: Tunneling and IPsec guide is meant for demonstration purposes using low security defaults. This configuration is not recommended for use in production environments.

Important: Configuring IPsec IKEv1 with the anonymous IKE-peer General Properties setting of State 'Enabled' can expose a known security vulnerability. This configuration should only be utilized when testing in a closed lab environment. For more information, refer to K10133477: BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736.
None