Bug ID 679135: IKEv1 and IKEv2 cannot share common local address in tunnels

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1

Fixed In:
14.0.0, 13.1.1.2, 12.1.3.6

Opened: Aug 17, 2017

Severity: 4-Minor

Symptoms

When IKEv1 and IKEv2 IPsec tunnels are configured to use the same local IP address, either all the IKEv1 or all the IKEv2 tunnels will not establish. Note: This is as designed: the system does not support using the same local self IP to establish both IKEv1 and IKEv2 tunnels. However, the system does not prevent it, and there is no indication of the reason for the failure.

Impact

Either the IKEv1 or IKEv2 tunnel will not work, because the listener for that tunnel fails to establish. Usually the IKEv1 tunnel will not work after tmm restart or BIG-IP reboot.

Conditions

-- Use the same self IP as the local address of an IPsec tunnel for IKEv1, as well as the local address of a tunnel for IKEv2. -- Try to create competing listeners.

Workaround

Use another self IP for the tunnel local address to keep IKEv1 and IKEv2 local tunnel addresses separate. Note: If IKEv1 tunnels use one local address, while IKEv2 tunnels use another, everything works as expected.

Fix Information

Logging in /var/log/ltm now reveals failure to establish listener, along with a suggestion to avoid sharing one local address across IKEv1 and IKEv2 tunnels.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips