Bug ID 685442: racoon daemon for IPsec IKEv1 listens on 0.0.0.0

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product: BIG-IP TMOS (all modules)

Fixed In: 14.0.0

Opened: Sep 26, 2017
Severity: 2-Critical

Symptoms

The racoon daemon binds to all addresses on the Linux host.

Impact

- IPsec tunnels may be established on unexpected IP addresses on the BIG-IP system.
- Port scans or security audits may show the IPsec service on unexpected IP addresses.

Conditions

When the IKEv1 racoon daemon processes the config file written by tmipsecd.

Workaround

No workaround.

Fix Information

The auto-generated racoon daemon config file no longer directs the daemon to listen on the 0.0.0.0 'any' address.

Behavior Change

In previous releases, the racoon daemon would bind to all addresses on the Linux host. In this version, the IKEv1 racoon daemon no longer listens on 0.0.0.0.
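The following is an added example, not part of the F5 bug record and not F5 code: a small POSIX shell check that flags IKE (UDP 500) and NAT-T (UDP 4500) sockets bound to a wildcard address, which is the symptom this bug describes. It assumes the socket listing is in the column layout of `ss -lnu` (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port); the sample listings embedded in the block are constructed, one reproducing the pre-fix behaviour and one the fixed behaviour.

```shell
#!/bin/sh
# Added example (not from the bug record): detect IKE/NAT-T UDP listeners
# bound to a wildcard address. Input format assumed: `ss -lnu` columns.

# Constructed sample: racoon bound to 0.0.0.0 (pre-14.0.0 behaviour described above).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:500       0.0.0.0:*
UNCONN 0      0      0.0.0.0:4500      0.0.0.0:*
UNCONN 0      0      127.0.0.1:323     0.0.0.0:*
UNCONN 0      0      192.0.2.10:500    0.0.0.0:*'

# Constructed sample: racoon bound only to a specific (hypothetical) address.
FIXED_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      192.0.2.10:500    0.0.0.0:*
UNCONN 0      0      192.0.2.10:4500   0.0.0.0:*
UNCONN 0      0      127.0.0.1:323     0.0.0.0:*'

# Reads ss-style lines on stdin; prints each Local Address:Port on UDP 500 or
# 4500 whose address is a wildcard (0.0.0.0, *, :: or [::]). Always exits 0.
find_wildcard_ike() {
    awk '
        NR == 1 && $1 == "State" { next }     # skip the ss header line
        {
            la = $4                           # Local Address:Port column
            n = split(la, parts, ":")
            port = parts[n]                   # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if ((port == "500" || port == "4500") &&
                (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]"))
                print la
        }'
}

# Convenience wrapper: number of wildcard IKE listeners in the given listing.
count_wildcard_ike() {
    printf '%s\n' "$1" | find_wildcard_ike | wc -l | tr -d ' '
}

# Stand-alone run: report on both constructed listings.
echo "wildcard IKE listeners (pre-fix sample): $(count_wildcard_ike "$SAMPLE_SS_OUTPUT")"
echo "wildcard IKE listeners (fixed sample):   $(count_wildcard_ike "$FIXED_SS_OUTPUT")"
```

On a live host the same function can be fed real output (`ss -lnu | find_wildcard_ike`); any line it prints is an IKE socket reachable on every address of the box, which is what the audit finding in the Impact section above looks like from the host side.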