Bug ID 689211: IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.2, 12.1.3,,,,,,, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,,, 13.1.1,,

Fixed In:

Opened: Oct 18, 2017

Severity: 4-Minor


If you accidentally change an ike-peer version to { v1 v2 } for both IKEv1 and IKEv2 support then IKEv1 does not work when version is changed to { v1 }. Note: This is not a recommended action. Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.


IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.


Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.


After changing version to v1 alone, issue the following command to have the config work correctly: bigstart restart

Fix Information

Added check for the IPv6 flag in the packet, in addition to testing for a v4-in-v6 address; this corrects the corner case of an address containing all zero when forwarded.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips