Bug ID 837889: Duplicate traffic-selectors may result in failure while reloading the configuration or during upgrade

Last Modified: Apr 17, 2024

Affected Product(s):
BIG-IP All, Install/Upgrade(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4

Fixed In:
16.1.0

Opened: Oct 11, 2019

Severity: 2-Critical

Symptoms

Configuring duplicate net ipsec traffic-selectors with one having interface mode ipsec-policy and another having non-interface mode ipsec-policy is allowed, but results in an error on reloading the config, and may fail during upgrades.

Impact

The configuration is allowed, but fails config reload and upgrade, giving the following error: 01070734:3: Configuration error: Duplicate traffic selector is not allowed.

Conditions

-- Adding a second traffic-selector that has the same values for all these five attributes:
   - destination-address
   - destination-port
   - source-address
   - source-port
   - ip-protocol
-- The second traffic-selector ipsec-policy is in interface mode, i.e., has its 'mode' field set to 'interface'.
-- The first traffic-selector has a non-interface ipsec-policy.

Example of two duplicate traffic-selectors (trafsel1 and trafsel2):

    net ipsec ipsec-policy temp-ipsec-policy {
        ike-phase2-auth-algorithm aes-gcm128
        ike-phase2-encrypt-algorithm aes-gcm128
    }
    net ipsec ipsec-policy temp-ipsec-policy-interface {
        ike-phase2-auth-algorithm aes-gcm128
        ike-phase2-encrypt-algorithm aes-gcm128
        mode interface
    }
    net ipsec traffic-selector trafsel1 {
        ipsec-policy temp-ipsec-policy
        source-address 1.1.1.1/32
        source-port texar
    }
    net ipsec traffic-selector trafsel2 {
        ipsec-policy temp-ipsec-policy-interface
        source-address 1.1.1.1/32
        source-port texar
    }

Workaround

Before upgrading: Ensure all pairs of duplicate traffic-selectors have an ipsec-policy configured and that this ipsec-policy is in interface mode, i.e., has its 'mode' field set to 'interface', or ensure any one of the five attributes listed above is unique. This can be done in multiple ways:

1. Change the ipsec-policy of the traffic-selector to take an interface mode ipsec-policy. Example:

    net ipsec ipsec-policy temp-ipsec-policy {
        ike-phase2-auth-algorithm aes-gcm128
        ike-phase2-encrypt-algorithm aes-gcm128
    }
    net ipsec ipsec-policy temp-ipsec-policy-interface {
        ike-phase2-auth-algorithm aes-gcm128
        ike-phase2-encrypt-algorithm aes-gcm128
        mode interface
    }
    net ipsec traffic-selector trafsel1 {
        ipsec-policy temp-ipsec-policy-interface
        source-address 1.1.1.1/32
        source-port texar
    }
    net ipsec traffic-selector trafsel2 {
        ipsec-policy temp-ipsec-policy-interface
        source-address 1.1.1.1/32
        source-port texar
    }

2. Change the mode of ipsec-policy (used by any duplicate traffic-selector) to 'interface'. Example:

    net ipsec ipsec-policy temp-ipsec-policy {
        ike-phase2-auth-algorithm aes-gcm128
        ike-phase2-encrypt-algorithm aes-gcm128
        mode interface
    }
    net ipsec ipsec-policy temp-ipsec-policy-interface {
        ike-phase2-auth-algorithm aes-gcm128
        ike-phase2-encrypt-algorithm aes-gcm128
        mode interface
    }
    net ipsec traffic-selector trafsel1 {
        ipsec-policy temp-ipsec-policy
        source-address 1.1.1.1/32
        source-port texar
    }
    net ipsec traffic-selector trafsel2 {
        ipsec-policy temp-ipsec-policy
        source-address 1.1.1.1/32
        source-port texar
    }

3. Change any one of the five attributes to be unique (e.g., source-address):

    net ipsec traffic-selector trafsel1 {
        ipsec-policy temp-ipsec-policy
        source-address 1.1.2.2/32
        source-port texar
    }
    net ipsec traffic-selector trafsel2 {
        ipsec-policy temp-ipsec-policy-interface
        source-address 1.1.1.1/32
        source-port texar
    }
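A pre-upgrade check for the condition above, as an added example that is not F5 code: it groups traffic-selectors by the five attributes and reports every duplicate group whose members are not all bound to an interface mode ipsec-policy. The function names parse and risky_duplicates are hypothetical. It assumes flat stanzas of 'key value' pairs as in the example config, treats an attribute omitted from two selectors as equal, and counts a selector with no resolvable ipsec-policy as non-interface.

```python
import re
from collections import defaultdict

# The five attributes the bug report compares between traffic-selectors.
KEY_ATTRS = ("destination-address", "destination-port",
             "source-address", "source-port", "ip-protocol")
STANZA = re.compile(
    r"net ipsec (ipsec-policy|traffic-selector) (\S+)\s*\{([^{}]*)\}")


def parse(config):
    """Return (policies, selectors), each as {name: {property: value}}."""
    objs = {"ipsec-policy": {}, "traffic-selector": {}}
    for kind, name, body in STANZA.findall(config):
        tokens = body.split()  # assumption: body is flat 'key value' pairs
        objs[kind][name] = dict(zip(tokens[0::2], tokens[1::2]))
    return objs["ipsec-policy"], objs["traffic-selector"]


def risky_duplicates(config):
    """List groups of duplicate selectors that are not all interface mode."""
    policies, selectors = parse(config)
    groups = defaultdict(list)
    for name, props in selectors.items():
        # Assumption: an omitted attribute has the same default everywhere.
        groups[tuple(props.get(a) for a in KEY_ATTRS)].append(name)

    def interface_mode(sel):
        # A missing or unknown ipsec-policy is counted as non-interface.
        policy = policies.get(selectors[sel].get("ipsec-policy"), {})
        return policy.get("mode") == "interface"

    return [sorted(names) for names in groups.values()
            if len(names) > 1 and not all(map(interface_mode, names))]


# Constructed sample: the duplicate pair trafsel1 / trafsel2 from this report.
SAMPLE = """
net ipsec ipsec-policy temp-ipsec-policy { ike-phase2-auth-algorithm aes-gcm128 ike-phase2-encrypt-algorithm aes-gcm128 }
net ipsec ipsec-policy temp-ipsec-policy-interface { ike-phase2-auth-algorithm aes-gcm128 ike-phase2-encrypt-algorithm aes-gcm128 mode interface }
net ipsec traffic-selector trafsel1 { ipsec-policy temp-ipsec-policy source-address 1.1.1.1/32 source-port texar }
net ipsec traffic-selector trafsel2 { ipsec-policy temp-ipsec-policy-interface source-address 1.1.1.1/32 source-port texar }
"""

if __name__ == "__main__":
    for group in risky_duplicates(SAMPLE):
        print("duplicate traffic-selectors, not all interface mode:", group)
```

An empty result means no duplicate group matches the conditions; each reported group needs one of the three changes listed above before the reload or upgrade.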

Fix Information

Modify the config of duplicate traffic-selectors to have their ipsec-policy set to "interface" mode or make any one of the five attributes noted above unique.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips