Bug ID 900933: IPsec interoperability problem with ECP PFS

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1

Fixed In:
16.1.0, 16.0.1.2, 15.1.4.1, 14.1.4.5

Opened: Apr 19, 2020

Severity: 3-Major

Symptoms

IPsec tunnels fails to remain established after initially working. On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer. This may also immediately present as a problem when trying to establish a second tunnel to the same peer.

Impact

Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.

Conditions

- IPsec IKEv2 tunnel. - A remote peer that is not another BIG-IP system. - Elliptic curve groups (ECP) is used for Perfect Forward Secrecy (PFS).

Workaround

Do not use ECP for PFS.

Fix Information

The ECP PFS state is now correctly maintained and will interoperate with other vendor IPsec products.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips