Operational Defect Database

BugZero found this defect 1068 days ago.

F5 | 1020377

Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon

Last update date:

5/5/2024

Affected products:

BIG-IP

BIG-IP TMOS

Affected releases:

12.0.0

12.0.0 HF1

12.1.0 HF1

12.0.0 HF2

12.1.0 HF2

12.0.0 HF3

12.0.0 HF4

12.1.1 HF1

12.1.1 HF2

12.1.2 HF1

12.1.2 HF2

12.1.0

Fixed releases:

17.0.0

16.1.2

Description:

If an IKEv2 tunnel terminates with an error condition, afterward it is possible for IKE packets to be received by the IKEv1 racoon daemon, which is listening on local host (i.e. 127.0.0.1) on ports 500 and 4500.

Impact

The IKEv2 tunnel does not get renegotiated, because IKE packets reach the IKEv1 daemon, which ignores them, because the proper listener to handle IKEv2 is missing. As a result, tunnel service is interrupted.

To get the problem to occur, you may need these details:

-- an IKEv2 config where traffic selector narrowing happens
-- termination of an IKEv2 tunnel with an error condition
-- some other BIG-IP service using the same local self IP

Packets can reach the IKEv1 racoon daemon only when some BIG-IP service uses bigself as the proxy, which forwards packets to localhost (127.0.0.1) with the same port number. So even if no IKEv1 config is present for a local self IP, if some other BIG-IP service also uses bigself as a proxy, this can forward IKE packe...

Status

Verified
