IBM Support

SI43163 - INCORROUT-TCPIP IKEv2 responder not protecting IKE_AUTH w/No

PTF Cover Letter


PTF ( Program Temporary Fixes ) Cover letter


Order this fix

Abstract

INCORROUT-TCPIP IKEv2 responder not protecting IKE_AUTH w/No


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED      PTF/FIX  LEVEL

TYPE PROGRAM  REL  NUMBER   MIN/MAX  OPTION
---- -------- ---  -------  -------  ------
NONE



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.





APAR Error Description / Circumvention

-----------------------------------------------
If 'i' as a responder for IKEv2 detects an error such as
NO_PROPOSAL_CHOSEN or TS_UNACCEPTABLE on IKE_AUTH, it appends
the notify to IKE_AUTH reply, but doesn't protect the message.

CORRECTION FOR APAR SE47452 :
-----------------------------
With PTF, IKE_AUTH is protected.

CIRCUMVENTION FOR APAR SE47452 :
--------------------------------
None.


Activation Instructions


None.




Special Instructions


Perform the following after PTF is applied/removed:
endtcpsvr *vpn
strtcpsvr *vpn

********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI41907 :
=================================================

After apply/remove this PTF, perform the following:
endtcpsvr *vpn
strtcpsvr *vpn

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI41473 :
=================================================

After load/remove this PTF, perform the following:
endtcpsvr *vpn
strtcpsvr *vpn

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI39929 :
=================================================

After apply/remove of this PTF, perform the following
endtcpsvr *vpn
strtcpsvr *vpn

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI38988 :
=================================================

After apply/remove of this PTF, perform the following:
endtcpsvr *vpn
strtcpsvr *vpn

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI36896 :
=================================================

After PTF apply/remove, perform the following:
endtcpsvr *vpn
strtcpsvr *vpn


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI41907      TCPIP-INCORROUT IKEv2 cfg addr not freed after Win7 disc
   SI41473      OSP-COMM-TCPIP-OTHER-UNPRED IKE SERVER CRASHES
   SI41203      TCPIP-INCORROUT IKEv2 sending incorrect TS for subnet
   SI39929      TCPIP-INCORROUT memory leak in VPN IKEv2
   SI39929      TCPIP-INCORROUT  handle unknown Notify error in IKE_AUTH
   SI39929      TCPIP-INCORROUT IKEv2 fails if no CERTREQ
   SI39929      TCPIP-INCORROUT  IKE_SA_INIT reply when response set
   SI39243      TCPIP-INCORROUT Flag AES-XCBC-MAC unsupported for IKEv1
   SI38988      TCPIP-INCORROUT  VPN conn still enabled after IKE_SA delete
   SI38560      TCPIP-INCORROUT Ping to Strongswan fails after IKE_SA expire
   SI38560      TCPIP-INCORROUT Preshared key auth fails w/ AES-XCBC-MAC
   SI38476      TCPIP-INCORROUT Connection fails to IKEv2 Linux with AES-XCB
   SI38476      TCPIP-INCORROUT IKEv1 request times out if IKEv2 traffic
   SI38391      TCPIP-INCORROUT IKE_AUTH ICV check fails
   SI36896      OSP-COMM-TCPIP-OTHER-INCORROUT QTOKVPNIKE HIGH CPU
   SI36896      TCPIP-INCORROUT IKEv2 invalid KE payload
   SI36896      OSP-COMM-TCPIP MSGTCP8745 TIMING ISSUES WITH VPN CONNECTIONS
   SI36896      TCPIP-INCORROUT process COOKIE payload
   SI36546      TCPIP-INCORROUT  Ikev2 Second conn start treated as rekey
   SI36546      TCPIP-INCORROUT IKEv2 error notify replies
   SI36546      TCPIP-INCORROUT Narrowed protocol from connection properties

Summary Information

System..............................  i
Models..............................  
Release.............................  V7R1M0
Licensed Program....................  5770SS1
APAR Fixed..........................  View details for APAR SE47452
Superseded by:......................  View fix details for PTF SI80252
Recompile...........................  N
Library.............................  QSYS
MRI Feature ........................  NONE
Cum Level...........................  C2115710


IBM i Support

IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0","Product":{"code":"SWG60","label":"IBM i"},"Component":"5770SS1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}]

Document Information

Modified date:
17 June 2022