• Site to Site VPN - Established and 'Installed'/Connected

    4
    0 Votes
    4 Posts
    1k Views
    A

    @konstanti Hi, thanks for coming back to me.

    I have a Network Alias with all of my subnets, on both sides, attached to the Alias.

    I have Allow All for the alias networks.

  • Adding IPv6 dual-stack to IPv4 IPSec tunnel

    1
    0 Votes
    1 Posts
    743 Views
    No one has replied
  • unable to ping between routers and from routers to LANs

    8
    0 Votes
    8 Posts
    1k Views
    V

    @scarrrr
    So both p2 seem to be up as well. No idea then, why you can't access the remote site.
    Maybe there are different routes for the remote networks?

  • Crash on ping after connection

    1
    0 Votes
    1 Posts
    580 Views
    No one has replied
  • Port Forwarding over IPsec ?

    4
    0 Votes
    4 Posts
    1k Views
    M

    @viragomann Just wanted to thank you! This was something I had been trying to do as well and solved my problem!

  • IPSEC with QAT - low performance (Netgate CPIC-8955)

    2
    1 Votes
    2 Posts
    966 Views
    A

    Hi, I didn't solve it even after updating to 23.01-RELEASE (amd64), FreeBSD 14.0-CURRENT. Can someone help me please?
    I am additionally attaching the openssl rdrand and devcrypto tests, between which there is no difference; I get the same result without the QAT card on AES-NI.

    WITH HARDWARE ACCELERATION (rdrand + devcrypto):

    /root: openssl engine
    (devcrypto) /dev/crypto engine
    (rdrand) Intel RDRAND engine
    (dynamic) Dynamic engine loading support
    /root: openssl speed -engine rdrand -evp aes-128-gcm
    engine "rdrand" set.
    Doing aes-128-gcm for 3s on 16 size blocks: 109473266 aes-128-gcm's in 3.15s
    Doing aes-128-gcm for 3s on 64 size blocks: 59620644 aes-128-gcm's in 3.06s
    Doing aes-128-gcm for 3s on 256 size blocks: 37145965 aes-128-gcm's in 3.05s
    Doing aes-128-gcm for 3s on 1024 size blocks: 12758891 aes-128-gcm's in 3.07s
    Doing aes-128-gcm for 3s on 8192 size blocks: 1961291 aes-128-gcm's in 3.06s
    Doing aes-128-gcm for 3s on 16384 size blocks: 1004601 aes-128-gcm's in 3.09s
    OpenSSL 1.1.1t-freebsd 7 Feb 2023
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128-gcm     556330.64k  1245949.78k  3121023.03k  4255301.17k  5246333.35k  5320204.54k
    /root: openssl speed -engine devcrypto -evp aes-128-gcm
    engine "devcrypto" set.
    Doing aes-128-gcm for 3s on 16 size blocks: 109588628 aes-128-gcm's in 3.09s
    Doing aes-128-gcm for 3s on 64 size blocks: 58764133 aes-128-gcm's in 3.08s
    Doing aes-128-gcm for 3s on 256 size blocks: 36989212 aes-128-gcm's in 3.08s
    Doing aes-128-gcm for 3s on 1024 size blocks: 12517930 aes-128-gcm's in 3.03s
    Doing aes-128-gcm for 3s on 8192 size blocks: 1892616 aes-128-gcm's in 3.01s
    Doing aes-128-gcm for 3s on 16384 size blocks: 962895 aes-128-gcm's in 3.02s
    OpenSSL 1.1.1t-freebsd 7 Feb 2023
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128-gcm     566761.39k  1221816.69k  3076300.76k  4228737.43k  5154679.78k  5217925.52k

    NO HARDWARE ACCELERATION:

    /root: openssl engine
    (rdrand) Intel RDRAND engine
    (dynamic) Dynamic engine loading support
    /root: openssl speed -engine rdrand -evp aes-128-gcm
    engine "rdrand" set.
    Doing aes-128-gcm for 3s on 16 size blocks: 102136466 aes-128-gcm's in 3.01s
    Doing aes-128-gcm for 3s on 64 size blocks: 60435126 aes-128-gcm's in 3.16s
    Doing aes-128-gcm for 3s on 256 size blocks: 36288986 aes-128-gcm's in 3.04s
    Doing aes-128-gcm for 3s on 1024 size blocks: 12394560 aes-128-gcm's in 3.03s
    Doing aes-128-gcm for 3s on 8192 size blocks: 1920849 aes-128-gcm's in 3.00s
    Doing aes-128-gcm for 3s on 16384 size blocks: 1021912 aes-128-gcm's in 3.18s
    OpenSSL 1.1.1t-freebsd 7 Feb 2023
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128-gcm     543312.94k  1225456.81k  3056857.31k  4187061.26k  5245198.34k  5265613.75k
    /root: openssl speed -engine devcrypto -evp aes-128-gcm
    invalid engine "devcrypto"
  • After IPSec Connect from iOS my 4100 reboots

    5
    0 Votes
    5 Posts
    1k Views
    R

    @nogbadthebad Thanks for sharing that config.
    I will make some experiments with the settings.
    Currently I am trying to catch the error on the console. Still no success. Still no more sudden reboots.

  • IPSEC : Disconnection while rekeying P2s

    1
    0 Votes
    1 Posts
    571 Views
    No one has replied
  • 23.01 Keep Alive - Where is it

    37
    0 Votes
    37 Posts
    8k Views
    T

    @dalicollins Sad but true!

    There is nothing quite like a tongue lashing from one of the Gurus.

    Ted Quade

  • IPSec Issue After 23.01 Upgrade

    Moved
    11
    0 Votes
    11 Posts
    3k Views
    jimp

    @renegade said in IPSec Issue After 23.01 Upgrade:

    I have an ios device with ipsec to my 4100.
    After activation the tunnel works fine.
    When the iphone gets in standby (no user interaction) the 4100 reboots without any error message or crash dump :-(

    That wouldn't be related to this thread, so you should start a new one just for that. And there would have to be either an error message or a crash dump somewhere, even if it's only printed to the serial console. You should attach a serial console client and log all the output while you try to make the crash happen again.

  • Disable IPsec Tunnel by cli

    1
    0 Votes
    1 Posts
    532 Views
    No one has replied
  • Help with NAT through IPSec VTI Mode

    1
    0 Votes
    1 Posts
    487 Views
    No one has replied
  • NAT Not Working with IPsec Tunnel

    2
    0 Votes
    2 Posts
    1k Views
    J

    I was finally able to solve this by:

    Setting my Local Network as my actual local network rather than the Virtual IP in the Ph2 config. Then, I set the NAT/BINAT translation option to what the required source IP must be for the IPsec tunnel. Didn't even need Virtual IP or NAT rules for any of it 🥴

  • IPsec VPN - P2 does not come up

    7
    0 Votes
    7 Posts
    1k Views
    A

    @viragomann thanks again! I will try it asap and come back with the results!

  • MacOS Ventura and IPSec Mobile Clients

    15
    0 Votes
    15 Posts
    2k Views
    M

    Turns out my issue was within phase 2 on the tunnel. I mistakenly unchecked "SHA384". Smh...... Just wanted to share.

  • IPsec Mobile > IPsec Tunnel with Specific Source IP

    1
    0 Votes
    1 Posts
    487 Views
    No one has replied
  • 0 Votes
    5 Posts
    1k Views
    U

    Hi @efriedman, thank you for your advice. I will try to switch to WireGuard.

  • pfSense IPsec failover issue

    1
    0 Votes
    1 Posts
    716 Views
    No one has replied
  • IPSEC tunnels after 23.01 - advice

    1
    0 Votes
    1 Posts
    643 Views
    No one has replied
  • ipsec connection got unstable (dropping after 20s) after upgrade to 2.6.0

    1
    0 Votes
    1 Posts
    585 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.