[Solved] IPSec 2.2.2 -> 2.2.3 Connected but no traffic
-
I upgraded 3 of my boxes to 2.2.3 and now my S2S tunnels don't allow traffic (in any direction)
B -> A <- C
Mobile VPN still working. (Edit: that was because on box C, where I tested Mobile VPN, AES-NI is disabled)
RSA / AES256 / SHA256 / DH5
3 P2 entries (tried it with only 1 - same issue)
Anyone else with the same issue? I currently don't have time for further testing.
Edit:
As a workaround I deactivated AES-NI as suggested in https://redmine.pfsense.org/issues/4791
-
Yes, I think I have exactly the same issue;
https://forum.pfsense.org/index.php?topic=95633.0
The tunnels are there but no traffic is passing through…
-
Hi,
Having the same issue too. VPN up (to Amazon), but no traffic flowing.
-=david=-
-
Yup, I can confirm that too.
-
Exactly the same behavior here.
-
Yep. Happening to mine as well. Hopefully a quick fix is on the way.
-
Not to pile on, but I can also confirm this. IPsec doesn't work at all in 2.2.3
-
Hi,
Bug created for further investigation.
https://redmine.pfsense.org/issues/4791
-=david=-
-
Yep. Seems the temporary fix is to disable AES-NI in pfSense and reboot. I will try this tonight when I get home. Devs identified the patch and will roll it back to the previous version in the 2.2.4 snapshot.
-
I am happy to report that disabling AES-NI in pfSense and rebooting fixes the IPsec issue. Great work finding a quick fix. The next update will have this issue resolved. For now we're happy campers.
-
I am happy to report that disabling AES-NI in pfSense and rebooting fixes the IPsec issue.
That's great news.
Are you using pre-shared keys or RSA certificates for authentication?
-
I am using pre-shared keys.
-
Worked for us too, on all 16 firewalls we have running. Most of them are 4860s or C2758s from pfSense, so 2.2.4 will be nice to have pushed ASAP; hard to explain stuff like this to customers.
-
Hi all,
Same issue spotted here. Rolled back to 2.2.2 and waiting for 2.2.4.
One word of advice, or more correctly a user request:
When you are fixing the AES-NI library, could you also fix it so it works under a hypervisor?
Last time we discussed this on this forum, the dev statement was that you are using your own lib based on the original BSD one.
Regards, Zanon.
-
Same issue here.
Disabling AES-NI and rebooting seemed to fix it. Thanks to whoever discovered the issue.
-
I just disabled AES-NI and rebooted and it works for me as well. We have dual redundant firewalls as they are production, so I will wait to update the second one entirely until 2.2.4 is ready. I hope that is soon; disabling AES-NI seems to have a performance impact on our OpenVPN tunnel performance, as I suppose one should expect with AES-CBC. :P