IPSec tunnel problems after pfSense 2.2.3 upgrade
-
I've left the hash as SHA1 in all trials… I had success with 3DES for quick mode, left main mode as AES:
On the pfSense side, I only changed the enc for phase 2 from aes to 3des, everything else the same.
Similarly on OpenBSD, just a single quick mode change from aes to 3des
Doesn't work with 2.2.3
ike dynamic esp from 192.168.87.0/24 to { 172.29.200.0/24, 192.168.77.0/24 } peer 2.2.2.80
main auth hmac-sha1 enc aes group modp1024 lifetime 28800
quick auth hmac-sha1 enc aes group modp1024 lifetime 3600
srcid 1.1.1.251 dstid 2.2.2.80 psk xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxWorks with 2.2.3
ike dynamic esp from 192.168.87.0/24 to { 172.29.200.0/24, 192.168.77.0/24 } peer 2.2.2.80
main auth hmac-sha1 enc aes group modp1024 lifetime 28800
quick auth hmac-sha1 enc 3des group modp1024 lifetime 3600
srcid 1.1.1.251 dstid 2.2.2.80 psk xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -
The issue here is the encryption type set on the Phase2 only. If anyone is seeing something different please say so.
The cause seems to be the AES-NI module that is trying to decrypt traffic that it can't so an alternative solution is to disable the AES-NI module if you must use AES-CBC for example.Is anybody here NOT using the AES-NI module/AES-NI capable hardware?
Steve
-
I tried a fresh CD install of 2.2.3 on the remote host but still no luck. My phase 1 fails using RSA certs. So my problem may be useful aid to diagnosis as it shows:-
1. I cannot establish Phase 1
2. I am using 3DES SHA1 for P1 and P2
3. My logs for 2.2.3 show the key exchange AUTHENTICATION_FAILEDWhat makes my case different? I am using hardware crypto at each end.
Jun 26 18:47:53 charon: 06[IKE] <con1|2> received AUTHENTICATION_FAILED notify error Jun 26 18:47:53 charon: 06[IKE] <con1|2> received AUTHENTICATION_FAILED notify error Jun 26 18:47:53 charon: 06[ENC] <con1|2> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] Jun 26 18:47:53 charon: 06[NET] <con1|2> received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (68 bytes) Jun 26 18:47:52 charon: 06[NET] <con1|2> sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (512 bytes) Jun 26 18:47:52 charon: 06[NET] <con1|2> sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (544 bytes) Jun 26 18:47:52 charon: 06[NET] <con1|2> sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (544 bytes) Jun 26 18:47:52 charon: 06[NET] <con1|2> sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (544 bytes) Jun 26 18:47:52 charon: 06[ENC] <con1|2> generating IKE_AUTH request 1 [ EF(4/4) ] Jun 26 18:47:52 charon: 06[ENC] <con1|2> generating IKE_AUTH request 1 [ EF(3/4) ] Jun 26 18:47:52 charon: 06[ENC] <con1|2> generating IKE_AUTH request 1 [ EF(2/4) ] Jun 26 18:47:52 charon: 06[ENC] <con1|2> generating IKE_AUTH request 1 [ EF(1/4) ] Jun 26 18:47:52 charon: 06[ENC] <con1|2> splitting IKE message with length of 1972 bytes into 4 fragments Jun 26 18:47:52 charon: 06[ENC] <con1|2> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(IPCOMP_SUP) N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ] Jun 26 18:47:52 charon: 06[IKE] <con1|2> establishing CHILD_SA con1 Jun 26 18:47:52 charon: 06[IKE] <con1|2> establishing CHILD_SA con1 Jun 26 18:47:52 charon: 06[IKE] <con1|2> sending end entity cert "C=GB, ...</con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2> -
The issue here is the encryption type set on the Phase2 only. If anyone is seeing something different please say so.
The cause seems to be the AES-NI module that is trying to decrypt traffic that it can't so an alternative solution is to disable the AES-NI module if you must use AES-CBC for example.Is anybody here NOT using the AES-NI module/AES-NI capable hardware?
Steve
Can confirm, disabled AES-NI on the 2.2.3 device and now the tunnels work in the original configuration. Does that leave room for hope that a fix won't be too tough, since 2.2.2 still works fine with the AES-NI component enabled? It's just the kernel module loaded for the hardware aes?
-
I can confirm that everything is working after switching across to 3DES for phase 2 (algorithm SHA1)
I did not have the AES-NI module enabled on my box at any point.
Thanks guys - Hopefully we'll see a fix for AES fairly soon :)
Chris
-
https://redmine.pfsense.org/issues/4791
might be "fixed"in the snapshots dating after renato's comments
-
Still does not work for me, even if not using AES encryption
Here is my setup:
- On PFSense 2.2.3:
- On cisco RV042:
And the results are
on PFSense:
on RV042:
Now the logs show incomplete ISAKMP SA on the RV042
and conn unrouted on PFSense
Of course, no machine on the remote VPN side can be reached.
I don't really think it's a AES issue here, since I'm not using it…. or am I doing something wrong ???
Everything was fine on PFSense 2.2.2Thanks for any suggestion
-
That looks like an identifier mismatch, nothing to do with this bug.
The Linksys is complainiung about the identifier sent by pfSense being an FQDN not an IP.Steve
-
Thanks a lot Stephen.
You're a life savior.
One quick question, regarding something I don't understand
My identifier: My IP Address (does it take the WAN IP Address here) ?
Peer identifier: Peer IP Address (does it take the IP/host name of remote gateway ?)Thanks a lot.
-
You can use IP addresses for your identifiers but they are not much use unless the WAN IP addresses at each end are both static. The IP address identifier is just for IP addresses not hostnames.
If you have one or more WAN interfaces with dynamic IP addresses you should use an identifier that doesn't change.
If you have a resolvable hostname for your pfSense host and another for your Linksys host you could use the Distinguished Name type like in this example:-
On pfSense
My Identifier: Distinguished Name: pfsense.mydynamic.dns
Peer Identifier: Distinguished Name: linksys.mydynamic.dnsOn Linksys
My Identifier: Distinguished Name: linksys.mydynamic.dns
Peer Identifier: Distinguished Name: pfsense.mydynamic.dns -
Am I the only one on this thread that was using RSA Certificate authentication on 2.2.2?
-
Hi,
I have had some contact with pfSense Support and they have narrowed down the problem.
-quote-
Expect 2.2.4 out soon!
For now, simply disable AES-NI from System > Advanced, Misc, set Crypto Acceleration to None, and then reboot.
-end-of-quote-I can confirm that this workaround is working for me!
Kind regards,
Rene. -
@RMB:
I can confirm that this workaround is working for me!
Are you using Pre Shared Keys or RSA Certificates for authentication?
-
I am using Preshared Keys.
-
Thanks. Using PSK works for me too, but I would rather use certs instead.
I don't think that the AES patch rollback will make any difference to the issue I am experiencing which is a failure to establish a P1 with RSA Certs and 3DES.
I suspect that I could be the only one using RSA Certs with site-to-site IPsec VPN on pfSense as more people would have spotted this.
I really wish 2.2.3 was just a GUI XSS fix. -
I suspect that I could be the only one using RSA Certs with site-to-site IPsec VPN on pfSense as more people would have spotted this.
I really wish 2.2.3 was just a GUI XSS fix.Mutual RSA works here with 2.2.3 on pfS -> pfS (2.2.3)
-
Obviously we haven't tested with whatever hardware crypto cards you are using but the base FreeBSD hasn't changed so I wouldn't have expected them to fail.
Does it work if you choose not to use the hardware encryption?Steve
-
Mutual RSA works here with 2.2.3 on pfS -> pfS (2.2.3)
Excellent!
Can you tell me if you are using IP:value references in your certs or DNS:value references?I am using DNS:value references because one end of the VPN is on a dynamic IP with dynamic DNS. It works on 2.2.2 perhaps StrongSwan 5.3.2 is looking for something in my certs that 5.3.0 doesn't need. I'm thinking this has something to do with reqid.
-
Does it work if you choose not to use the hardware encryption?
I will try building two test boxes without crypto cards next week.
OpenSSL version hasn't changed so I'm fairly confident this isn't the problem. -
OpenSSL version hasn't changed so I'm fairly confident this isn't the problem.
That cannot be automatically assumed because of:
FreeBSD patches OpenSSL without changing the version number.
https://forum.pfsense.org/index.php?topic=91461.msg532876#msg532876
