Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    2.4.3 iOS Client Fails on AES-NI Active, but Works with AES Off

    Scheduled Pinned Locked Moved IPsec
    2 Posts 1 Posters 443 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      stevemac00
      last edited by

      I started this post https://forum.pfsense.org/index.php?topic=146696.0
      but changed to new post because I've narrowed down what appears to be a significant observation.

      History:
      I've had AES-NI CPU Crypto: Yes (active) and never had a problem with IPsec clients.
      I updated pfSense to 2.4.3-RELEASE and FreeBSD 11.1-RELEASE-p7
      I started having VPN connection problems from iOS (but MacOS was fine). See post https://forum.pfsense.org/index.php?topic=146696.0

      Today I set System->Advanced->Misc->Cryptographic Hardware = None and rebooted.
      Now every device connects to VPN again!

      Additional Information:
      As mentioned, the MacOS clients always connected and the iOS clients would randomly connect (but not often).
      The iOS clients would authenticate then (from log) "reinitiating already active tasks" and run the "XAUTH task" again which caused the client to disconnect. (See other post above for logs.)
      I tried the patch fad13c4142bba5c24e2a1d4739d46a5ff9c7ed19 but it didn't make any obvious difference.

      1 Reply Last reply Reply Quote 0
      • S
        stevemac00
        last edited by

        Switched to IKEv2, set AES-NI CPU Crypto: Yes (active) and all is good.
        Encryption: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_384

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.