Netgate Discussion Forum

    SG1100 HW Crypto/ IPSEC Issue on 21.02

    Hardware
    6 Posts 2 Posters 444 Views
    • petrpastor

      I have found an issue with HW acceleration on the SG1100 after upgrading from 2.4.5 to version 21.02.
      In the previous version there was no driver for HW crypto acceleration (I had it turned on in Advanced), so it was inactive. After the upgrade the driver is present and the HW crypto accelerator was active. Yesterday I tested everything from home; all OpenVPN tunnels worked fine. But in the morning I found that the remote worker's phone, which uses IPsec/IKE, had opened the tunnel but there was no traffic on IPsec until I turned off HW crypto acceleration. After turning the feature off, the traffic on the IPsec tunnel was no longer affected.

      Petr

      • stephenw10 Netgate Administrator

        So the SG-1100 was at the remote worker's location?

        It was working initially after the upgrade but failed later?

        What ciphers are you using there?

        Steve

        • petrpastor

          Hi,
          No, the setup is simple. I have the SG 1100 as the gateway to a network physically separated from corporate stuff.
          The gateway serves two networks: one with an xcp-ng virtualization server (a really simple PC) running CCTV, digital signage and a few test OSes. The other VLAN is connected to the LAN port on an Avaya PBX, and the remote worker has an Avaya VPN phone which can run only IPsec. So every morning when our remote worker powers up the phone, it opens an IPsec connection to the SG1100 and gets passed to the PBX VLAN.
          I have a few OpenVPN setups: one to access virtual machines from a remote location, and one with which I have tested my home SIP Yealink phone to connect to our PBX. The OpenVPN I tested runs just fine with HW crypto acceleration enabled, and from pure feeling it seems it runs much faster now. Only the IPsec tunnel has a problem, with no traffic running on it (the negotiations of both phase 1 and phase 2 are successful). When I turned the HW crypto acceleration off, traffic on IPsec resumed to normal.

          Petr

          • stephenw10 Netgate Administrator

            Mmm, interesting OK. What encryption ciphers is the IPSec tunnel configured to use?

            Or the OpenVPN tunnels for that matter? Though OpenVPN would not be using it unless you have the crypto framework loaded.

            Steve

            • petrpastor

              Here is the screenshot of the Tunnel setup:

              bac46b64-e3da-4972-88bc-ff777842403e-image.png

              This was the only setup that worked with the Avaya VPN phone (and it was quite a pain to find out).

              Anyway, it works without HW acceleration. And the setup will hopefully be replaced soon when the company switches to VoIP group-wise. Then the deployment of the remote workers will be much simpler and I can remove this remote worker setup and let somebody else be responsible for it.

              Petr

              • stephenw10 Netgate Administrator

                Hmm, interesting. SafeXcel doesn't do 3DES but it might be used for everything else there.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.