Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense+ 21.02.2 IPSec / AES-NI issues

    Scheduled Pinned Locked Moved
    IPsec
    2
    2
    297
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      wabbitde
      last edited by

      Hi all,

      the release notes of 21.02.2 contain known issues, so the problem is solved, but i wanted to throw some notes out there.

      I have a Netgate XG-7100 which now runs pfSense+ since earlier this year. I have a pfSense CE running 2.4.5 on a cloud appliance. We have an IPSec tunnel between them, which stopped working when i upgraded the XG to the latest version. Traffic went through from XG -> Cloud, but all Cloud -> XG traffic was disappearing. Disabling the hardware crypto solved the issue.

      Because we are a small company without a lab environment to test this first, i have a pfSense running at home on an old CheckPoint device. I used to test upgrades there. So i established an IPSec with the same settings (using the copy button) between it and the XG and that somehow works. My home pfSense is running 2.5.1

      In short 21.02.2 <-> 2.4.5 isn't working, 21.02.2 <-> 2.5.1 is working.

      Couple other things I've noticed while troubleshooting this:

      • the new PRF setting on IPSec isn't available on existing IPSec and only appears in the advanced section on new tunnels

      • in a backup, the PRF of existing tunnels (where it wasn't set) is backed up as MD5 (first of the list). According to the Algo info on the IPsec however the current working PRF is SHA2_512. I would assume that during a restore the MD5 gets wrongly restored

      This is the first time i had real trouble with a patch. It would be nice if there is an UNDO feature to the previous patch level. This is a reason why our Cloud device is on 2.4. The major changes are scary to apply onto a device not supported by anyone and re-installing it from scratch will take days. IBM Cloud has very complex VLAN configurations.

      As i said, problem is solved by disabling hardware crypto, but maybe some improvements can be made in the next patch set around all this. This is a bit more than just a "known issue"

      Rob

      1 Reply Last reply Reply Quote 0
      • N
        NOCling
        last edited by

        Do you try Intel Quick Assist?
        It shouldn't be affected.

        Netgate 6100 & Netgate 2100

        1 Reply Last reply Reply Quote 0
        • First post
          Last post