Netgate Discussion Forum
    FW to FW IPSEC w/hardware AES failing

    IPsec
      Dyk Evans
      last edited by Dyk Evans

      I am trying to connect two modern (i5/i7) pfSense firewalls with the most current 2.4.3.p1 software (and CPUs which do support the AES-NI etc. extensions). One at one location, one at another.

      I have AES256-GCM selected in Phase 1 and AES XCBC

      No matter what form of AES GCM I try, the two machines won't sync. Please note I have tried this several times and on multiple fresh installs.

      Note: about a month ago I had this working with AES GCM on both sides but I had to change around hardware. Ever since I haven't been able to get the two sides to connect.

      From Dashboard:
      Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
      Current: 3200 MHz, Max: 3201 MHz
      4 CPUs: 1 package(s) x 4 core(s)
      AES-NI CPU Crypto: Yes (active)

      Here is the typical IPsec error log (snipped):

      Jun 27 20:03:17 charon 12[CFG] ike=aes128gcm-aesxcbc-modp4096!
      Jun 27 20:03:17 charon 12[CFG] esp=aes256gcm128-aesxcbc!
      Jun 27 20:03:17 charon 12[CFG] dpddelay=10
      Jun 27 20:03:17 charon 12[CFG] dpdtimeout=60
      Jun 27 20:03:17 charon 12[CFG] dpdaction=3
      Jun 27 20:03:17 charon 12[CFG] sha256_96=no
      Jun 27 20:03:17 charon 12[CFG] mediation=no
      Jun 27 20:03:17 charon 12[CFG] keyexchange=ikev2
      Jun 27 20:03:17 charon 12[CFG] algorithm 'aes128gcm' not recognized
      Jun 27 20:03:17 charon 12[CFG] skipped invalid proposal string: aes128gcm-aesxcbc-modp4096

      Jun 27 20:03:17 charon 09[CFG] received stroke: route 'con1'
      Jun 27 20:03:17 charon 09[CFG] no config named 'con1'
      Jun 27 20:03:17 ipsec_starter 29066 no config named 'con1'
      Jun 27 20:03:25 charon 12[CFG] vici client 5 connected
      Jun 27 20:03:25 charon 09[CFG] vici client 5 registered for: list-sa
      Jun 27 20:03:25 charon 09[CFG] vici client 5 requests: list-sas
      Jun 27 20:03:25 charon 12[CFG] vici client 5 disconnected
      Jun 27 20:03:26 charon 09[CFG] received stroke: terminate 'con1'
      Jun 27 20:03:26 charon 09[CFG] no IKE_SA named 'con1' found
      Jun 27 20:03:26 charon 12[CFG] received stroke: initiate 'con1'
      Jun 27 20:03:26 charon 12[CFG] no config named 'con1'
      Jun 27 20:03:27 charon 12[CFG] vici client 6 connected
      Jun 27 20:03:27 charon 09[CFG] vici client 6 registered for: list-sa
      Jun 27 20:03:27 charon 09[CFG] vici client 6 requests: list-sas
      Jun 27 20:03:27 charon 12[CFG] vici client 6 disconnected

      I have a GIGABIT connection on one end and a 100/100 connection on the other.
      I want to use AES-NI for best speed over the VPN.
      If I switch to Blowfish for P1 instead of AES256-GCM, it will connect. So it appears somehow I have introduced an issue where the two sides won't connect even though hardware-based AES-NI is active.

      Or should I be using OpenVPN site-to-site?

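As an added example (not code from the original post, pfSense or strongSwan), the checker below parses the ike= / esp= proposal strings shown in the log the way charon's keyword table does: strongSwan only accepts AES-GCM and AES-CCM keywords with an ICV length suffix (aes128gcm16, aes128gcm128, ...), which is why the bare 'aes128gcm' in the ike= line is reported as not recognized while 'aes256gcm128' in the esp= line parses. The keyword tables are an abbreviated subset of strongSwan's, and the two sample log lines are copied from the log above.

```python
import re

# Abbreviated strongSwan proposal keyword tables (assumption: subset only,
# enough to classify the algorithms that appear on this page).
CIPHERS = {"aes128", "aes192", "aes256", "3des", "blowfish128", "blowfish256",
           "camellia128", "camellia256", "null"}
AEAD = re.compile(r"^(aes(?:128|192|256)(?:gcm|ccm)|chacha20poly1305)(\d+)?$")
ICV_SUFFIXES = {"8", "12", "16", "64", "96", "128"}   # bytes (8/12/16) or bits (64/96/128)
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc", "sha256_96"}
PRF = {"prfmd5", "prfsha1", "prfsha256", "prfsha384", "prfsha512", "prfaesxcbc"}
DH = re.compile(r"^(?:modp(?:768|1024|1536|2048|3072|4096|6144|8192)"
                r"|ecp(?:192|224|256|384|521)|curve25519|curve448)$")

# Constructed sample: the two config lines charon logged in the post above.
SAMPLE_LOG = [
    "Jun 27 20:03:17 charon 12[CFG] ike=aes128gcm-aesxcbc-modp4096!",
    "Jun 27 20:03:17 charon 12[CFG] esp=aes256gcm128-aesxcbc!",
]

def check_proposal(proposal: str) -> list:
    """Return the problems found in one proposal string; [] means it parses."""
    problems = []
    body = proposal[:-1] if proposal.endswith("!") else proposal   # '!' = strict
    for token in body.split("-"):
        m = AEAD.match(token)
        if m:
            name, suffix = m.groups()          # chacha20poly1305 takes no suffix
            if name.startswith("aes") and suffix is None:
                problems.append(f"{token}: AES-GCM/CCM keyword needs an ICV "
                                f"length suffix, e.g. {name}16 or {name}128")
            elif suffix is not None and suffix not in ICV_SUFFIXES:
                problems.append(f"{token}: unknown ICV length '{suffix}'")
        elif token not in (CIPHERS | INTEGRITY | PRF) and not DH.match(token):
            problems.append(f"{token}: keyword not recognized")
    return problems

def check_config_lines(lines) -> dict:
    """Scan charon 'ike=' / 'esp=' lines; map each proposal to its problem list."""
    report = {}
    for line in lines:
        m = re.search(r"\b(ike|esp)=(\S+)", line)
        if m:
            for prop in m.group(2).split(","):   # several proposals are comma-separated
                report[f"{m.group(1)}={prop}"] = check_proposal(prop)
    return report

if __name__ == "__main__":
    for key, problems in check_config_lines(SAMPLE_LOG).items():
        print(key, "->", problems or "OK")
```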