FW to FW IPSEC w/hardware AES failing

  • I am trying to connect two modern (i5/i7) pfSense firewalls with the most current 2.4.3.p1 software (and CPUs which do support the AES-NI etc. extensions). One at one location, one at another.

    I have AES256-GCM selected in Phase 1 and AES XCBC

    No matter what form of AES GCM I try, the two machines won't sync. Please note I have tried this several times and on multiple fresh installs.

    Note: about a month ago I had this working with AES GCM on both sides but I had to change around hardware. Ever since I haven't been able to get the two sides to connect.

    From Dashboard:
    Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
    Current: 3200 MHz, Max: 3201 MHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (active)

    Here is the typical IPsec error log (snipped):

    Jun 27 20:03:17 charon 12[CFG] ike=aes128gcm-aesxcbc-modp4096!
    Jun 27 20:03:17 charon 12[CFG] esp=aes256gcm128-aesxcbc!
    Jun 27 20:03:17 charon 12[CFG] dpddelay=10
    Jun 27 20:03:17 charon 12[CFG] dpdtimeout=60
    Jun 27 20:03:17 charon 12[CFG] dpdaction=3
    Jun 27 20:03:17 charon 12[CFG] sha256_96=no
    Jun 27 20:03:17 charon 12[CFG] mediation=no
    Jun 27 20:03:17 charon 12[CFG] keyexchange=ikev2
    Jun 27 20:03:17 charon 12[CFG] algorithm 'aes128gcm' not recognized
    Jun 27 20:03:17 charon 12[CFG] skipped invalid proposal string: aes128gcm-aesxcbc-modp4096

    Jun 27 20:03:17 charon 09[CFG] received stroke: route 'con1'
    Jun 27 20:03:17 charon 09[CFG] no config named 'con1'
    Jun 27 20:03:17 ipsec_starter 29066 no config named 'con1'
    Jun 27 20:03:25 charon 12[CFG] vici client 5 connected
    Jun 27 20:03:25 charon 09[CFG] vici client 5 registered for: list-sa
    Jun 27 20:03:25 charon 09[CFG] vici client 5 requests: list-sas
    Jun 27 20:03:25 charon 12[CFG] vici client 5 disconnected
    Jun 27 20:03:26 charon 09[CFG] received stroke: terminate 'con1'
    Jun 27 20:03:26 charon 09[CFG] no IKE_SA named 'con1' found
    Jun 27 20:03:26 charon 12[CFG] received stroke: initiate 'con1'
    Jun 27 20:03:26 charon 12[CFG] no config named 'con1'
    Jun 27 20:03:27 charon 12[CFG] vici client 6 connected
    Jun 27 20:03:27 charon 09[CFG] vici client 6 registered for: list-sa
    Jun 27 20:03:27 charon 09[CFG] vici client 6 requests: list-sas
    Jun 27 20:03:27 charon 12[CFG] vici client 6 disconnected

    I have a gigabit connection on one end and a 100/100 connection on the other.
    I want to use AES-NI for best speed over the VPN.
    If I switch to Blowfish for P1 instead of AES256-GCM, it will connect. So it appears somehow I have introduced an issue where the two sides won't connect even though hardware-based AES-NI is active.

    Or should I be using OpenVPN site-to-site?
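The charon lines in the post that matter are `ike=aes128gcm-aesxcbc-modp4096!` followed by `algorithm 'aes128gcm' not recognized` and `skipped invalid proposal string`: once strongSwan drops the IKE proposal, there is no `con1` config, so every later `initiate 'con1'` fails with `no config named 'con1'` regardless of AES-NI. The checker below is an added example, not code from the post or from pfSense/strongSwan, and it encodes a few proposal-string rules as assumptions: strongSwan's AEAD keywords carry an ICV length (`aes256gcm16`, `aes256gcm128`, and so on, never bare `aes128gcm`), an IKE proposal needs an integrity algorithm unless the cipher is AEAD, an IKE proposal needs a DH group, and an integrity algorithm next to an AEAD cipher is redundant. The keyword tables are a hand-picked subset, not strongSwan's full list. It parses the `ike=`/`esp=` log lines quoted from the post and reports what would be rejected.

```python
"""Check strongSwan-style IKE/ESP proposal strings (the ike=/esp= lines charon logs)
for the mistakes that produce 'algorithm ... not recognized' / 'skipped invalid
proposal string'. Added example; the keyword tables below are an assumed subset."""
import re

# Assumed subset of strongSwan proposal keywords (not the complete table).
AEAD = {f"aes{k}gcm{icv}" for k in (128, 192, 256) for icv in (8, 12, 16, 64, 96, 128)}
AEAD |= {"chacha20poly1305"}
CIPHERS = {"aes128", "aes192", "aes256", "3des", "blowfish128", "blowfish256"}
INTEGRITY = {"sha1", "sha256", "sha384", "sha512", "aesxcbc", "aescmac", "md5"}
DH = {f"modp{n}" for n in (1024, 1536, 2048, 3072, 4096, 6144, 8192)}
DH |= {"ecp256", "ecp384", "ecp521", "curve25519"}

# A GCM/CCM name with no ICV length is the typo seen in the post's log.
_BARE_AEAD = re.compile(r"^aes(128|192|256)(gcm|ccm)$")

# Matches the charon config dump lines, e.g. "Jun 27 20:03:17 charon 12[CFG] esp=aes256gcm128-aesxcbc!"
_LOG_PROPOSAL = re.compile(r"\[CFG\]\s+(ike|esp)=(\S+)")


def check_proposal(proposal: str, proto: str):
    """Return (errors, warnings) for one proposal string; proto is 'ike' or 'esp'.
    Empty errors means the string would be accepted under the assumed rules."""
    errors, warnings = [], []
    aead, ciphers, integ, dh = [], [], [], []
    # A trailing '!' is strongSwan's strict-proposal flag, not an algorithm.
    for tok in proposal.rstrip("!").split("-"):
        if tok in AEAD:
            aead.append(tok)
        elif tok in CIPHERS:
            ciphers.append(tok)
        elif tok in INTEGRITY:
            integ.append(tok)
        elif tok in DH:
            dh.append(tok)
        elif _BARE_AEAD.match(tok):
            errors.append(f"algorithm '{tok}' not recognized: AEAD keywords need an ICV "
                          f"length, e.g. '{tok}16' (or '{tok}128', the same 16-byte ICV)")
        else:
            errors.append(f"algorithm '{tok}' not recognized")
    if not errors and not aead and not ciphers:
        errors.append("no encryption algorithm in proposal")
    if aead and integ:
        # The AEAD mode already authenticates; a separate MAC is redundant.
        warnings.append(f"integrity '{integ[0]}' is redundant with AEAD cipher '{aead[0]}'")
    if proto == "ike":
        if ciphers and not integ:
            errors.append("IKE proposal with a non-AEAD cipher needs an integrity algorithm")
        if not dh:
            errors.append("IKE proposal needs a DH group (modp*/ecp*/curve25519)")
    return errors, warnings


def check_charon_log(lines):
    """Scan charon log lines for ike=/esp= proposals; return {proto: (proposal, errors, warnings)}."""
    report = {}
    for line in lines:
        m = _LOG_PROPOSAL.search(line)
        if m:
            proto, proposal = m.group(1), m.group(2)
            errors, warnings = check_proposal(proposal, proto)
            report[proto] = (proposal, errors, warnings)
    return report


# Sample input: the two proposal lines quoted from the post's log.
SAMPLE_LOG = [
    "Jun 27 20:03:17 charon 12[CFG] ike=aes128gcm-aesxcbc-modp4096!",
    "Jun 27 20:03:17 charon 12[CFG] esp=aes256gcm128-aesxcbc!",
]

if __name__ == "__main__":
    for proto, (proposal, errors, warnings) in check_charon_log(SAMPLE_LOG).items():
        print(f"{proto}={proposal}")
        for e in errors:
            print(f"  ERROR   {e}")
        for w in warnings:
            print(f"  WARNING {w}")
```

Run against the post's two lines, the `ike=` proposal is reported as invalid because of the bare `aes128gcm` keyword, while the `esp=` proposal parses but gets a redundancy warning for `aesxcbc` beside `aes256gcm128`. A proposal such as `aes256gcm16-modp4096` or `aes256-sha256-modp4096` passes clean, which is the shape to compare the pfSense-generated config against.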
