4. FW to FW IPSEC w/hardware AES failing

FW to FW IPSEC w/hardware AES failing

  • D

    I am trying to connect two modern (i5/i7) PFSENSE firewalls with the most current 2.4.3.p1 software (and cpus which do support the AES-NI etc. extensions). One @ one location one at another.

    I have AES256-GCM selected in Phase 1 and AES XCBC

    No matter what form of AES GCM I try, the two machines won't sync. Please note I have tried this several times and on multiple fresh installs.

    Note: about a month ago I had this working with AES GCM on both sides but I had to change around hardware. Ever since I haven't been able to get the two sides to connect.

    From Dashboard:
    Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
    Current: 3200 MHz, Max: 3201 MHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (active)

    Here is the typical IPSEC error log (snipped)

    Jun 27 20:03:17 charon 12[CFG] ike=aes128gcm-aesxcbc-modp4096!
    Jun 27 20:03:17 charon 12[CFG] esp=aes256gcm128-aesxcbc!
    Jun 27 20:03:17 charon 12[CFG] dpddelay=10
    Jun 27 20:03:17 charon 12[CFG] dpdtimeout=60
    Jun 27 20:03:17 charon 12[CFG] dpdaction=3
    Jun 27 20:03:17 charon 12[CFG] sha256_96=no
    Jun 27 20:03:17 charon 12[CFG] mediation=no
    Jun 27 20:03:17 charon 12[CFG] keyexchange=ikev2
    Jun 27 20:03:17 charon 12[CFG] algorithm 'aes128gcm' not recognized
    Jun 27 20:03:17 charon 12[CFG] skipped invalid proposal string: aes128gcm-aesxcbc-modp4096
    Jun 27 20:03:17 charon 09[CFG] received stroke: route 'con1'
    Jun 27 20:03:17 charon 09[CFG] no config named 'con1'
    Jun 27 20:03:17 ipsec_starter 29066 no config named 'con1'
    Jun 27 20:03:25 charon 12[CFG] vici client 5 connected
    Jun 27 20:03:25 charon 09[CFG] vici client 5 registered for: list-sa
    Jun 27 20:03:25 charon 09[CFG] vici client 5 requests: list-sas
    Jun 27 20:03:25 charon 12[CFG] vici client 5 disconnected
    Jun 27 20:03:26 charon 09[CFG] received stroke: terminate 'con1'
    Jun 27 20:03:26 charon 09[CFG] no IKE_SA named 'con1' found
    Jun 27 20:03:26 charon 12[CFG] received stroke: initiate 'con1'
    Jun 27 20:03:26 charon 12[CFG] no config named 'con1'
    Jun 27 20:03:27 charon 12[CFG] vici client 6 connected
    Jun 27 20:03:27 charon 09[CFG] vici client 6 registered for: list-sa
    Jun 27 20:03:27 charon 09[CFG] vici client 6 requests: list-sas
    Jun 27 20:03:27 charon 12[CFG] vici client 6 disconnected

    I have a GIGABIT connection on one end and a 100/100 connection on the other.
    I want to use AES-NI for best speed over the VPN.
    If I switch to BLOWFISH for P1 instead of AES256 GCM, it will connect. So it appears somehow I have introduced an issue where the two sides won't connect even though hardware based AES-NI is active

    Or should I be using OPENVPN site to site??

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy