4. FW to FW IPSEC w/hardware AES failing

FW to FW IPSEC w/hardware AES failing

  • D

    I am trying to connect two modern (i5/i7) PFSENSE firewalls with the most current 2.4.3.p1 software (and cpus which do support the AES-NI etc. extensions). One @ one location one at another.

    I have AES256-GCM selected in Phase 1 and AES XCBC

    No matter what form of AES GCM I try, the two machines won't sync. Please note I have tried this several times and on multiple fresh installs.

    Note: about a month ago I had this working with AES GCM on both sides but I had to change around hardware. Ever since I haven't been able to get the two sides to connect.

    From Dashboard:
    Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
    Current: 3200 MHz, Max: 3201 MHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (active)

    Here is the typical IPSEC error log (snipped)

    Jun 27 20:03:17 charon 12[CFG] ike=aes128gcm-aesxcbc-modp4096!
    Jun 27 20:03:17 charon 12[CFG] esp=aes256gcm128-aesxcbc!
    Jun 27 20:03:17 charon 12[CFG] dpddelay=10
    Jun 27 20:03:17 charon 12[CFG] dpdtimeout=60
    Jun 27 20:03:17 charon 12[CFG] dpdaction=3
    Jun 27 20:03:17 charon 12[CFG] sha256_96=no
    Jun 27 20:03:17 charon 12[CFG] mediation=no
    Jun 27 20:03:17 charon 12[CFG] keyexchange=ikev2
    Jun 27 20:03:17 charon 12[CFG] algorithm 'aes128gcm' not recognized
    Jun 27 20:03:17 charon 12[CFG] skipped invalid proposal string: aes128gcm-aesxcbc-modp4096
    Jun 27 20:03:17 charon 09[CFG] received stroke: route 'con1'
    Jun 27 20:03:17 charon 09[CFG] no config named 'con1'
    Jun 27 20:03:17 ipsec_starter 29066 no config named 'con1'
    Jun 27 20:03:25 charon 12[CFG] vici client 5 connected
    Jun 27 20:03:25 charon 09[CFG] vici client 5 registered for: list-sa
    Jun 27 20:03:25 charon 09[CFG] vici client 5 requests: list-sas
    Jun 27 20:03:25 charon 12[CFG] vici client 5 disconnected
    Jun 27 20:03:26 charon 09[CFG] received stroke: terminate 'con1'
    Jun 27 20:03:26 charon 09[CFG] no IKE_SA named 'con1' found
    Jun 27 20:03:26 charon 12[CFG] received stroke: initiate 'con1'
    Jun 27 20:03:26 charon 12[CFG] no config named 'con1'
    Jun 27 20:03:27 charon 12[CFG] vici client 6 connected
    Jun 27 20:03:27 charon 09[CFG] vici client 6 registered for: list-sa
    Jun 27 20:03:27 charon 09[CFG] vici client 6 requests: list-sas
    Jun 27 20:03:27 charon 12[CFG] vici client 6 disconnected

    I have a GIGABIT connection on one end and a 100/100 connection on the other.
    I want to use AES-NI for best speed over the VPN.
    If I switch to BLOWFISH for P1 instead of AES256 GCM, it will connect. So it appears somehow I have introduced an issue where the two sides won't connect even though hardware based AES-NI is active

    Or should I be using OPENVPN site to site??

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy