FW to FW IPSEC w/hardware AES failing
I am trying to connect two modern (i5/i7) pfSense firewalls with the most current 2.4.3.p1 software (and CPUs which do support the AES-NI etc. extensions). One at one location, one at another.
I have AES256-GCM selected in Phase 1 and AES XCBC.
No matter what form of AES GCM I try, the two machines won't sync. Please note I have tried this several times and on multiple fresh installs.
Note: about a month ago I had this working with AES GCM on both sides but I had to change around hardware. Ever since I haven't been able to get the two sides to connect.
From Dashboard:
Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
Current: 3200 MHz, Max: 3201 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
Here is the typical IPSEC error log (snipped):
Jun 27 20:03:17 charon 12[CFG] ike=aes128gcm-aesxcbc-modp4096!
Jun 27 20:03:17 charon 12[CFG] esp=aes256gcm128-aesxcbc!
Jun 27 20:03:17 charon 12[CFG] dpddelay=10
Jun 27 20:03:17 charon 12[CFG] dpdtimeout=60
Jun 27 20:03:17 charon 12[CFG] dpdaction=3
Jun 27 20:03:17 charon 12[CFG] sha256_96=no
Jun 27 20:03:17 charon 12[CFG] mediation=no
Jun 27 20:03:17 charon 12[CFG] keyexchange=ikev2
Jun 27 20:03:17 charon 12[CFG] algorithm 'aes128gcm' not recognized
Jun 27 20:03:17 charon 12[CFG] skipped invalid proposal string: aes128gcm-aesxcbc-modp4096
Jun 27 20:03:17 charon 09[CFG] received stroke: route 'con1'
Jun 27 20:03:17 charon 09[CFG] no config named 'con1'
Jun 27 20:03:17 ipsec_starter 29066 no config named 'con1'
Jun 27 20:03:25 charon 12[CFG] vici client 5 connected
Jun 27 20:03:25 charon 09[CFG] vici client 5 registered for: list-sa
Jun 27 20:03:25 charon 09[CFG] vici client 5 requests: list-sas
Jun 27 20:03:25 charon 12[CFG] vici client 5 disconnected
Jun 27 20:03:26 charon 09[CFG] received stroke: terminate 'con1'
Jun 27 20:03:26 charon 09[CFG] no IKE_SA named 'con1' found
Jun 27 20:03:26 charon 12[CFG] received stroke: initiate 'con1'
Jun 27 20:03:26 charon 12[CFG] no config named 'con1'
Jun 27 20:03:27 charon 12[CFG] vici client 6 connected
Jun 27 20:03:27 charon 09[CFG] vici client 6 registered for: list-sa
Jun 27 20:03:27 charon 09[CFG] vici client 6 requests: list-sas
Jun 27 20:03:27 charon 12[CFG] vici client 6 disconnected
I have a GIGABIT connection on one end and a 100/100 connection on the other.
I want to use AES-NI for best speed over the VPN.
If I switch to BLOWFISH for P1 instead of AES256-GCM, it will connect. So it appears somehow I have introduced an issue where the two sides won't connect even though hardware-based AES-NI is active.
Or should I be using OpenVPN site-to-site?
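The charon log above shows the actual failure: `algorithm 'aes128gcm' not recognized`, after which the whole proposal string is skipped and no `con1` config exists, so hardware AES-NI never comes into play. strongSwan names AEAD ciphers with an explicit ICV length (the `esp=` line in the same log uses `aes256gcm128`, whereas the `ike=` line uses a bare `aes128gcm`). The following checker is an added example, not code from the post or from pfSense/strongSwan; it scans `[CFG] ike=`/`esp=` lines from a charon config dump (the sample lines are constructed from the post) and flags GCM/CCM algorithm names that lack the ICV suffix strongSwan expects. It only covers that one rule; it does not validate every strongSwan proposal keyword.

```python
import re

# Constructed sample: the ike=/esp= config-dump lines from the post, embedded for an offline run.
SAMPLE_LOG = """\
Jun 27 20:03:17 charon 12[CFG] ike=aes128gcm-aesxcbc-modp4096!
Jun 27 20:03:17 charon 12[CFG] esp=aes256gcm128-aesxcbc!
Jun 27 20:03:17 charon 12[CFG] keyexchange=ikev2
"""

# AES-GCM/CCM names in strongSwan carry the ICV length: aes128gcm16, aes256gcm128, aes128ccm12 ...
AEAD_RE = re.compile(r"^aes(128|192|256)(gcm|ccm)(\d+)?$")
# ICV sizes strongSwan accepts, in bytes (8/12/16) or bits (64/96/128).
ICV_OK = {"8", "12", "16", "64", "96", "128"}

# Hypothetical helper name; returns a list of problems for one proposal string, [] if none found.
def check_proposal(kind, proposal):
    problems = []
    # "!" marks a strict proposal; "," separates alternative proposals; "-" separates algorithms.
    for single in proposal.rstrip("!").split(","):
        for alg in single.split("-"):
            m = AEAD_RE.match(alg)
            if not m:
                continue  # not an AEAD cipher name, nothing to check here
            icv = m.group(3)
            if icv is None:
                problems.append(f"{kind}: '{alg}' has no ICV length; strongSwan expects e.g. "
                                f"'{alg}16' or '{alg}128', so the whole proposal is rejected")
            elif icv not in ICV_OK:
                problems.append(f"{kind}: '{alg}' uses unsupported ICV length {icv}")
    return problems

# Hypothetical helper name; pulls ike=/esp= lines out of a charon [CFG] dump and checks each.
def check_config_dump(log):
    findings = []
    for line in log.splitlines():
        m = re.search(r"\[CFG\] (ike|esp)=(\S+)", line)
        if m:
            findings.extend(check_proposal(m.group(1), m.group(2)))
    return findings

if __name__ == "__main__":
    for finding in check_config_dump(SAMPLE_LOG):
        print(finding)
```

Run against the sample, it reports only the `ike=` proposal, matching the "not recognized" line in the log; the `esp=` proposal with `aes256gcm128` passes.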