Possible issue with development builds of pfSense with IKEv2 and IPsec
-
I have been using the development builds of pfSense, and on builds (in 2 locations) from around ~12/25/19, my once rock-steady firewall-to-firewall VPN has now started choking out after 24-48 hours.
I did some experimentation today and it >SEEMS< that the issue is when IKEv2 and encryption using the Intel AES-NI CPU crypto is being used. Like I said - prior to around mid-December the dev builds have been rock solid using AES-NI.
The symptom of the VPN going south is that my ping test (from a DOS command prompt) starts timing out, like 2 good pings, 1 bad, 1 good, 2 bad, 2 good, etc. If I go look at the IPsec status, it is constantly disconnecting and then attempting to reconnect (and this goes on and on and on).
During this time, outside connections through the 2nd (remote) firewall are not interrupted. So it really looks like the issue is in the IPsec VPN area.
I don't know what code was changed after mid-December 2019, but something buggy might have been introduced to the daily build code.
-
Is this on 2.4.5 development builds or 2.5.0 development builds?
Does the problem persist if you update to a current snapshot?
Most of us who work on the project run 2.5.0 builds and have IKEv2 IPsec using AES-GCM running 24/7 for our connection back to the company, so it's unlikely there is a general problem there or we would have hit it almost immediately.
-
@jimp
2.5.x dev builds.
I am in the exact same scenario - using 2.5.x to be able to run AES-GCM and it was working flawlessly for months and months until I updated around Christmas, and then it choked out 2-3 times since, prompting this post.
I switched to non-AES-NI on both IKEv2 setups and it is solid for 24hrs plus right now.
I will update both machines on Friday and reinstate the AES-NI IKEv2 and see how it goes.
box 1:
2.5.0-DEVELOPMENT(amd64)
built on Fri Jan 03 22:01:28 EST 2020
box 2:
2.5.0-DEVELOPMENT(amd64)
built on Fri Jan 03 22:01:28 EST 2020