Possible issue with developmental builds of PFSENSE with ike V2 and IPSEC

  • I have been using the development builds of PFSENSE and on builds (in 2 locations) from around ~12/25/19, my once-rock steady firewall to firewall VPN has now started choking out after 24-48 hours.

    I did some experimentation today and it >SEEMS< that the issue is when
    IKE v2
    and encryption using the Intel AES-NI CPU crypto is being used.

    Like I said - prior to around mid december the Dev builds have been rock solid using AES-NI.

    The symptoms of the VPN going south is my ping test (from dos command) starts timing out, like 2 good pings, 1 bad, 1 good, 2 bad, 2 good, etc. If I go look at IPSEC status, it is constantly disconnecting and then attempting to reconnect, (and this goes on and on and on).

    During this time, outside connections through the 2nd (remote firewall) are not interrupted. So it really looks like the issue is in the IPSEC vpn area.

    I don't know what code was changed after mid december 2019, but something buggy might have been introduced to the daily build code.

  • Rebel Alliance Developer Netgate

    Is this on 2.4.5 development builds or 2.5.0 development builds?

    Does the problem persist if you update to a current snapshot?

    Most of us who work on the project run 2.5.0 builds and have IKEv2 IPsec using AES-GCM running 24/7 for our connection back to the company, so it's unlikely there is a general problem there or we would have hit it almost immediately.

  • @jimp
    2.5.x dev builds.

    I am in the exact same scenario - using 2.5.x to be able to run AES-GCM and it was working flawlessly for months and months until I updated around Christmas, and then it choked out 2-3 times since, prompting this post.

    I switched to non-AES-NI on both IKEv2 setups and it is solid for 24hrs plus right now.

    I will update both machines on Friday and re-instate the AES-NI ike v2 and see how it goes.

    box 1:
    built on Fri Jan 03 22:01:28 EST 2020

    box 2:
    built on Fri Jan 03 22:01:28 EST 2020

Log in to reply