SG1100 HW Crypto/IPSEC Issue on 21.02
-
I have found an issue with HW acceleration on SG1100 after upgrade from 2.4.5 to 21.02 version.
In the previous version there was no driver for HW crypto acceleration (I had it turned on in advanced) so it was inactive. After the upgrade the driver is present and the HW crypto accelerator was active. Yesterday I tested everything from home; all OpenVPN tunnels worked fine. But in the morning I found that the remote worker's phone, which uses IPSEC/IKE, had opened a tunnel but there was no traffic on IPSEC until I turned off HW crypto acceleration. After turning the feature off, the traffic was no longer affected on the IPSEC tunnel.
Petr
-
So the SG-1100 was at the remote workers location?
It was working initially after the upgrade but failed later?
What ciphers are you using there?
Steve
-
Hi,
No, setup is simple. I have SG 1100 as the gateway to a network physically separated from corporate stuff.
The gateway serves two networks: one with an xcp-ng virtualization server (a really simple PC) running CCTV, digital signage and a few test OSes. The other VLAN is connected to the LAN port on the Avaya PBX, and the remote worker has an Avaya VPN phone which can run only IPsec. So every morning when our remote worker powers up the phone it opens an IPSEC connection to the SG1100 and gets passed to the PBX VLAN.
I have a few OpenVPN setups: one to access virtual machines from a remote location, and one with which I have tested my home SIP Yealink phone connecting to our PBX. The OpenVPN I tested runs just fine with HW crypto acceleration enabled, and from pure feeling it seems it runs much faster now. Only the IPSEC tunnel has a problem with no traffic running on it (the negotiations of both phase 1 and phase 2 are successful). When I turned the HW crypto acceleration off, traffic on IPSEC resumed to normal.
Petr
-
Mmm, interesting OK. What encryption ciphers is the IPSec tunnel configured to use?
Or the OpenVPN tunnels for that matter? Though OpenVPN would not be using it unless you have the crypto framework loaded.
Steve
-
Here is the screenshot of the Tunnel setup:
This was the only setup that worked with the Avaya VPN phone (and it was quite a pain to find out).
Anyway, it works without HW acceleration. And the setup will hopefully be replaced soon when the company switches to VoIP group-wise. Then the deployment of the remote workers will be much simpler and I can remove this remote worker setup and let somebody else be responsible for it.
Petr
-
Hmm, interesting. SafeXcel doesn't do 3DES but it might be used for everything else there.