<![CDATA[SG-3100 21.02 IKEv2 S2S to SG-1100 21.02]]>After some troubleshoot i got the Tunnel up and running. But there are a Problem.
Data going out on both Sides, but no incoming.

I try a IPsec to any Rule, to eliminate a change in the Ruleset, as an effekt of the Upgrade. But no.

IPSec is the only VPN i use, but after the Upgdate, i run into this error, and now im out of ideeas to troubleshoot.
I use IPv4 with Dyndns and Distinguished name on both Sides.
Remote GW in P1 is the dyndns name of the Peer.

SG-3100 Side:
d461bb36-c58f-4085-9e51-1c2acc9fa949-image.png

SG-1100 Side:
2138cff9-b756-4282-90e2-41050a15ae1a-image.png

SG-3100:

# This file is automatically generated. Do not edit
connections {
        bypass {
                remote_addrs = 127.0.0.1
                children {
                        bypasslan {
                                local_ts = 192.168.10.0/24
                                remote_ts = 192.168.10.0/24
                                mode = pass
                                start_action = trap
                        }
                }
        }
        con-mobile : con-mobile-defaults {
                # Stub to load con-mobile-defaults
        }
        con500000 {
                fragmentation = yes
                unique = replace
                version = 2
                proposals = aes256-sha256-modp2048
                dpd_delay = 10s
                dpd_timeout = 60s
                rekey_time = 25920s
                reauth_time = 0s
                over_time = 2880s
                rand_time = 2880s
                encap = no
                mobike = yes
                local_addrs = WAN-IP
                remote_addrs = xxx.spdns.org
                pools =
                local {
                        id = fqdn:yyy.spdns.org
                        auth = psk
                }
                remote {
                        id = fqdn:xxx.spdns.org
                        auth = psk
                }
                children {
                        con500000 {
                                dpd_action = trap
                                mode = tunnel
                                policies = yes
                                life_time = 3600s
                                rekey_time = 3240s
                                rand_time = 360s
                                start_action = trap
                                remote_ts = 192.168.166.0/21
                                local_ts = 192.168.0.0/18
                                esp_proposals = aes256-sha256-modp2048
                        }
                }
        }
}

SG-1100

# This file is automatically generated. Do not edit
connections {
        bypass {
                remote_addrs = 127.0.0.1
                children {
                        bypasslan {
                                local_ts = 192.168.166.0/24
                                remote_ts = 192.168.166.0/24
                                mode = pass
                                start_action = trap
                        }
                }
        }
        con-mobile : con-mobile-defaults {
                # Stub to load con-mobile-defaults
        }
        con300000 {
                fragmentation = yes
                unique = replace
                version = 2
                proposals = aes256-sha256-modp2048
                dpd_delay = 10s
                dpd_timeout = 60s
                rekey_time = 25920s
                reauth_time = 0s
                over_time = 2880s
                rand_time = 2880s
                encap = no
                mobike = yes
                local_addrs = WAN-IP
                remote_addrs = yyy.spdns.org
                pools =
                local {
                        id = fqdn:xxx.spdns.org
                        auth = psk
                }
                remote {
                        id = fqdn:yyy.spdns.org
                        auth = psk
                }
                children {
                        con300000 {
                                dpd_action = trap
                                mode = tunnel
                                policies = yes
                                life_time = 3600s
                                rekey_time = 3240s
                                rand_time = 360s
                                start_action = trap
                                remote_ts = 192.168.0.0/18
                                local_ts = 192.168.160.0/21
                                esp_proposals = aes256-sha256-modp2048
                        }
                }
        }

Any Ideas?

]]>https://forum.netgate.com/topic/161113/sg-3100-21-02-ikev2-s2s-to-sg-1100-21-02RSS for NodeSat, 18 Apr 2026 13:57:13 GMTFri, 19 Feb 2021 21:57:44 GMT60<![CDATA[Reply to SG-3100 21.02 IKEv2 S2S to SG-1100 21.02 on Fri, 23 Apr 2021 09:24:28 GMT]]>Now I have found following system log messages on my SG-3100:

cesa1: TDMA descriptors pool exhaused. Consider increasing CESA_TDMA_DESCRIPTORS.

Somebody saw something similar?

Could be related to that here:

Bug 226682 - ARMADA38X: Running out of CESA TDMA descriptors for disk I/O on GELI SSD

]]>https://forum.netgate.com/post/979490https://forum.netgate.com/post/979490Fri, 23 Apr 2021 09:24:28 GMT<![CDATA[Reply to SG-3100 21.02 IKEv2 S2S to SG-1100 21.02 on Sat, 17 Apr 2021 10:13:20 GMT]]>Resolved

The SafeXcel Crypto driver was the issue.
After deactivating and Reboot, the SG-1100 works as expected.
At pfsense 21.02 this Driver isn't nessary for the crypto support.

IPsec Performance ist very nice, AES-CBC-256 SHA256 DH14, round about 40% CPU at 50MBit/s.

]]>https://forum.netgate.com/post/978401https://forum.netgate.com/post/978401Sat, 17 Apr 2021 10:13:20 GMT<![CDATA[Reply to SG-3100 21.02 IKEv2 S2S to SG-1100 21.02 on Wed, 14 Apr 2021 20:57:29 GMT]]>Now both Upgraded to 02/21/2 but, AES_CBC don't work.
SG-3100 works fine, but the SG-1100 has a problem with AES_CBC.

Tunnel go up, but no data coming in. If I switch the P1 / P2 from AES_CBC to AES_GCM, data flow is normal, but on SG-3100 no longer hardware crypto offloading.

The tunnel between SG-3100 and a x86 test VM works fine with AES_CBC, therefore I assume that the fault is in the SG-1100. The SafeXcel crypto driver is active, but switching it off, no difference.

Can anyone confirm this behavior?

]]>https://forum.netgate.com/post/977924https://forum.netgate.com/post/977924Wed, 14 Apr 2021 20:57:29 GMT<![CDATA[Reply to SG-3100 21.02 IKEv2 S2S to SG-1100 21.02 on Sat, 20 Feb 2021 23:41:02 GMT]]>Here are one try from Syslog.

charon[38059]: 08[NET] <1477> received packet: from 203.0.113.0[500] to 198.51.100.0[500] (464 bytes)
charon[38059]: 08[ENC] <1477> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
charon[38059]: 08[CFG] <1477> looking for an IKEv2 config for 198.51.100.0...203.0.113.0
charon[38059]: 08[CFG] <1477>   candidate: 198.51.100.0...0.0.0.0/0, ::/0, prio 1052
charon[38059]: 08[CFG] <1477>   candidate: 198.51.100.0...Dyndns, prio 3100
charon[38059]: 08[CFG] <1477> found matching ike config: 198.51.100.0...Dyndns with prio 3100
charon[38059]: 08[IKE] <1477> 203.0.113.0 is initiating an IKE_SA
charon[38059]: 08[IKE] <1477> IKE_SA (unnamed)[1477] state change: CREATED => CONNECTING
charon[38059]: 08[CFG] <1477> selecting proposal:
charon[38059]: 08[CFG] <1477>   proposal matches
charon[38059]: 08[CFG] <1477> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
charon[38059]: 08[CFG] <1477> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
charon[38059]: 08[CFG] <1477> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
charon[38059]: 08[CFG] <1477> received supported signature hash algorithms: sha256 sha384 sha512 identity
charon[38059]: 08[CFG] <1477> sending supported signature hash algorithms: sha256 sha384 sha512 identity
charon[38059]: 08[IKE] <1477> sending cert request for "CN=Dyndns, C=DE, ST=Place, L=Cloudtown, O=Cloudcorp"
charon[38059]: 08[ENC] <1477> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
charon[38059]: 08[NET] <1477> sending packet: from 198.51.100.0[500] to 203.0.113.0[500] (497 bytes)
charon[38059]: 08[NET] <1477> received packet: from 203.0.113.0[4500] to 198.51.100.0[4500] (352 bytes)
charon[38059]: 08[ENC] <1477> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
charon[38059]: 08[IKE] <1477> received cert request for unknown ca with keyid 6d:d3:e9:ba:51:59:24:60:34:9e:b3:64:2b:28:98:13:fd:5b:24:c7
charon[38059]: 08[IKE] <1477> received 1 cert requests for an unknown ca
charon[38059]: 08[CFG] <1477> looking for peer configs matching 198.51.100.0[Dyndns]...203.0.113.0[Dyndns]
charon[38059]: 08[CFG] <1477>   candidate "con-mobile", match: 20/1/1052 (me/other/ike)
charon[38059]: 08[CFG] <1477>   candidate "con500000", match: 20/20/3100 (me/other/ike)
charon[38059]: 08[CFG] <con500000|1477> selected peer config 'con500000'
charon[38059]: 08[IKE] <con500000|1477> authentication of 'Dyndns' with pre-shared key successful
charon[38059]: 08[IKE] <con500000|1477> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon[38059]: 08[IKE] <con500000|1477> peer supports MOBIKE
charon[38059]: 08[IKE] <con500000|1477> got additional MOBIKE peer address: 192.168.100.10
charon[38059]: 08[IKE] <con500000|1477> got additional MOBIKE peer address: 192.168.166.1
charon[38059]: 08[IKE] <con500000|1477> authentication of 'Dyndns' (myself) with pre-shared key
charon[38059]: 08[IKE] <con500000|1477> successfully created shared key MAC
charon[38059]: 08[IKE] <con500000|1477> IKE_SA con500000[1477] established between 198.51.100.0[Dyndns]...203.0.113.0[Dyndns]
charon[38059]: 08[IKE] <con500000|1477> IKE_SA con500000[1477] state change: CONNECTING => ESTABLISHED
charon[38059]: 08[IKE] <con500000|1477> scheduling rekeying in 23520s
charon[38059]: 08[IKE] <con500000|1477> maximum IKE_SA lifetime 26400s
charon[38059]: 08[CFG] <con500000|1477> looking for a child config for 192.168.0.0/18|/0 === 192.168.160.0/21|/0
charon[38059]: 08[CFG] <con500000|1477> proposing traffic selectors for us:
charon[38059]: 08[CFG] <con500000|1477>  192.168.0.0/18|/0
charon[38059]: 08[CFG] <con500000|1477> proposing traffic selectors for other:
charon[38059]: 08[CFG] <con500000|1477>  192.168.160.0/21|/0
charon[38059]: 08[CFG] <con500000|1477>   candidate "con500000" with prio 5+5
charon[38059]: 08[CFG] <con500000|1477> found matching child config "con500000" with prio 10
charon[38059]: 08[CFG] <con500000|1477> selecting proposal:
charon[38059]: 08[CFG] <con500000|1477>   proposal matches
charon[38059]: 08[CFG] <con500000|1477> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
charon[38059]: 08[CFG] <con500000|1477> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
charon[38059]: 08[CFG] <con500000|1477> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
charon[38059]: 08[CFG] <con500000|1477> selecting traffic selectors for us:
charon[38059]: 08[CFG] <con500000|1477>  config: 192.168.0.0/18|/0, received: 192.168.0.0/18|/0 => match: 192.168.0.0/18|/0
charon[38059]: 08[CFG] <con500000|1477> selecting traffic selectors for other:
charon[38059]: 08[CFG] <con500000|1477>  config: 192.168.160.0/21|/0, received: 192.168.160.0/21|/0 => match: 192.168.160.0/21|/0
charon[38059]: 08[CHD] <con500000|1477> CHILD_SA con500000{20} state change: CREATED => INSTALLING
charon[38059]: 08[CHD] <con500000|1477>   using AES_CBC for encryption
charon[38059]: 08[CHD] <con500000|1477>   using HMAC_SHA2_256_128 for integrity
charon[38059]: 08[CHD] <con500000|1477> adding inbound ESP SA
charon[38059]: 08[CHD] <con500000|1477>   SPI 0xceb40bab, src 203.0.113.0 dst 198.51.100.0
charon[38059]: 08[CHD] <con500000|1477> adding outbound ESP SA
charon[38059]: 08[CHD] <con500000|1477>   SPI 0xcc34b838, src 198.51.100.0 dst 203.0.113.0
charon[38059]: 08[IKE] <con500000|1477> CHILD_SA con500000{20} established with SPIs ceb40bab_i cc34b838_o and TS 192.168.0.0/18|/0 === 192.168.160.0/21|/0
charon[38059]: 08[CHD] <con500000|1477> CHILD_SA con500000{20} state change: INSTALLING => INSTALLED
charon[38059]: 08[ENC] <con500000|1477> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
charon[38059]: 08[NET] <con500000|1477> sending packet: from 198.51.100.0[4500] to 203.0.113.0[4500] (336 bytes)
charon[38059]: 10[NET] <con500000|1477> received packet: from 203.0.113.0[4500] to 198.51.100.0[4500] (80 bytes)
charon[38059]: 10[ENC] <con500000|1477> parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
charon[38059]: 10[IKE] <con500000|1477> received DELETE for IKE_SA con500000[1477]
charon[38059]: 10[IKE] <con500000|1477> deleting IKE_SA con500000[1477] between 198.51.100.0[Dyndns]...203.0.113.0[Dyndns]
charon[38059]: 10[IKE] <con500000|1477> IKE_SA con500000[1477] state change: ESTABLISHED => DELETING
charon[38059]: 10[IKE] <con500000|1477> IKE_SA deleted
charon[38059]: 10[ENC] <con500000|1477> generating INFORMATIONAL response 2 [ ]
charon[38059]: 10[NET] <con500000|1477> sending packet: from 198.51.100.0[4500] to 203.0.113.0[4500] (80 bytes)
charon[38059]: 10[IKE] <con500000|1477> IKE_SA con500000[1477] state change: DELETING => DESTROYING
charon[38059]: 10[CHD] <con500000|1477> CHILD_SA con500000{20} state change: INSTALLED => DESTROYING
]]>https://forum.netgate.com/post/966064https://forum.netgate.com/post/966064Sat, 20 Feb 2021 23:41:02 GMT