pfSense+ 21.02.2 IPSec / AES-NI issues
The release notes of 21.02.2 contain the known issues, so the problem is solved, but I wanted to throw some notes out there.
I have a Netgate XG-7100 which has been running pfSense+ since earlier this year. I have a pfSense CE running 2.4.5 on a cloud appliance. We have an IPSec tunnel between them, which stopped working when I upgraded the XG to the latest version. Traffic went through from XG -> Cloud, but all Cloud -> XG traffic was disappearing. Disabling the hardware crypto solved the issue.
Because we are a small company without a lab environment to test this first, I have a pfSense running at home on an old CheckPoint device. I use it to test upgrades. So I established an IPSec tunnel with the same settings (using the copy button) between it and the XG, and that somehow works. My home pfSense is running 2.5.1.
In short: 21.02.2 <-> 2.4.5 isn't working; 21.02.2 <-> 2.5.1 is working.
A couple of other things I've noticed while troubleshooting this:
The new PRF setting on IPSec isn't available on existing IPSec tunnels and only appears in the advanced section of new tunnels.
In a backup, the PRF of existing tunnels (where it wasn't set) is backed up as MD5 (the first of the list). According to the Algo info on the IPsec, however, the currently working PRF is SHA2_512. I would assume that during a restore the MD5 gets wrongly restored.
This is the first time I had real trouble with a patch. It would be nice if there were an UNDO feature back to the previous patch level. This is the reason why our Cloud device is on 2.4. The major changes are scary to apply to a device not supported by anyone, and re-installing it from scratch would take days. IBM Cloud has very complex VLAN configurations.
As I said, the problem is solved by disabling hardware crypto, but maybe some improvements can be made in the next patch set around all this. This is a bit more than just a "known issue".
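A pre-restore check for the PRF issue described in the post, as an added example that is not from the original thread or from pfSense itself: it parses a pfSense-style config backup and flags phase 1 proposals whose PRF is weak (MD5/SHA1) or differs from the hash algorithm. The XML element names (phase1, encryption/item, hash-algorithm, prf-algorithm) and the sample backup are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling a pfSense config backup; the element names
# are an assumption about the schema, not verified against a real export.
SAMPLE_BACKUP = """<pfsense>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <descr>cloud-tunnel</descr>
      <encryption>
        <item>
          <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
          <hash-algorithm>sha512</hash-algorithm>
          <prf-algorithm>md5</prf-algorithm>
        </item>
      </encryption>
    </phase1>
    <phase1>
      <ikeid>2</ikeid>
      <descr>home-tunnel</descr>
      <encryption>
        <item>
          <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
          <hash-algorithm>sha256</hash-algorithm>
          <prf-algorithm>sha256</prf-algorithm>
        </item>
      </encryption>
    </phase1>
  </ipsec>
</pfsense>"""

WEAK_PRFS = {"md5", "sha1"}


def audit_prf(xml_text):
    """Return (ikeid, descr, hash, prf, reason) for every phase 1 proposal
    whose PRF is weak or does not match the proposal's hash algorithm."""
    findings = []
    root = ET.fromstring(xml_text)
    for p1 in root.iter("phase1"):
        ikeid = p1.findtext("ikeid", "?")
        descr = p1.findtext("descr", "")
        for item in p1.iter("item"):
            hash_alg = (item.findtext("hash-algorithm") or "").lower()
            prf = (item.findtext("prf-algorithm") or "").lower()
            if prf in WEAK_PRFS:
                findings.append((ikeid, descr, hash_alg, prf, "weak PRF"))
            elif prf and prf != hash_alg:
                findings.append((ikeid, descr, hash_alg, prf, "PRF differs from hash"))
    return findings
```

Run it against a real backup before restoring; any tunnel reported here should have its PRF checked against the value shown in the Algo info, as the post describes.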
Did you try Intel Quick Assist?
It shouldn't be affected.