SG-2100 on 21.02.2 can't receive data via IPsec
We replaced an old system at a customer location with a new SG-2100 and rebuilt the config from scratch so as not to carry over old/out-of-date configs.
We also set up 2 IPsec tunnels that were working on the old device/firmware (2.3.x) without a problem. Now with the SG-2100 on the newest pfSense Plus version, the tunnel comes up, the Phase 2s come up, but we don't see any traffic incoming.
Today I had a call with the other side's admin and tried several changes to the tunnel setup. Every time it's the exact same: Tunnel P1 and P2 came up, no traffic was received (packet counter and byte counter stay at 0).
As we thought it may be a problem with the other side we tried setting up a test tunnel to our own equipment and to our surprise: the same picture. We get that tunnel phases working and see traffic outbound on our test location side but NO incoming traffic whatsoever on the receiving end.
If I start an "mtr" on my test side's server I can see massive udp traffic on the SG-2100's WAN interface (mvneta0) but no incoming traffic on the IPsec side whatsoever.
That seems like a bug to me?
Any intel on that one?
@jegr You have to try another encryption algorithm. I can't remember exactly which ones don't work, but some do not work with hardware crypto on latest versions that worked fine before. I have had this problem and had to change VPN settings.
An alternative on Intel hardware is to change hardware crypto in Advanced, Miscellaneous from AES-NI to Quick Assist (only available on pfSense+). You can do this if you are unable to change the encryption on the other end of the tunnel, but this is not available on 2100 because it is ARM.
@brians I checked multiple - they didn't work. GCM is not possible on the remote end. And as far as hashes go, I tried SHA1 up to SHA512 with no results. Only got it working half-assed by completely disabling the SafeXcel crypto driver, but even then it seems unstable and more on edge to break than before. Got a phenomenon with dozens of P2s of the same kind being established; only the last one was used but the others stayed. Had over 80 P2 entries at one point. There's definitely something really amiss in this release round. Be it CE or Plus, it's really flaky ATM.
Me too with my SG-1100.
The only way to get it to work: Cryptographic Hardware set to None.
It affects all AES-CBC and SHA settings, as well as SHA512.
I think the Bug is addressed here:
But there is no note of SHA512 problems.
@nocling We are currently doing tests with our demo 2100 and updating to the RC of 21.05 to check whether that bug is hopefully fixed there.
Nice, I can't wait for your response.
Seems to work. Updated to 21.05RC:
- While on 21.02.2 configured: AES-256, SHA-256, DH-14 (not my wish but set up from the other end)
- Worked without SafeXcel
- Enabled SafeXcel and rebooted -> didn't work anymore, no traffic passed/decrypted.
- Updated to 21.05 RC
- Left settings like they were
- System now is responding to pings again
So it seems at least that one is probably going to be fixed with 21.05 RC. No warranties though, YMMV.
Yes, that is a known issue and is fixed in 21.05. It's not that linked AES-NI bug though, but something SafeXcel specific.
It affects anything using SafeXcel to accelerate SHA1 or SHA2 hashing functions. So AES-GCM is not affected. Also, using MD5 as a hash is not affected; that may be an option if you can't use GCM.
Ok, it is a little bit OT, but it looks like a crypto problem too:
May 30 22:57:47 pfSense kernel: cesa0: TDMA descriptors pool exhaused. Consider increasing CESA_TDMA_DESCRIPTORS.
It's my SG-3100 if I run my NAS backup through the IPsec IKEv2 tunnel to the SG-1100 site.
That's a separate problem, but it is also fixed in 21.05. Like the issue with SafeXcel, it can also be worked around in 21.02 by choosing a cipher that is not accelerated. Though CESA provides a lot more acceleration in the SG-3100.
You can test a 21.05 snap right now or wait for the imminent 21.05 release.
I updated both; pfBlockerNG dev holds Unbound down at startup. Next reboot, all good.
SafeXcel now works very nicely: 50 MBit throughput, 45-50% before, 20-22% after.
Looks like a nice version.