Problem with SafeNet SafeXcel-1141

  • I installed pfSense 2.0.1 on two WatchGuard x-core (x700 and x1000)
    pfSense seems to have recognized the hardware crypto on board (SafeNet SafeXcel-1141)
    I created a ipsec vpn on seemingly without problems

    I would like to use the hardware crypto in this boxes

    in the first attempt I configured the encryption algorithm for both phase 1 and phase 2 for 3des and SHA1 hashing algorithm. the vpn almost always worked, unfortunately sometimes they go down and to either of the firebox (the x700) hung. only solution forced reboot via physical switch.

    second attempt: AES 254bit in phase 1 and phase 2: the fastest up the vpn, but after a few minutes of use it froze the other firebox (x1000) and vpn down

    third attempt: blowfish in phase 1 and phase 2: everything is OK …. at least so far.

    NB SafeNet SafeXcel-1141 does not support the blowfish algorithm, so I guess that pfSense does not use crypto hardware with the blowfish algorithm.

    I think pfSense 2.0.1 version not interface well with SafeNet SafeXcel-1141.

  • Rebel Alliance Developer Netgate

    We are at the mercy of FreeBSD there. If there is a problem, it's with FreeBSD's drivers for that chip.

    What does the crypto card show up as in the boot log? (/var/log/dmesg.boot)

  • Netgate Administrator

    It appears as thought the SafeXel 1141 should be fully supported by the safe(4) driver and it looks as though it is from the dmesg output on a Firebox X-Core. However, if you read through the X-Core thread, I don't think anyone has ever successfully setup a VPN using it. Indeed from memory some testing showed that, although it appeared to be in use, it didn't have any result on the VPN throughput.  :(


  • What would you recommend the immediate?
    use the Blowfish encryption algorithm, or physically uninstall the Hardware crypto card and then use the encryption algorithm AES?

  • Netgate Administrator

    In fact blowfish appears to be the fastest encryption choice. Don't know how secure it is or how well supported it may be by the other end of your connection.

    Is it not possible to disable encryption offloading?


  • Same issues here.. Threw me off a little as everything worked fine in monowall.
    Decided to install PF on the X1000 and BAM no more ipsec (well it works it just wont pass traffic).

    I did notice that the crypto card is showing active on the dashboard (it was not being used in monowall!)

    So I guess the solution here is to just pop the card out?
    Is there a way to disable it in the webUI or via shell?

  • Netgate Administrator

    I'm sure there must be a way of disabling it within the crypto framework but I'm not sufficiently familiar with it.


  • Rebel Alliance Developer Netgate

Log in to reply