Mobile IPsec fails with glxsb and AES128



  • Hi!

    I've been trying to configure a mobile IPsec connection with an iPhone client towards an Alix 2D3 running pfSense 2.0.1. I found that enabling the glxsb driver breaks the connectivity while using AES-128 encryption, with this on the IPsec log:

    Nov 29 11:49:00 	racoon: ERROR: pfkey UPDATE failed: Invalid argument
    Nov 29 11:49:00 	racoon: ERROR: pfkey ADD failed: Invalid argument
    

    If I disable glxsb and restart, that error does not show up and everything works fine. If I set the encryption to something other than AES (3DES for example), it also works. Furthermore, a site-to-site VPN tunnel using IPsec AES-128 towards another Alix running pfSense also works!

    Please note that in my case it is failing with AES-128, which is supposed to work (I found several threads where the problem shows up with AES-256).

    Is anyone aware of a reason/fix? The most closely related thread I found is this one, but it does not get very far… Besides, the "invalid argument" error type leads me to think that this might be a simple syntax error on some part of the code...

    I would really like to get the glxsb acceleration working!

    Thanks a lot, as usual!

    Best regards



  • Anyone? Considering how popular the Alix platform is, has anybody else experienced this problem? I was able to replicate on another Alix box.

    I don't know if this is a pfSense issue, racoon, FreeBSD driver, etc. Where should I report this?

    Best regards!


  • Rebel Alliance Developer Netgate

    I haven't seen that with AES-128 before, just 256 (since the glxsb code attaches for all of AES but can only handle 128)  - you're sure both Phase 1 and Phase 2 are set for AES-128 only?

    You might also try a 2.0.2 image.

    http://files.nyi.pfsense.org/jimp/foo/shiny/ehrmagerd/



  • Both phase1 and phase2 are set to AES-128, I deleted and recreated the config multiple times.

    I'll try the 2.0.2 image and report back.

    Thanks!



  • I updated to 2.0.2 and still have the same problem. I also tried configuring an RSA+auth mobile IPsec with the iPhone, it works fine with glxsb disabled, but fails in the same way when I enable it.

    I confirm it is set to AES128, I even reviewed the racoon.conf file.

    Any other ideas on where to check?

    Thanks again



  • Hi hi,

    I'm on 2.0.1Release and I can confirm that the prob is reproducible…

    Set up a connection with my iPad on iOS 6.0.1 and didn't get traffic through the VPN. After disabling glxsb and rebooting I can now connect my internal hosts and reach the Internet through the VPN!

    Can you tell if AES256 is going to work with iOS? I'd love to re-enable glxsb for my existing OpenVPN tunnels...

    Greetz
    Mirco



  • @mircsicz:

    Hi hi,

    I'm on 2.0.1Release and I can confirm that the prob is reproducible…

    Set up a connection with my iPad on iOS 6.0.1 and didn't get traffic through the VPN. After disabling glxsb and rebooting I can now connect my internal hosts and reach the Internet through the VPN!

    Can you tell if AES256 is going to work with iOS? I'd love to re-enable glxsb for my existing OpenVPN tunnels...

    Greetz
    Mirco

    Hi! For you does it happen with AES-256 or AES-128? Could you try with AES-128? The point is that the driver is not supposed to work with AES-256, but should with AES-128 (it fails in my case)

    If you confirm it also happens to you, I'll open a ticket with full debugging logs and so on.

    Thanks!



  • Hi,

    I followed this Doc: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

    The doc suggests using AES128, I'll try AES256 when I'm back in the office… Hopefully this will work so I can re-enable glxsb for OpenVPN!

    Greetz
    Mircsicz

    Edit: did 2 reboots and both showed that it only works with glxsb disabled. I'm now on AES256 so it's also proven that iOS supports AES256...



  • I created a redmine ticket:

    http://redmine.pfsense.org/issues/2734

    Regards!



  • Thx…

