Netgate Discussion Forum

    Mobile IPsec fails with glxsb and AES128

      georgeman

      Hi!

      I've been trying to configure a mobile IPsec connection with an iPhone client towards an Alix 2D3 running pfSense 2.0.1. I found that enabling the glxsb driver breaks the connectivity while using AES-128 encryption, with this on the IPsec log:

      Nov 29 11:49:00 	racoon: ERROR: pfkey UPDATE failed: Invalid argument
      Nov 29 11:49:00 	racoon: ERROR: pfkey ADD failed: Invalid argument
      

      If I disable glxsb and restart, that error does not show up and everything works fine. If I set the encryption to something other than AES (3DES for example), it also works. Furthermore, a site-to-site VPN tunnel using IPsec AES-128 towards another Alix running pfSense also works!

      Please note that in my case it is failing with AES-128, which is supposed to work (I found several threads where the problem shows up with AES-256).

      Is anyone aware of a reason/fix? The most closely related thread I found is this one, but it does not get very far… Besides, the "invalid argument" error type leads me to think that this might be a simple syntax error on some part of the code...

      I would really like to get the glxsb acceleration working!

      Thanks a lot, as usual!

      Best regards

      If it ain't broke, you haven't tampered enough with it

        georgeman

        Anyone? Considering how popular the Alix platform is, has anybody else experienced this problem? I was able to replicate on another Alix box.

        I don't know if this is a pfSense issue, racoon, FreeBSD driver, etc. Where should I report this?

        Best regards!

          jimp Rebel Alliance Developer Netgate

          I haven't seen that with AES-128 before, just 256 (since the glxsb code attaches for all of AES but can only handle 128) - you're sure both Phase 1 and Phase 2 are set for AES-128 only?

          You might also try a 2.0.2 image.

          http://files.nyi.pfsense.org/jimp/foo/shiny/ehrmagerd/

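The check asked for in the reply above (Phase 1 and Phase 2 both limited to AES-128) can be run against the generated racoon.conf rather than by eye. This is an added example, not part of the thread or of pfSense; the function name `audit_racoon_aes` and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: list AES proposals in a racoon.conf whose key length is not 128.
audit_racoon_aes() {
    # $1 = path to racoon.conf; prints one line per finding, returns 1 if any.
    awk '
    /^[ \t]*(remote|sainfo)[ \t]/ {
        phase = ($1 == "remote") ? "phase1" : "phase2"
        section = $0
        sub(/^[ \t]+/, "", section); sub(/[ \t]*[{]?[ \t]*$/, "", section)
    }
    /^[ \t]*encryption_algorithm[ \t]/ {
        list = $0
        sub(/^[ \t]*encryption_algorithm[ \t]+/, "", list)
        sub(/[ \t]*;.*$/, "", list)
        n = split(list, items, ",")            # phase 2 may list several ciphers
        for (i = 1; i <= n; i++) {
            item = items[i]
            gsub(/^[ \t]+|[ \t]+$/, "", item)
            m = split(item, parts, /[ \t]+/)
            name = parts[1]; bits = (m > 1) ? parts[2] : "unspecified"
            if ((name == "aes" || name == "rijndael") && bits != "128") {
                printf "%s (%s): %s %s\n", phase, section, name, bits
                bad = 1
            }
        }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample in racoon.conf syntax (not taken from the thread).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
remote anonymous
{
    proposal {
        encryption_algorithm aes 128;
        hash_algorithm sha1;
    }
}
sainfo anonymous
{
    encryption_algorithm aes 256, aes 128, 3des;
    authentication_algorithm hmac_sha1;
}
EOF
FINDINGS=$(audit_racoon_aes "$SAMPLE_CONF" || true)
echo "$FINDINGS"
```

A clean result only rules out a stray non-128 AES proposal; the original poster reports the failure with AES-128 configured in both phases.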
            georgeman

            Both phase1 and phase2 are set to AES-128, I deleted and recreated the config multiple times.

            I'll try the 2.0.2 image and report back.

            Thanks!

              georgeman

              I updated to 2.0.2 and still have the same problem. I also tried configuring an RSA+auth mobile IPsec with the iPhone, it works fine with glxsb disabled, but fails in the same way when I enable it.

              I confirm it is set to AES128, I even reviewed the racoon.conf file.

              Any other ideas on where to check?

              Thanks again

                mircsicz

                Hi hi,

                I'm on 2.0.1 Release and I can confirm that the problem is reproducible…

                Set up a connection with my iPad on iOS 6.0.1 and didn't get traffic through the VPN. After disabling glxsb and rebooting I can now connect my internal hosts and reach the Internet through the VPN!

                Can you tell if AES256 is going to work with iOS? I'd love to re-enable glxsb for my existing OpenVPN tunnels...

                Greetz
                Mirco

                  georgeman

                  @mircsicz:

                  Hi hi,

                  I'm on 2.0.1 Release and I can confirm that the problem is reproducible…

                  Set up a connection with my iPad on iOS 6.0.1 and didn't get traffic through the VPN. After disabling glxsb and rebooting I can now connect my internal hosts and reach the Internet through the VPN!

                  Can you tell if AES256 is going to work with iOS? I'd love to re-enable glxsb for my existing OpenVPN tunnels...

                  Greetz
                  Mirco

                  Hi! For you does it happen with AES-256 or AES-128? Could you try with AES-128? The point is that the driver is not supposed to work with AES-256, but should with AES-128 (it fails in my case)

                  If you confirm it also happens to you, I'll open a ticket with full debugging logs and so on.

                  Thanks!

                    mircsicz

                    Hi,

                    I followed this Doc: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

                    The doc suggests using AES128, I'll try AES256 when I'm back in the office… Hopefully this will work so I can re-enable glxsb for OpenVPN!

                    Greetz
                    Mircsicz

                    Edit: did 2 reboots and both showed that it only works with glxsb disabled. I'm now on AES256 so it's also proven that iOS supports AES256...

                      georgeman

                      I created a redmine ticket:

                      http://redmine.pfsense.org/issues/2734

                      Regards!

                        mircsicz

                        Thx…
