IPSec tunnel problems after pfSense 2.2.3 upgrade
-
I know this thread is over 2+ weeks old but ….
@Work tonight I upgraded pfSense to 2.2.3 with the AES-NI option enabled.
@Home when 2.2.3 was released, I upgraded right away, and had the AES-NI option enabled.
After the upgrade at work tonight, I had the same symptoms - endpoints would connect like they should, but 0 traffic passed between them. After I disabled the AES-NI acceleration @work and rebooted, all is well and acting like it should again.
So I have 1 endpoint with it enabled, and 1 without, and traffic flows. I haven't tried re-enabling it because stuff works now.
Next test would be to disable it @home, and enable it @work, and see if it still works as it should. Or should I just leave well enough alone?
-
It's fixed in 2.2.4 snapshots. Perhaps the CPU at the home end is not actually supporting AES-NI as it reports?
If the module actually loads at boot (check the boot logs) then I would expect it to break IPsec if AES is used.
Steve
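Steve's suggestion above is to look in the boot log for whether the aesni driver actually attached. As an added example that is not from this thread or from the pfSense project, here is a small POSIX sh script that makes that check mechanical: it scans dmesg-style text for the CPU's AESNI feature flag and the aesni(4) attach line, and kldstat output for aesni.ko, and returns one of three verdicts. The dmesg and kldstat samples inside it are constructed to look like FreeBSD 10.x output (the base of pfSense 2.2.x), not captured from a real box, and the function names and verdict strings are my own. On a live pfSense box you would feed it /var/run/dmesg.boot and the output of kldstat instead of the samples.

```shell
#!/bin/sh
# Added example, not from the pfSense thread: decide whether a FreeBSD/pfSense
# box really has AES-NI and whether aesni.ko attached, from boot-log text.
# Live use:  aesni_verdict "$(cat /var/run/dmesg.boot)" "$(kldstat)"
# The text below is CONSTRUCTED to resemble FreeBSD 10.x dmesg/kldstat output.

SAMPLE_DMESG_OK='CPU: Intel(R) Core(TM) i5-4570T CPU @ 2.90GHz (2893.44-MHz K8-class CPU)
  Features2=0x7ffafbff<SSE3,PCLMULQDQ,SSSE3,FMA,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>
aesni0: <AES-CBC,AES-XTS> on motherboard'

# A CPU that does not implement AES-NI: the driver probes, prints a refusal, and does not attach.
SAMPLE_DMESG_NOCPU='CPU: Intel(R) Atom(TM) CPU D525 @ 1.80GHz (1800.04-MHz K8-class CPU)
  Features2=0x40e31d<SSE3,DTES64,MON,DS_CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE>
aesni0: No AESNI support.'

SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 1f5a2e8  kernel
 2    1 0xffffffff82211000 7f48     aesni.ko'

# cpu_has_aesni DMESG_TEXT : succeeds if the CPU advertises AESNI in its Features2 line
cpu_has_aesni() {
    printf '%s\n' "$1" | grep -q 'Features2=.*[<,]AESNI[,>]'
}

# aesni_attached DMESG_TEXT : succeeds if aesni(4) printed its attach line
aesni_attached() {
    printf '%s\n' "$1" | grep -q '^aesni[0-9]*: <.*> on motherboard'
}

# aesni_loaded KLDSTAT_TEXT : succeeds if aesni.ko appears in the loaded-module list
# (assumes the driver is a module, as on pfSense 2.2.x, rather than compiled in)
aesni_loaded() {
    printf '%s\n' "$1" | grep -q 'aesni\.ko'
}

# aesni_verdict DMESG_TEXT KLDSTAT_TEXT : prints one of
#   ok          CPU has AES-NI and the driver attached and is loaded
#   no-cpu      CPU lacks AES-NI; the driver refused, leave the GUI option off
#   not-loaded  CPU is capable but aesni.ko is not loaded (option off, or load failed)
aesni_verdict() {
    dmesg_text=$1
    kld_text=$2
    if ! cpu_has_aesni "$dmesg_text"; then
        echo no-cpu
    elif aesni_attached "$dmesg_text" && aesni_loaded "$kld_text"; then
        echo ok
    else
        echo not-loaded
    fi
}

# Demo on the constructed samples; replace with live dmesg/kldstat text on a real box.
echo "capable box:   $(aesni_verdict "$SAMPLE_DMESG_OK" "$SAMPLE_KLDSTAT")"
echo "atom box:      $(aesni_verdict "$SAMPLE_DMESG_NOCPU" "$SAMPLE_KLDSTAT")"
echo "module absent: $(aesni_verdict "$SAMPLE_DMESG_OK" "kernel only")"
```

The distinction worth having is between "no-cpu" (the driver printed "No AESNI support." and refused to attach, so the GUI option under System > Advanced > Miscellaneous should stay off) and "not-loaded" (the CPU is capable but the module is not in the kernel, which is the state disabling the option and rebooting leaves you in). A box that reports "ok" and still passes no traffic through an AES IPsec tunnel on 2.2.3 is showing the behaviour Steve says is fixed in the 2.2.4 snapshots.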
-
You can use IP addresses for your identifiers but they are not much use unless the WAN IP addresses at each end are both static. The IP address identifier is just for IP addresses not hostnames.
If you have one or more WAN interfaces with dynamic IP addresses you should use an identifier that doesn't change.
If you have a resolvable hostname for your pfSense host and another for your Linksys host you could use the Distinguished Name type like in this example:
On pfSense
My Identifier: Distinguished Name: pfsense.mydynamic.dns
Peer Identifier: Distinguished Name: linksys.mydynamic.dns
On Linksys
My Identifier: Distinguished Name: linksys.mydynamic.dns
Peer Identifier: Distinguished Name: pfsense.mydynamic.dns

Thanks! I'd had Peer Identifier entered as IP Address, and it wasn't working under 2.2.3, though I'm pretty sure it had worked previously under some earlier version.
Once I used Distinguished Name it started working again.
-
All well and nice but I have several pfSense boxes at several client locations and all work except one.
I've checked and double checked each and every setting, deleted it and recreated it, but it still keeps saying 'Gateway authentication error' and 'invalid ID_V1 payload length, decryption failed?' after the upgrade to 2.2.4 (I skipped 2.2.3).
To be precise, I copied the configuration from exactly the same hardware appliance box, just to rule out hardware dependencies.