IPSEC - just broken



  • In order for us to have a very reliable link across numerous locations and IPSEC remote or site to site, we had to stay with 2.1.5.  It seems that the 2.2x branch is just a continuous problem for too many people.  There are so many releases in the 2.2x branch that it is obvious that there are problems - hopefully it stabilizes soon.  Is there a plan to remedy these IPSEC problems anytime soon?



  • The constructive thing to do would be to document what problems you are having with IPSec. There are a few issues still outstanding, but there are plenty of people running IPSec on 2.2.x with no trouble. Your post with no details or references comes off as a troll.



  • I'm a big fan of openvpn.  Works well for me.
    Care to give it a try?



  • If I wanted to troll, I would have just said it plain sucks.  I've documented it already in several posts.  I was merely asking what the next steps are.  It is a very valid question.  It is obvious that due to the change on the 2.2x branch, things are still being worked out.  If you look at the release notes for all the 2.2x releases, they are littered with IPSEC fixes, so it is nothing to hide or new.  My question is, when do the devs think it will stabilize?  Look at the General / Installation / IPSEC sections - get a clue of the troubles.

    BTW, I wouldn't use another product but pfSense - how's that for trolling?  I will probably have to move to OpenVPN so thanks for the reminder.



  • The majority of IPsec circumstances have been fine on all 2.2.x releases. There have been a ton of edge cases though, which we (and strongswan) have resolved more and more of in each release. 2.2.3 was unacceptably bumpy there with some mobile ipsec.secrets breakage (but also fixing other formerly-broken circumstances, in breaking the other) and AES-NI breaking non-GCM AES modes. There are hundreds of thousands of possible combinations of options with IPsec, so it's easy to have huge gaps in your coverage even when you do pretty significant testing. The last of the IPsec issues should be fixed once and for all in 2.2.4 snapshots. We're working through the last of the possible major test circumstances to finish verification. Our test cases have been expanded significantly with each release, and now should cover enough combinations of things to avoid such regressions in the future.

    We always could use more pre-release outside testing to help with circumstances that we can't or aren't replicating for whatever reason (most often: hardware-specific things, or really atypical usage).

    pinoyboy: I don't see any related posts from you in 5 months. A lot has changed since then. Time to try again, 2.2.4 release is coming soon, and it appears things are in as good of shape as 2.1.5/racoon and better in ways there.



  • Even after IPSEC is fixed I still think anyone who migrates to openvpn is doing themselves (and everyone else) a favor unless for some reason it's just required to use IPSEC.



  • Thank you cmb for the insight and update.  I will have to delay and try the next release, 2.2.4.  I held off after 2.2.1 due to current issues we had.  I am sure you guys are working your tails off to get things better.  kejianshi, unfortunately we have to play nice with some other partners and sites which have standardized on IPSEC, thus OpenVPN is not an option.  I would like to go to OpenVPN, but for now, we really do need to standardize with our partners.  OpenVPN would be great for some of our VoIP endpoints…we may have to do a hybrid solution.



  • Hello pinoyboy,

    two things from me on top of these things.

    I am a really great fan of pfSense (ok, I am a newbie) and also a little bit conservative;

    • IPSec VPN is common and is also treated in the business world as not broken
    • Terminating the VPN endpoint at the WAN interface of the firewall or UTM (pfSense)

    But if more problems come with it and the business must go on, you can try two things out.

    • If you are switching to OpenVPN you can try installing on both sites (Site-to-Site VPN) a compression card
      like the Comtech AHA363PCIe; this would speed up the entire throughput.
    • The other way, if you must handle more than one VPN method, you can fairly try out SoftEther VPN;
      it accepts nearly all VPN types! We installed a Linux VPN Server in the DMZ and therefore our pfSense
      is now running more stable, and the Linux based server is accepting these cards also!!! Here is a link for it:
      SoftEtherVPN And the best, if you want to stay with FreeBSD, it is
      also available for FreeBSD 10.1, Linux, Solaris, Windows, MacOS.

    All common VPN methods are accepted (OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3 and EtherIP)
    So if you have an old server hardware laying around, try it out; it also uses AES-NI!

    The Comtech cards are at $30 on eBay and are delivering 5 GBit/s.

