Netgate Discussion Forum

    Alix unstable under IPSEC Load on PFSense 2.2.5

    Scheduled Pinned Locked Moved IPsec
    6 Posts 2 Posters 1.2k Views
    • B
      bitbasher

      Hey guys and gals,

      Seem to have some issues with firewall stability under IPSEC load on Alix LX800 with the new 2.2.5 release. No issues with 2.0/2.1; seems to directly correlate with the move to strongswan.

      Has anyone seen similar troubles?

      Tunnels are AES128 IKEv1, site to site. Identical Hardware.

      I start a file transfer between one site and the other. The other site is using a slightly older 2.1.x release.
      Shortly after I see:

      • DNS Queries no longer responded to

      • Outbound Internet Access no longer possible

      • Web Interface no longer responding

      Cancelling the transfer sees the unit recover, however very slowly.

      Not seeing massive load on the console when this is happening so AES acceleration is working as expected.

      Would have filed a bug but there is so little debugging info to send!

      • D
        doktornotor Banned

        Use OpenVPN. Problem solved.

        • B
          bitbasher

          @doktornotor:

          Use OpenVPN. Problem solved.

          Would love to but not an option -> https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported#Benchmarks

          • D
            doktornotor Banned

            And the big deal is exactly what? Getting ~3Mbps more throughput? You must have weird priorities.

            • B
              bitbasher

              @doktornotor:

              And the big deal is exactly what? Getting ~3Mbps more throughput? You must have weird priorities.

              The difference was actually pretty big in our case. Either way this is a regression so hopefully someone has experienced this and has more useful suggestions.

              • D
                doktornotor Banned

                I cannot see what suggestions exactly you expect. There have been shitloads of complaints about strongswan since the 2.2 release. If you want a stable VPN, ditch this IPsec thing. Waste of time. (And, if throughput is your concern, then sorry to say but Alix is NOT a fit-for-purpose device in the first place. As noted above, with AES128 and cryptodev, the difference is absolutely marginal. If it was "pretty big" then you need to configure OpenVPN properly.)

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.