Alix unstable under IPSEC Load on PFSense 2.2.5



  • Hey guys and gals,

    Seem to have some issues with firewall stability under IPSEC load on Alix LX800 with the new 2.2.5 release. No issues with 2.0/2.1; seems to directly correlate with the move to strongswan.

    Has anyone seen similar troubles?

    Tunnels are AES128 IKEv1, site to site. Identical Hardware.

    I start a file transfer between one site and the other. The other site is using a slightly older 2.1.x release.
    Shortly after I see:

    • DNS Queries no longer responded to

    • Outbound Internet Access no longer possible

    • Web Interface no longer responding

    Cancelling the transfer sees the unit recover, however very slowly.

    Not seeing massive load on the console when this is happening so AES acceleration is working as expected.

    Would have filed a bug but there is so little debugging info to send!


  • Banned

    Use OpenVPN. Problem solved.



  • @doktornotor:

    Use OpenVPN. Problem solved.

    Would love to but not an option -> https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported#Benchmarks


  • Banned

    And the big deal is exactly what? Getting ~3Mbps more throughput? You must have weird priorities.



  • @doktornotor:

    And the big deal is exactly what? Getting ~3Mbps more throughput? You must have weird priorities.

    The difference was actually pretty big in our case. Either way this is a regression so hopefully someone has experienced this and has more useful suggestions.


  • Banned

    I cannot see what suggestions exactly you expect. There have been shitloads of complaints about strongswan since 2.2 release. If you want a stable VPN, ditch this IPsec thing. Waste of time. (And, if throughput is your concern, then sorry to say but Alix is NOT a fit for purpose device in the first place. As noted above, with AES128 and cryptodev, the difference is absolutely marginal. If it was "pretty big" then you need to configure OpenVPN properly.)

