IPSec - Upgrade to 2.3 removes AES-GCM encryption options from Phase 1



  • Good morning,

    I have a few pfSense boxes which are still running 2.2 and one pfSense box that has been upgraded to 2.3. I've noticed when configuring an IPSec tunnel between the two that several encryption options are missing from the Phase 1 configuration for 2.3. Of particular note is that the AES-GCM options are not available, which is causing issues with IPSec tunnels that were previously configured to use this.

    More importantly, a 2.2.6 box upgraded to 2.3 will change the AES-256-GCM mode (at least according to the GUI) to AES-128 bits. I don't know if this is accurate internally but if the configuration is saved it will cause the Phase 1 to fail because it cannot agree on an encryption parameter.

    Options available in 2.3:

    AES - 128, 192, 256
    Blowfish - 128, 192, 256
    3DES
    CAST 128

    Options available in 2.2.6

    AES - 128, 192, 256
    AES-128-GCM
    AES-192-GCM
    AES-256-GCM

    Blowfish - 128, 192, 256
    3DES
    CAST128
    DES (Thank you for removing this)

    I've been able to fix my VPN tunnels by modifying the Phase 1 encryption to AES 128 bit.

    Is this a bug or something intended with the 2.3 release? I'd love to report it as a bug, but I'm not sure where to do that.



  • @Josh:

    Good morning,

    I have a few pfSense boxes which are still running 2.2 and one pfSense box that has been upgraded to 2.3. I've noticed when configuring an IPSec tunnel between the two that several encryption options are missing from the Phase 1 configuration for 2.3. Of particular note is that the AES-GCM options are not available, which is causing issues with IPSec tunnels that were previously configured to use this.

    More importantly, a 2.2.6 box upgraded to 2.3 will change the AES-256-GCM mode (at least according to the GUI) to AES-128 bits. I don't know if this is accurate internally but if the configuration is saved it will cause the Phase 1 to fail because it cannot agree on an encryption parameter.

    Options available in 2.3:

    AES - 128, 192, 256
    Blowfish - 128, 192, 256
    3DES
    CAST 128

    Options available in 2.2.6

    AES - 128, 192, 256
    AES-128-GCM
    AES-192-GCM
    AES-256-GCM

    Blowfish - 128, 192, 256
    3DES
    CAST128
    DES (Thank you for removing this)

    I've been able to fix my VPN tunnels by modifying the Phase 1 encryption to AES 128 bit.

    Is this a bug or something intended with the 2.3 release? I'd love to report it as a bug, but I'm not sure where to do that.

    I have already create an bug issue on the missing GCM in phase1 (which actually is called IKA SA when using IKEv2)

    https://redmine.pfsense.org/issues/5990

    I was the one that created a git pull request to put GCM into phase 1 for pfsense 2.2.4-2.2.6 but someone tought it wasn't a valid option for phase 1 and took it out together with DES. So one good thing came out of it but now we are missing GCM.

    I have read a lot of RFC's and it should definitely be an option  but the whole phase 1 and phase 2 should probably be redesigned since this is only terms when talking IKEv1.

    IKEv2 has:
    IKE SA, known as phase1 in IKEv1
    IPsec SA , known as phase2 in IKEv1



  • Getting this same issue on a fresh install of 2.3.1 in Hyper-V  :-[

    does 2.3.1_5 resolve this or is there another option?



  • So it looks like AES-GCM is broken until 2.3.2.  Anyone know the ETA for this?  I know that 2.3 brings an amazing interface but I am finding lots of performance issues with ipsec since leaving 2.1.x

    IPSEC across the board for me is incredibly slow.  My Hyper-V server has 1GB inbound and 500 mbit outbound and I am unable to pull more than 2-3mbit down from the hyper-V server at any given time.



  • AES-GCM is absolutely not broken, in any version. It's the only thing we use internally for our VPNs. Its removal from P1 was overly-excessive, since it can work with IKEv2 in that context (diffs in IKEv1 and v2 aside, talking how the GUI presents it), though it's not really important from a performance perspective which you use in P1.



  • So if I want to take advantage of AES-GCM how do I do so when I cannot select it in my P1 unless P2 is only where it matters?



  • P2 is where it matters.


  • Rebel Alliance Developer Netgate

    Also, FYI- If you choose to use AES-GCM in P1 for an IKEv2 tunnel, use AES-XCBC for the "hash" algorithm (really it's a PRF in that case and not a hash…).