Bug #13074
openAES-GCM with SafeXcel on Netgate 2100 causes MBUF overload
Description
Running IPsec tunnels on a Netgate 2100 with AES-GCM and SafeXcel enabled seems to cause an MBUF overload, requiring a reboot to re-establish the tunnel.
First spotted by NOCling in the forums. I was able to reproduce on my own 6100-2100 IPsec setup.
https://forum.netgate.com/topic/171469/netgate-2100-s2s-aes-gcm-and-safexcel-mbuf-overload
Updated by Chris S over 2 years ago
Reverting to AES-CBC with SHA384 in P1 and P2 works perfectly, even with SafeXcel enabled. Only seems to apply to AES-GCM.
Updated by Jim Pingle over 2 years ago
- Has duplicate Bug #13075: Netgate 2100 IPsec S2S AES GCM and SafeXcel mbuf overload added
Updated by Marcos M over 2 years ago
Note that the issue may not be specific to SafeXcel - e.g. it could happen with Intel QAT as well.
Updated by Chris S over 2 years ago
Marcos Mendoza wrote in #note-3:
Note that the issue may not be specific to SafeXcel - e.g. it could happen with Intel QAT as well.
That is of course a possibility and not to be disregarded, but in this specific scenario the fault was definitively with the Netgate 2100 and not the Netgate 6100. The basis for this claim is that the 6100 has three other VPN tunnels all with AES-GCM working fine. These three tunnels are to a Netgate 1537, a SonicWall NSA2600 and a SonicWall TZ670. Furthermore, once the crash happened only a reboot of the Netgate 2100 solved the issue. The Netgate 6100 did not need to be rebooted, nor did rebooting it help.
There could of course theoretically be something with QAT in the 6100, but this particular error that we reported only seems to be regarding SafeXcel in the 2100.
Updated by Marcos M over 2 years ago
I mean to say it's not a SafeXcel issue specifically. Thank you for confirming it's only on the 2100 (ARM) platform.
Updated by luckman212 over 2 years ago
I believe I have hit this as well, 2100 to 7100 GCM tunnel. Is there an upstream FreeBSD bugreport? I believe the factory defaults for the 2100 have SafeXcel disabled, is that correct?