Bug #4791

AES-NI on 2.2.3-RELEASE broken with non AES-GCM modes

Added by David Harrigan about 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Very High
Assignee: -
Category: IPsec
Target version:
Start date: 06/26/2015
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.2.3
Affected Architecture: amd64

Description

Hi,

Numerous reports are coming in of IPSec not working correctly with the 2.2.3-RELEASE. Multiple failures on site-to-site (seems to be NAT related and UDP), and mobile connection failures (secret keys not working).

References here:

https://forum.pfsense.org/index.php&topic=95659.0
https://forum.pfsense.org/index.php?topic=95647.0
https://forum.pfsense.org/index.php?topic=95646.0
https://forum.pfsense.org/index.php?topic=95633.0
https://forum.pfsense.org/index.php?topic=95620.0

Detailed reports within the postings contain log files and diagnostics.

Thank you.

-=david=

History

#1 Updated by Jim Pingle about 4 years ago

Looks like it's related to the AESNI module now attempting to process all AES rather than only AES-GCM. It works fine for AES-GCM, but not others (e.g. AES-256).
Disable AESNI and reboot or temporarily switch to a non-AES cipher in Phase 2 to work around it until we post a fix.

#2 Updated by Jim Pingle about 4 years ago

  • Category set to IPsec
  • Target version set to 2.2.4
  • Affected Version set to 2.2.3
  • Affected Architecture set to amd64

#3 Updated by Jim Thompson about 4 years ago

  • Subject changed from IPSec on 2.2.3-RELEASE broken to AES-NI on 2.2.3-RELEASE broken with non AES-GCM modes

#4 Updated by Renato Botelho about 4 years ago

  • Status changed from New to Feedback

Patch that broke it (ipsec_aescbc_aesni.diff) was reverted. Should be fine on 2.2.4 snapshots.

#5 Updated by Chris Sutcliff about 4 years ago

Not sure if it's needed but I can confirm that disabling AESNI works.

#6 Updated by Mark Janssen about 4 years ago

I just hit this issue as well, disabling AES-NI did the trick. It's a bit unfortunate that the release notes/blog post weren't updated with this information.

#7 Updated by Chris Buechler about 4 years ago

  • Status changed from Feedback to Resolved

fixed
