Bug #4791 (closed)
AES-NI on 2.2.3-RELEASE broken with non AES-GCM modes
Description
Hi,
Numerous reports are coming in of IPSec not working correctly with the 2.2.3-RELEASE. Multiple failures on site-to-site (seems to be NAT related and UDP), and mobile connection failures (secret keys not working).
References here:
https://forum.pfsense.org/index.php&topic=95659.0
https://forum.pfsense.org/index.php?topic=95647.0
https://forum.pfsense.org/index.php?topic=95646.0
https://forum.pfsense.org/index.php?topic=95633.0
https://forum.pfsense.org/index.php?topic=95620.0
Detailed reports within the postings contain log files and diagnostics.
Thank you.
-=david=
Updated by Jim Pingle over 9 years ago
Looks like it's related to the AESNI module now attempting to process all AES rather than only AES-GCM. It works fine for AES-GCM, but not others (e.g. AES-256).
Disable AESNI and reboot or temporarily switch to a non-AES cipher in Phase 2 to work around it until we post a fix.
Updated by Jim Pingle over 9 years ago
- Category set to IPsec
- Target version set to 2.2.4
- Affected Version set to 2.2.3
- Affected Architecture amd64 added
- Affected Architecture deleted ()
Updated by Jim Thompson over 9 years ago
- Subject changed from IPSec on 2.2.3-RELEASE broken to AES-NI on 2.2.3-RELEASE broken with non AES-GCM modes
Updated by Renato Botelho over 9 years ago
- Status changed from New to Feedback
Patch that broke it (ipsec_aescbc_aesni.diff) was reverted. Should be fine on 2.2.4 snapshots.
Updated by Chris Sutcliff over 9 years ago
Not sure if it's needed, but I can confirm that disabling AESNI works.
Updated by Mark Janssen over 9 years ago
I just hit this issue as well, disabling AES-NI did the trick. It's a bit unfortunate that the release notes/blog post weren't updated with this information.