Bug #8070

closed

IKEv2 IPSec tunnel under load crashes pfSense when AES-NI is enabled

Added by Jan Jurkus over 6 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 11/08/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture: amd64

Description

I want to refer you to this forum post: https://forum.pfsense.org/index.php?topic=139146.0

As I said, disabling AES-NI makes the problem disappear.

Forum member GyroK dug this up: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219356
It seems it is fixed in FreeBSD 11-STABLE.


Files

crashdumps.zip (39.8 KB) - Jan Jurkus, 11/08/2017 11:41 AM

#1

Updated by Paul Youngberg almost 6 years ago

Jan Jurkus wrote:

I want to refer you to this forum post: https://forum.pfsense.org/index.php?topic=139146.0

As I said, disabling AES-NI makes the problem disappear.

Forum member GyroK dug this up: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219356
It seems it is fixed in FreeBSD 11-STABLE.

Also observed in 2.4.3_p1

#2

Updated by Rachel Chen over 5 years ago

Paul Youngberg wrote:

Jan Jurkus wrote:

I want to refer you to this forum post: https://forum.pfsense.org/index.php?topic=139146.0

As I said, disabling AES-NI makes the problem disappear.

Forum member GyroK dug this up: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219356
It seems it is fixed in FreeBSD 11-STABLE.

Also observed in 2.4.3_p1

Can confirm issue on 2.4.3_p1. Forced to use AES-CBC which isn't exactly ideal.

#3

Updated by Rachel Chen over 5 years ago

Interestingly, it is seemingly working in 2.4.4-RELEASE. /var/etc/ipsec/ipsec.conf included for your entertainment:

P1 has AES-128-GCM and AES-256 (because Windows doesn't like my proposal for some reason).

# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    strictcrlpolicy = yes

conn con-mobile
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = yes

    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 30s
    dpdtimeout = 120s
    auto = add
    left = [redacted]
    right = %any
    leftid = fqdn:[redacted]
    ikelifetime = 28800s
    lifetime = 3600s
    rightsourceip = [redacted]
    rightdns = [redacted]
    ike = aes128gcm128-sha256-ecp256,aes256-sha256-ecp256!
    esp = aes128gcm128-sha256-ecp256,aes128gcm128-sha256-ecp256!
    eap_identity=%identity
    leftauth=pubkey
    rightauth=eap-tls
    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
    leftsendcert=always
    rightca=[redacted]
    leftsubnet = 2000::/3,0.0.0.0/0

System:

CPU Type    Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz
Current: 3600 MHz, Max: 3601 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)

Hardware crypto    AES-CBC,AES-XTS,AES-GCM,AES-ICM

Kernel PTI    Enabled

Tested on iOS 12.0.1/macOS 10.13.6, Windows 10 Pro for Workstations, no problems.

Windows configuration for those who are unhinged:

Set-VpnConnectionIPsecConfiguration -ConnectionName "ikev2" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -IntegrityCheckMethod SHA256 -EncryptionMethod AES256 -DHGroup ECP256 -PfsGroup ECP256 -PassThru
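As an added example (not part of this bug report or of pfSense), the following Python script checks which of the strongSwan `ike=`/`esp=` proposals above a Windows client configured with that `Set-VpnConnectionIPsecConfiguration` call can actually select. It explains why the AES-256 entry had to be added next to AES-GCM for the IKE SA. The mapping from Windows constants to strongSwan keywords is constructed for this example, and it assumes strongSwan's behaviour of ignoring integrity keywords in AEAD ESP proposals.

```python
from typing import Dict, List, Set

# Constructed mapping (an assumption for this example) from the constants that
# Set-VpnConnectionIPsecConfiguration accepts to strongSwan proposal keywords.
WIN_TO_SS: Dict[str, str] = {
    "AES128": "aes128", "AES256": "aes256",
    "GCMAES128": "aes128gcm128", "GCMAES256": "aes256gcm128",
    "SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384",
    "ECP256": "ecp256", "ECP384": "ecp384",
    "Group2": "modp1024", "Group14": "modp2048",
}
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512"}

def normalize_esp(prop: Set[str]) -> Set[str]:
    """strongSwan ignores integrity keywords in an ESP proposal that uses an
    AEAD cipher such as aes128gcm128 (assumed here), so drop them first."""
    if any("gcm" in k or "ccm" in k or "chacha" in k for k in prop):
        return prop - INTEGRITY
    return prop

def windows_ike(encryption: str, integrity: str, dh: str) -> Set[str]:
    """IKE SA proposal implied by -EncryptionMethod/-IntegrityCheckMethod/-DHGroup."""
    return {WIN_TO_SS[encryption], WIN_TO_SS[integrity], WIN_TO_SS[dh]}

def windows_esp(cipher: str, auth: str, pfs: str) -> Set[str]:
    """Child SA proposal implied by -CipherTransformConstants/
    -AuthenticationTransformConstants/-PfsGroup."""
    return normalize_esp({WIN_TO_SS[cipher], WIN_TO_SS[auth], WIN_TO_SS[pfs]})

def matching(ss_line: str, win: Set[str], esp: bool = False) -> List[str]:
    """Return the strongSwan proposals (as written) the Windows client can pick.
    A trailing '!' only marks the list as strict; it is not a keyword."""
    hits = []
    for raw in ss_line.strip().rstrip("!").split(","):
        prop = set(raw.split("-"))
        if esp:
            prop = normalize_esp(prop)
        if prop == win:
            hits.append(raw)
    return hits

IKE_LINE = "aes128gcm128-sha256-ecp256,aes256-sha256-ecp256!"  # from the comment above
ESP_LINE = "aes128gcm128-sha256-ecp256,aes128gcm128-sha256-ecp256!"
WIN_IKE = windows_ike("AES256", "SHA256", "ECP256")
WIN_ESP = windows_esp("GCMAES128", "GCMAES128", "ECP256")

if __name__ == "__main__":
    print("IKE:", matching(IKE_LINE, WIN_IKE))            # ['aes256-sha256-ecp256']
    print("ESP:", matching(ESP_LINE, WIN_ESP, esp=True))  # both GCM entries match
    # Without the AES-256 fallback this Windows profile has no IKE match at all:
    print("GCM-only IKE:", matching("aes128gcm128-sha256-ecp256!", WIN_IKE))  # []
```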

#4

Updated by Jim Pingle over 5 years ago

It's entirely possible that the fixes referenced in the original description were only fully/completely integrated into what eventually became FreeBSD 11.2, or other fixes may have come along after.

We can leave this open for a little longer to see if others are also noticing better stability on 2.4.4, but it's likely fixed.

#5

Updated by Marcos M over 3 years ago

  • Status changed from New to Closed