Bug #8070: IKEv2 IPSec tunnel under load crashes pfSense when AES-NI is enabled - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.07 Plus - All Closed Issues
24.07 Plus - All Open Issues
24.07 Plus - Feedback Issues
24.07 Plus - Needs Attention/Work
24.07 Plus - New/Confirmed/In Progress Issues
24.07 Plus - Pull Request Review
24.07 Plus - Waiting on Merge
24.07 Target - All Closed Issues
24.07 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #8070

closed

IKEv2 IPSec tunnel under load crashes pfSense when AES-NI is enabled

Added by Jan Jurkus over 6 years ago. Updated over 3 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Category:

IPsec

Target version:

Start date:

11/08/2017

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

Affected Architecture:

amd64

Description

I want to refer you to this forumpost: https://forum.pfsense.org/index.php?topic=139146.0

As I said, disabling AES-NI makes the problem disappear.

Forummember GyroK dug this up: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219356
It seems it is fixed in FreeBSD 11-STABLE.

Files

crashdumps.zip (39.8 KB) crashdumps.zip

Jan Jurkus, 11/08/2017 11:41 AM

History
Notes
Property changes

Actions

Copy link

Updated by Paul Youngberg almost 6 years ago

Jan Jurkus wrote:

I want to refer you to this forumpost: https://forum.pfsense.org/index.php?topic=139146.0

As I said, disabling AES-NI makes the problem disappear.

Forummember GyroK dug this up: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219356
It seems it is fixed in FreeBSD 11-STABLE.

Also observed in 2.4.3_p1

Actions

Copy link

Updated by Rachel Chen over 5 years ago

Paul Youngberg wrote:

Jan Jurkus wrote:

I want to refer you to this forumpost: https://forum.pfsense.org/index.php?topic=139146.0

As I said, disabling AES-NI makes the problem disappear.

Forummember GyroK dug this up: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219356
It seems it is fixed in FreeBSD 11-STABLE.

Also observed in 2.4.3_p1

Can confirm issue on 2.4.3_p1. Forced to use AES-CBC which isn't exactly ideal.

Actions

Copy link

Updated by Rachel Chen over 5 years ago

Interestingly, it is seemingly working in 2.4.4-RELEASE. /var/etc/ipsec/ipsec.conf included for your entertainment:

P1 has AES-128-GCM and AES-256 (because Windows doesn't like my proposal for some reasons).

# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    strictcrlpolicy = yes 

conn con-mobile
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = yes

    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 30s
    dpdtimeout = 120s
    auto = add
    left = [redacted]
    right = %any
    leftid = fqdn:[redacted]
    ikelifetime = 28800s
    lifetime = 3600s
    rightsourceip = [redacted]
    rightdns = [redacted]
    ike = aes128gcm128-sha256-ecp256,aes256-sha256-ecp256!
    esp = aes128gcm128-sha256-ecp256,aes128gcm128-sha256-ecp256!
    eap_identity=%identity
    leftauth=pubkey
    rightauth=eap-tls
    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
    leftsendcert=always
    rightca=[redacted]
    leftsubnet = 2000::/3,0.0.0.0/0

System:

CPU Type    Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz
Current: 3600 MHz, Max: 3601 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)

Hardware crypto    AES-CBC,AES-XTS,AES-GCM,AES-ICM

Kernel PTI    Enabled

Tested on iOS 12.0.1/macOS 10.13.6, Windows 10 Pro for Workstations, no problems.

Windows configuration for those who are unhinged:

Set-VpnConnectionIPsecConfiguration -ConnectionName "ikev2" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -IntegrityCheckMethod SHA256 -EncryptionMethod AES256 -DHGroup ECP256 -PfsGroup ECP256 -PassThru

Actions

Copy link

Updated by Jim Pingle over 5 years ago

It's entirely possible that the fixes referenced in the original description were only fully/completely integrated into what eventually became FreeBSD 11.2, or other fixes may have come along after.

We can leave this open for a little longer to see if others are also noticing better stability on 2.4.4, but it's likely fixed.

Actions

Copy link