Bug #9441
Setting Crypto HW breaks IPSec CBC (status: closed)
Description
On the latest 2.5 snapshot from today (Mar 29th), I found IPSec CBC does not properly work if the "Cryptographic Hardware" setting under System -> Advanced -> Misc is configured for anything other than "none".
I encountered this on two SG-5100s (C3K-based). The SG-5100 has QAT integrated, though it's not fully supported yet in pfSense.
Everything appears to work okay if Crypto Hardware is configured for something other than none, but if you try to send traffic across the tunnel, it will die once it reaches the far side's enc interface. You can see the traffic coming in, but it just dies without a trace. I didn't see anything useful logged anywhere. GCM works without issue.
There is a ticket relating to the IPSec Crypto Async option having issues with TCP (#8964). In this instance, I'm using UDP for my test and I also tested with and without the IPSec Crypto Async option enabled.
Updated by Anonymous about 4 years ago
- Assignee changed from Luiz Souza to Renato Botelho
Updated by Renato Botelho about 4 years ago
- Status changed from New to Rejected
It was probably fixed by the many changes in FreeBSD since it was opened. I couldn't reproduce it using an SG-5100.
If you are still able to reach this problem, please re-open.