
Bug #9441

Setting Crypto HW breaks IPSec CBC

Added by Clinton Cory 7 months ago. Updated 7 months ago.

Status: New
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 03/29/2019
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:

Description

On the latest 2.5 snapshot from today (Mar 29th), I found IPSec CBC does not properly work if the "Cryptographic Hardware" setting under System -> Advanced -> Misc is configured for anything other than "none".

I encountered this on two SG-5100s (C3K based). The SG-5100 has QAT integrated, though it's not fully supported yet in pfSense.

Everything appears to work okay if Crypto Hardware is configured for something other than none, but if you try to send traffic across the tunnel, it will die once it reaches the far side's enc interface. You can see the traffic coming in, but it just dies without a trace. I didn't see anything useful logged anywhere. GCM works without issue.

There is a ticket relating to the IPSec Crypto Async option having issues with TCP (#8964). In this instance, I'm using UDP for my test and I also tested with and without the IPSec Crypto Async option enabled.

History

#1 Updated by Clinton Cory 7 months ago

  • Description updated (diff)
