Bug #9441

closed

Setting Crypto HW breaks IPSec CBC

Added by Clinton Cory over 2 years ago. Updated 11 months ago.

Status: Rejected
Priority: Normal
Category: IPsec
Target version:
Start date: 03/29/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.5.0
Affected Architecture:

Description

On the latest 2.5 snapshot from today (Mar 29th), I found IPSec CBC does not properly work if the "Cryptographic Hardware" setting under System -> Advanced -> Misc is configured for anything other than "none".

I encountered this on two SG-5100s (C3K based). The SG-5100 has QAT integrated, though it's not fully supported yet in pfSense.

Everything appears to work okay if Crypto Hardware is configured for something other than none, but if you try to send traffic across the tunnel, it will die once it reaches the far side's enc interface. You can see the traffic coming in but it just dies without a trace. I didn't see anything useful logged anywhere. GCM works without issue.

There is a ticket relating to the IPSec Crypto Async option having issues with TCP (#8964). In this instance, I'm using UDP for my test and I also tested with and without the IPSec Crypto Async option enabled.
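The report says the packets reach the far side's enc interface and then "die without a trace", which is exactly the situation where counter deltas beat log hunting. The script below is an added diagnostic helper, not code from the bug report, from pfSense or from the reporter. It assumes FreeBSD/pfSense conventions: that pfSense stores the System > Advanced > Misc "Cryptographic Hardware" choice as a `<crypto_hardware>` element in `/cf/conf/config.xml`, that `kldstat` lists loaded kernel modules one per line, and that `netstat -s -p esp` prints one `<count> <description>` line per ESP counter. The parsing functions take their input on stdin or from files, so they can be exercised against constructed sample output; `diagnose_live` wires them to the real commands on the firewall.

```shell
#!/bin/sh
# Added diagnostic helper for "IPsec CBC traffic vanishes after the enc interface".
# Not part of the bug report or of pfSense; paths, element names and module
# names below are assumptions about FreeBSD/pfSense, not facts from the report.

# Print the configured crypto hardware from config.xml text on stdin.
# Assumes pfSense writes <crypto_hardware>VALUE</crypto_hardware> under <system>;
# prints "none" when the element is missing or empty.
crypto_hw_from_config() {
    hw=$(sed -n 's/.*<crypto_hardware>\([^<]*\)<\/crypto_hardware>.*/\1/p' | head -n 1)
    if [ -n "$hw" ]; then printf '%s\n' "$hw"; else printf 'none\n'; fi
}

# Given kldstat output on stdin, print the crypto accelerator/offload modules
# that are loaded (assumed module file names: aesni.ko, qat.ko, padlock.ko,
# cryptodev.ko, hifn.ko, safe.ko, ubsec.ko).
loaded_crypto_modules() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^(aesni|qat|padlock|cryptodev|hifn|safe|ubsec)\.ko$/) print $i }'
}

# Compare two snapshots of `netstat -s -p esp` saved in files $1 (before) and
# $2 (after sending test traffic) and print every counter that changed, with
# its delta. A growing drop/failure counter with no growth in "processed
# successfully" shows the packets are being discarded inside the decrypt path
# rather than being routed away after decryption.
counter_deltas() {
    awk '
        # counter lines look like "<whitespace><number> <description>"
        /^[[:space:]]*[0-9]+ / {
            n = $1; $1 = ""; sub(/^ /, "")
            if (FILENAME == ARGV[1]) before[$0] = n
            else if (($0 in before) && n - before[$0] != 0)
                printf "%+d %s\n", n - before[$0], $0
        }' "$1" "$2"
}

# Live use on the pfSense box: show the crypto setting and loaded modules,
# snapshot the ESP counters, let the operator send UDP test traffic through the
# tunnel, snapshot again and print what moved.
diagnose_live() {
    printf 'crypto_hardware: %s\n' "$(crypto_hw_from_config < /cf/conf/config.xml)"
    printf 'loaded modules: %s\n' "$(kldstat | loaded_crypto_modules | tr '\n' ' ')"
    before=$(mktemp); after=$(mktemp)
    netstat -s -p esp > "$before"
    printf 'Send UDP test traffic through the tunnel now, then press Enter.\n'
    read -r dummy
    netstat -s -p esp > "$after"
    counter_deltas "$before" "$after"
    rm -f "$before" "$after"
}

# Run the live diagnosis only when asked; sourcing the file just defines the helpers.
if [ "${1:-}" = "--live" ]; then diagnose_live; fi
```

Run it with `--live` on each tunnel endpoint, once with Cryptographic Hardware set to `none` and once with the accelerator selected; the pair of counter deltas, rather than the absence of log lines, is what tells you whether the far side decrypts the CBC packets and drops them afterwards or never gets them through the crypto driver at all.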

#1

Updated by Clinton Cory over 2 years ago

  • Description updated
#2

Updated by Steve Beaver about 1 year ago

  • Assignee set to Luiz Souza
#3

Updated by Steve Beaver 11 months ago

  • Assignee changed from Luiz Souza to Renato Botelho
#4

Updated by Renato Botelho 11 months ago

  • Status changed from New to Rejected

It was probably fixed by the many changes on FreeBSD since it was opened. I couldn't reproduce it using SG-5100.

If you are still able to reach this problem, please re-open.
