Bug #9441

closed

Setting Crypto HW breaks IPSec CBC

Added by Clinton Cory almost 6 years ago. Updated about 4 years ago.

Status: Rejected
Priority: Normal
Category: IPsec
Target version:
Start date: 03/29/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.5.0
Affected Architecture:

Description

On the latest 2.5 snapshot from today (Mar 29th), I found that IPSec CBC does not work properly if the "Cryptographic Hardware" setting under System -> Advanced -> Misc is configured for anything other than "none".

I encountered this on two SG-5100s (C3K based). The SG-5100 has QAT integrated, though it's not fully supported yet in pfSense.

Everything appears to work okay if Crypto Hardware is configured for something other than none, but if you try to send traffic across the tunnel, it will die once it reaches the far side's enc interface. You can see the traffic coming in, but it just dies without a trace. I didn't see anything useful logged anywhere. GCM works without issue.

There is a ticket relating to the IPSec Crypto Async option having issues with TCP (#8964). In this instance, I'm using UDP for my test, and I also tested with and without the IPSec Crypto Async option enabled.
