The tunnel traffic still stalls after a while (it did so after about 100MB inbound traffic).
I plan to test again with an older version of strongswan (the one that was included in 20.1.4; need to find out the version number).
This won't work since the ABI changed.
Sep 8 17:03:05 charon[62985]: 05[IKE] <con5|1> giving up after 10 path probings
Sep 8 17:03:05 charon[62985]: 05[IKE] <con5|1> restarting CHILD_SA con5
I plan to test again with an older version of strongswan (5.8.3, which was included in 20.1.4). I also plan to test with strongswan 5.9. But this will take some time, because I need to build these packages for FreeBSD 12.1 first.
I need some screenshots of Phase1 and Phase2.
I tend to assume that this is not really an IPsec bug. It could be related to the hardware platform. My firewalls are running on A2SDi-2C-HLN4F with an Intel C3338 CPU and Intel C3000 NIC chip. This NIC chip is driven by the ix driver on FreeBSD.
@Andreas_ Which hardware are you using, especially the NIC chip/driver? And could you share a screenshot of the Interfaces -> Settings page?
I had massive IPsec problems after updating to 20.7.
I am running OPNsense on comparable hardware (A2SDi-4C-HLN4F).
I've updated to OPNsense 20.7.3 from 20.1, today. My first IPsec tests do not show any incorrect behaviour. I've pushed nearly 8 GB through the IPsec tunnel in each direction.
IPsec settings...
Hello,
that is my first post at this forum and I found this topic while searching for the described problem. I don't know your short hardware description, but I run OPNsense on Intel hardware (scope7 1510*). If I can do something to help, just tell me. I am not familiar with OPNsense yet. I just started replacing one of our bintec routers.
Regards, Proctor
* https://www.landitec.com/products/open-source-appliance-solutions/scope7-open-source-appliances/scope7-1510-detail/
Without a vlan I could not reproduce the stalling.
So please forget the vlan part.
[Network diagram, reconstructed from a collapsed ASCII drawing: OPNsense 20.7.4 (Intel Atom C3558, 8 GB RAM) --- IPsec tunnel, IPv4, policy based --- OPNsense 20.7.4 (Intel Atom C3558, 8 GB RAM) --- LACP trunk, VLAN, 2x 1 Gb/s --- Cisco SG250-18 switch. Below these: File server (VLAN 10) and Client (VLAN 70), each on a 1 Gb/s link.]
If anyone is still affected by IPsec instability, please test the following:
Change the following setting...
System: Settings: Miscellaneous -> Hardware acceleration
...from "AES-NI CPU-based" to "none" and save the change. Be sure to reboot the firewall afterwards.
Please report back.
Thanks
- Frank
Hello Frank, we have the exact same problem with a newly installed 21.1. Disabling hardware acceleration doesn't help us. We tried to run the VM with an e1000 card instead of a vmxnet3 VMware card; nothing helps.
The setup works properly with EAP-RADIUS and W10 IKEv2 clients, but after transmitting 200 - 250 MByte of data the tunnel stalled.
Any Ideas?
What made you believe this was the fault of the AES-NI acceleration?
The problem could be fixed! The fault was the activation of PFS. The Windows 10 client does not receive this setting if it is not appropriately set via PowerShell. This then led to exactly this error pattern.
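As an added example (not from the thread or from the OPNsense project), this is the PowerShell on the Windows 10 side that applies the PFS setting the post above refers to. It assumes a VPN profile name and Phase 2 proposal values (AES-256, SHA-256, DH group 14) that are placeholders and must be changed to match the firewall's own Phase 2 entry.

```powershell
# Added example, not from the thread. Aligns the Windows 10 built-in IKEv2 client's
# CHILD_SA proposal with an OPNsense peer that has PFS enabled on Phase 2.
# Assumptions (placeholders): profile name "OPNsense-IKEv2"; the OPNsense Phase 2
# entry uses AES-256 / SHA-256 with DH group 14 (2048 bit) for PFS. Adjust to match.
$connectionName = "OPNsense-IKEv2"

# Show what the client currently proposes. As the post notes, the client does not
# apply PFS unless it is set here, so a peer that requires PFS rejects the CHILD_SA
# rekey and traffic stops once the rekey is triggered (time or data volume).
Write-Host "Current IPsec custom policy for '$connectionName':"
(Get-VpnConnection -Name $connectionName).IPsecCustomPolicy | Format-List

# Apply a custom policy that explicitly enables PFS on the child SA.
Set-VpnConnectionIPsecConfiguration -ConnectionName $connectionName `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -Force

# Verify: PfsGroup must no longer read "None".
$policy = (Get-VpnConnection -Name $connectionName).IPsecCustomPolicy
if ($null -eq $policy -or $policy.PfsGroup -eq "None") {
    Write-Warning "PFS is still disabled; rekeys will keep failing against a PFS-enforcing peer."
} else {
    Write-Host "PFS group now: $($policy.PfsGroup)"
}
```

Run from an elevated PowerShell after the profile exists; the strongSwan log on the firewall at the next rekey is the quickest confirmation that the proposals now match.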
grep -e " ike =" -e " esp =" /usr/local/etc/ipsec.conf |