IPSEC traffic stalling after 20.7.1 upgrade

[proctor]

Thanks for the hint, I will give it a try (just changed and rebooted).

[glasi]

Sill no problems on my end with AES-NI and SHA256.

Have you ever tried AES-GCM instead of AES?

[franco]

Might be https://cgit.freebsd.org/src/commit/?id=62e32cf9140e6c13663dcd69ec3b3c7ca4579782 just a couple of days old.


Cheers,
Franco

[Gilad]

Hi, I have a similar problem with OPNsense 21.1.5 running on DEC850 (AMD EPYC 3201). IPsec VPN "Road Warrior" to an iOS device, with the following settings: AES-256, SHA256, DH-14 and ESP.

I can connect successfully, and the VPN tunnel works for 10-20 seconds, but then just dies. I've tried different combinations of encryption and hash, with the same results.

Is the only option currently to disable the AES-NI accelaration?

[jfranken]

On our OPNsense 21.1.4/DEC3850 we were experiencing several hanging ipsec ikev2 associations per day until I disabled aesni.

Four weeks ago, I changed the phase 1 and 2 algorithms from CBC (aes256-sha256-modp2048!) to GCM (aes256gcm16-sha256-modp2048!) and re-enabled aesni. Since then, not a single hitch, same with 21.1.5.

Check

grep -e " ike =" -e " esp =" /usr/local/etc/ipsec.conf

to test if you got them all.

Regards
Johannes Franken

[fraenki]

This issue will be fixed in today's release of OPNsense 21.1.6 (about to be released in the upcoming hours).

If it does not solve your issue, then you're most likely experiencing a different issue.
In that case I'd suggest to report a new issue on GitHub.


Regards
- Frank