Wednesday, April 21, 2021

Site-to-Site IPsec issue with 21.x release of pfSense

I ran into this issue a few months back when I upgraded the Netgate SG-5100 from 2.4.5 to 21.01. That night I noticed that I had issues with my IPsec site-to-site VPNs. I also have several OpenVPN site-to-site VPNs, but they were unaffected.

Last night, I ran into the same issue when upgrading from 2.4.5 to 21.02-2. Same customer. When I did this upgrade (to fix another problem), this IPsec issue came back again. In doing some research, I found this link in the Netgate forum:

After reading through this, I verified my settings.  Sure enough, I was using SHA256 as my hash for my VPN settings.  I made the following changes:

1.  Changed from SHA256 to SHA512 (from what I read, use anything but SHA256 or SHA1)

2.  Disabled AES-NI by going to System --> Advanced --> Miscellaneous --> Cryptographic Hardware, and changing that setting from "AES-NI and BSD crypto device" to "Intel QuickAssist (QAT)".
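As an added check that is not part of the original post, the script below audits an exported pfSense config backup for the two settings changed above: IPsec proposals still using SHA1 or SHA256, and a Cryptographic Hardware setting that still selects AES-NI. The XML element names and the sample backup are assumptions modelled on a typical config.xml export, so verify them against your own backup before relying on the result.

```python
"""Audit an exported pfSense config.xml for the two settings this post changes."""
import xml.etree.ElementTree as ET

# Hashes the post says to avoid in IPsec proposals on 21.x.
PROBLEM_HASHES = {"sha1", "sha256"}

# Constructed sample mirroring a pfSense config backup. Element names are an
# assumption based on typical exports; check them against your own file.
SAMPLE_CONFIG = """<pfsense>
  <system><crypto_hardware>aesni</crypto_hardware></system>
  <ipsec>
    <phase1>
      <descr>Branch A</descr>
      <encryption><item><hash-algorithm>sha256</hash-algorithm></item></encryption>
    </phase1>
    <phase1>
      <descr>Branch B</descr>
      <encryption><item><hash-algorithm>sha512</hash-algorithm></item></encryption>
    </phase1>
    <phase2>
      <descr>Branch A LAN</descr>
      <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
    </phase2>
  </ipsec>
</pfsense>"""


def audit_ipsec(config_xml: str) -> dict:
    """Return IPsec entries using SHA1/SHA256 and whether AES-NI is selected."""
    root = ET.fromstring(config_xml)
    findings = []
    for phase in ("phase1", "phase2"):
        for entry in root.iter(phase):
            descr = entry.findtext("descr", default="(no description)")
            # Phase 1 uses <hash-algorithm>, phase 2 <hash-algorithm-option>.
            for hash_el in entry.iter():
                if hash_el.tag.startswith("hash-algorithm") and hash_el.text:
                    algo = hash_el.text.strip().lower().replace("hmac_", "")
                    if algo in PROBLEM_HASHES:
                        findings.append((phase, descr, algo))
    crypto = root.findtext("system/crypto_hardware", default="")
    return {"weak_hashes": findings, "aesni_selected": "aesni" in crypto}


if __name__ == "__main__":
    report = audit_ipsec(SAMPLE_CONFIG)
    for phase, descr, algo in report["weak_hashes"]:
        print(f"{phase} '{descr}' uses {algo}; consider SHA512 as in the post")
    if report["aesni_selected"]:
        print("Cryptographic Hardware still selects AES-NI")
```

Point it at a real backup with `audit_ipsec(open("config.xml").read())` after confirming the element names match your export.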