
Messages - Tacoma

The good news:
Just ran an iperf test on my IPsec gateway VPN, which has gigabit fiber connections on the WAN side.
My hardware on both ends is a Supermicro motherboard with 8-core ATOM CPUs and 8 GB of memory.
Here are the results from one iperf test:

Client connecting to x.x.x.1, UDP port 5001
Sending 1470 byte datagrams, IPG target: 11.76 us (kalman adjust)
UDP buffer size: 56.0 KByte (default)
[  3] local x.x.x.5 port 18443 connected with x.x.x.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  1.16 GBytes   999 Mbits/sec
[  3] Sent 849358 datagrams

Which is 99.9% of the theoretical bandwidth.

The bad news for release 2.4.2: this was run on release 2.3.4.

I have run these gateway VPNs for years on Version 2.x with good results.
But now with upgrading 2.4.x things went to crap.
Recently after upgrading to 2.4.x I began to get Kernel crashes on one side.
I read up on this in the pfsense forum and found recommendations for some buffer settings on ports; there were some discussions about FreeBSD issues, so I tried the latest DEV version, I played with MTU settings, and I started with fresh installs of 2.4.2 on both sides, all to no avail. When I benchmarked 2.4.x I was getting less than 1/3 of the throughput, or worse, compared to V 2.3.4.

I did benchmark testing using the following:

iperf pfsense to pfsense
iperf run in command line windows
ftp transfers
SMB file copy and pasting

Anyone know if this release has a fix for this issue?

2.4.3-DEVELOPMENT (amd64)
built on Tue Mar 13 10:14:21 CDT 2018
FreeBSD 11.1-RELEASE-p7

I see this is a patched version of FreeBSD, and there was a reference to ipsec fixes in the release notes, but it wasn't clear if this fixed this same issue.

One clarification on my application: I am using a Supermicro motherboard with pfsense installed directly to the hard drive. No VM software involved.

Having what I believe is this issue since moving to 2.4.x.
Here is a picture of the console with the Kernel crash.
No log available.
Reverted back to version 2.3.x and the problem has not occurred as of yet.

I didn't mention it in the last post, but after the changes I rebooted both sides, and the tunnel came up. But I just went ahead and added the VPN>IPsec, Pre-Shared Keys tab entries, with identifiers, back in, rebooted, and the tunnel came up again. Will leave this as the new running config and will watch it for stability to make sure it survives rekey and all.

Only because they were already there before. Reboot, or stop then start strongswan, and it'll stop working again (or possibly later during rekey without stop/start).

I have a working version now. (see image below)

When I set up the Peer Identifier to Distinguished as a FQDN on both sides, it started working.
I was also using this recommendation from cmb:

If you go to VPN>IPsec, Pre-Shared Keys tab, and add an identifier with your FQDN and PSK there, that should work. FQDNs used there are put into ipsec.secrets as the FQDN without the leading @ forcing it to a FQDN type, which means strongswan will resolve it to an IP and use the IP. That'll leave you with both the DN and IP identifiers, which will meet the requirement for main mode PSK.
Once the IPsec tunnel was working again I started backing out changes, and was able to remove the VPN>IPsec, Pre-Shared Keys tab, with identifiers as shown above and it still worked.

One note on this: my remote side was set up like the main site in that I was using dynamic DNS entries and distinguished names in the My identifier and Peer identifier fields, because if I left them as shown in the first post with IP addresses it didn't work.

Thanks for the help.  Hope this helps someone else down the road ...

An update on this.

I was concerned about the one pfsense device being located behind a router as causing these issues. One of the pfsense devices has a public IP address on its WAN port and no interposing router. So I tried the same test, as shown above, but using the pfsense device not behind a router with a dynamic DNS setup. The result was exactly the same. I did read some much older forum discussions where apparently this dynamic DNS setup used to work and was expected to work, and then stopped working with some version number. I remember one of the people saying that the dynamic DNS entry should resolve to an IP address.

In the past I have configured Cisco business routers in a very similar way and they supported a dynamic dns entry in this equivalent location.

I did make a quick unsuccessful attempt at using the Mutual RSA key using this quick start guide as a starting point.
In the guide it wasn't clear to me as to exactly which type of keys to generate, i.e. server key, user key, etc ...
I noticed they were recommending using IP addresses in the alternatives name, which defeats the whole point of dynamic dns.
i.e. they had ==> add an Alternative Names entry with a Type of IP and the Value set to the IP address of the WAN interface on Firewall A.

There are many other tests that I ran trying different combinations unsuccessfully, and a few more I intend to try.

So far it is all quiet on this one.
Did I put this in the right topic?
If not, could a moderator move it to the correct topic, to see if anyone has any idea?

Here are some of the errors shown in the IPsec logs:

Oct 16 08:46:23    charon: 09[CFG] <bypasslan|554> constraint requires public key authentication, but pre-shared key was used
Oct 16 08:46:23    charon: 09[CFG] <bypasslan|554> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Oct 16 08:46:23    charon: 09[CFG] <bypasslan|554> no alternative config found
Oct 16 08:46:23    charon: 09[IKE] <bypasslan|554> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 16 08:46:23    charon: 09[IKE] <bypasslan|554> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 16 08:46:23    charon: 09[ENC] <bypasslan|554> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

I have a working configuration that I make one change to (moving from fixed IP to dyndns), and it stops working.
This is either a bug, or admittedly I might be doing something wrong.

Currently testing with:

2.2.5-DEVELOPMENT (amd64)
built on Sat Jul 25 19:57:37 CDT 2015
FreeBSD 10.1-RELEASE-p15

Note, I originally tested with 2.2.4 with the same results, then applied the gitsync update to move from 2.2.4 to 2.2.5

This pfsense router sits behind another WAN router with TCP ports open that allow the VPN to function. I have a working configuration that has My Identifier configured as the IP address, with the public IP address of the WAN router (see config images below).

The configuration used is a working IPsec IKEv2 with P2 ESP.
The second image shows a configuration with a single change to the working configuration, setting My Identifier to Dynamic DNS, which does not work. Some of the confidential configuration settings have been changed to generic values, but you will get the idea looking at the images.

The first configuration works.

This second configuration using Dynamic DNS does NOT work.
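As an added example (not from the post or from pfSense/strongSwan itself), a small Python reducer for the charon log lines quoted above: it groups lines by IKE_SA id and, for every SA that ended in an AUTH_FAILED notify, pulls out the earlier CFG lines that explain why. The sample log is constructed from the lines in the post, and the cause table is an assumption of mine, not strongSwan's own classification.

```python
import re
from collections import defaultdict

# Constructed sample: the charon lines quoted in the post above.
SAMPLE_LOG = """\
Oct 16 08:46:23    charon: 09[CFG] <bypasslan|554> constraint requires public key authentication, but pre-shared key was used
Oct 16 08:46:23    charon: 09[CFG] <bypasslan|554> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Oct 16 08:46:23    charon: 09[CFG] <bypasslan|554> no alternative config found
Oct 16 08:46:23    charon: 09[IKE] <bypasslan|554> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 16 08:46:23    charon: 09[ENC] <bypasslan|554> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# syslog timestamp, charon thread id, subsystem tag, <conn|ike_sa_id>, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+charon: "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] <(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)

# Hypothetical mapping from charon CFG messages to a short defender-facing cause.
CAUSES = [
    ("constraint requires public key authentication, but pre-shared key was used",
     "peer authenticated with a PSK but the selected connection requires public-key auth"),
    ("no alternative config found",
     "no other connection matched the peer's identities and auth method"),
]

def parse_line(line):
    """Return the fields of one charon line, or None if it is not a charon line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def auth_failures(text):
    """Group lines by (conn, IKE_SA id) and report each SA that sent N(AUTH_FAILED)."""
    by_sa = defaultdict(list)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec:
            by_sa[(rec["conn"], int(rec["sa"]))].append(rec["msg"])
    report = []
    for (conn, sa), msgs in by_sa.items():
        if not any("N(AUTH_FAILED)" in m for m in msgs):
            continue
        causes = [why for needle, why in CAUSES if any(needle in m for m in msgs)]
        report.append({"conn": conn, "sa": sa, "causes": causes})
    return report

if __name__ == "__main__":
    for entry in auth_failures(SAMPLE_LOG):
        print(f"{entry['conn']} IKE_SA #{entry['sa']}: " + "; ".join(entry["causes"]))
```

Feed it `/var/log/ipsec.log` (or the output of the Status > System Logs > IPsec page) to see which connection the peer was matched against and why the authentication method was rejected.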

IPsec / Re: IPSec performance using 1 gigabit /second WAN
« on: June 18, 2015, 10:17:01 am »
You should start by loading AESNI module.

In pfSense 2.2.x it's surely confirmed you can get 800Mbit/s with lower boxes with AES-GCM.
In 2.3 it's improved a bit more.

Can you please post your numbers and what ipsec configuration you are using?

Re-testing with AES-128, I can see that computer #1 (the less powerful of the 2 pfsense computers) is showing much higher loads on the interrupt than in the first snapshots taken; it seems like the interrupt is ranging between 70-90% utilization.

IPsec / Re: IPSec performance using 1 gigabit /second WAN
« on: June 18, 2015, 09:44:28 am »
You should start by loading AESNI module.

In pfSense 2.2.x it's surely confirmed you can get 800Mbit/s with lower boxes with AES-GCM.
In 2.3 it's improved a bit more.

Can you please post your numbers and what ipsec configuration you are using?

For AESNI modules, it looks like a 64 bit installation is required?
These are 32 bit installs, so I may have to start over with a 64 bit installation.

Wasn't sure what "your numbers" were, but see attached jpg documents for phase 1 and phase 2 test configs.

IPsec / IPSec performance using 1 gigabit /second WAN
« on: June 16, 2015, 01:54:56 pm »
I am interested in IPSec performance using 1 gigabit/sec WAN connections.
My initial testing is run on the bench using spare computers.
Ultimately I was hoping to use the 4 core SG-4860 devices in our applications, but only if I am certain I can get the full 1 gigabit throughput through the IPSec tunnel.

In my testing there are 4 computers used.
2 of the computers have dedicated pfsense installations with IPSec tunnels connecting them on the WAN side.
The IPSec tunnel is set up for AES 256 phase 1 and 2.

The 2 other computers are used in a file transfer test from LAN side to LAN side across the tunnel.
When the two computers are set up on the same subnet as a benchmark baseline, the file transfer rates are at the full 1 gigabit/second speed.
However, when using the IPSec tunnel to transfer the files, the transfer rate drops to around 80-100 Mbit/sec.
These test devices are all dedicated to this test.

Attached are activity performance screen shots. The two pfsense computers are mostly idle except for the interrupt task, and they show free memory still available. On pfsense computer #1 utilization runs around 50-65% on the interrupt routine, and pfsense computer #2 shows around 30% utilization on the interrupt routine. Since utilization is well below 100%, I am wondering why the throughput isn't better.
Are there any settings or recommendations that might increase the speed?
Can anyone show me results from a pair of SG-4860's that show they can handle the full 1 gigabit speed?

See performance attachments for:
pfsense computer 1
pfsense computer 2
