T20: upgrade to 12.7.2 killed all my VPNs with AES-GCM
Hi,
I have made a test upgrade on a T20 from 12.7.1 to 12.7.2.
All tunnels on this device (like on all my other T20s) are running BOVPN with phase 1 aes-gcm-128, dh20 and phase 2 esp-aes128-gcm, dh19, pfs.
These are the only configured encryptions.
After the upgrade all tunnels failed with:
2021-10-16 18:44:27 iked (Firebox-T20<->Firebox-M370-NG)IKEv2 CREATE_CHILD_SA exchange from Firebox-T20:500 to Firebox-M370-NG:500 failed. Tunnel='NetGroup'. Reason=Received N(TS_UNACCEPTABLE) message. msg_id="021A-0016" Debug
2021-10-16 18:44:27 iked (Firebox-T20<->Firebox-T20-Remote)IKEv2 CREATE_CHILD_SA exchange from Firebox-T20:500 to Firebox-T20-Remote:500 failed. Tunnel='HQAarhus'. Reason=Received N(TS_UNACCEPTABLE) message. msg_id="021A-0016" Debug
2021-10-16 18:44:27 iked (Firebox-T20<->Firebox-M370-NG-AN)IKEv2 CREATE_CHILD_SA exchange from Firebox-T20:500 to Firebox-M370-NG-AN:500 failed. Tunnel='WebshopAarhus'. Reason=Received N(TS_UNACCEPTABLE) message. msg_id="021A-0016" Debug
Rebooting the firebox did not help, nor re-saving the configuration.
What helped was to add sha2-256-aes, dh20 to phase 1 and esp-aes256-sha256 to phase 2 as the first transform and proposal, while leaving aes-gcm as the second choice.
Then all tunnels established without changing anything on the remote devices.
I then removed the sha2-256-aes transform and proposal and reverted to the original configuration with aes-gcm encryption, and now this works again as well.
I did try to reload a configuration file that was 1 hour old (a config which had not been touched by the upgrade process), but this did not help.
Here is what IKEd logged before I made the above changes:
(https://1drv.ms/t/s!AuOwdE3caya8helHMKxdw_a4RQU46w?e=OtpfF3)
I do have a support log file from the device from while it was in the state where IKEd was not working.
/Robert
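As an added example (not from the post or from WatchGuard), here is a small Python parser for iked failure lines in the format quoted above; it groups failures by notify type and tunnel, so a burst of TS_UNACCEPTABLE across every tunnel after an upgrade, as described above, stands out from a single misconfigured peer. The sample input is the post's three log lines plus one constructed filler line; the regex group names and function names are my own.

```python
import re
from collections import defaultdict

# The three iked failure lines quoted in the post, plus one constructed
# unrelated line to show that non-matching lines are skipped.
SAMPLE_LOG = """\
2021-10-16 18:44:27 iked (Firebox-T20<->Firebox-M370-NG)IKEv2 CREATE_CHILD_SA exchange from Firebox-T20:500 to Firebox-M370-NG:500 failed. Tunnel='NetGroup'. Reason=Received N(TS_UNACCEPTABLE) message. msg_id="021A-0016" Debug
2021-10-16 18:44:27 iked (Firebox-T20<->Firebox-T20-Remote)IKEv2 CREATE_CHILD_SA exchange from Firebox-T20:500 to Firebox-T20-Remote:500 failed. Tunnel='HQAarhus'. Reason=Received N(TS_UNACCEPTABLE) message. msg_id="021A-0016" Debug
2021-10-16 18:44:27 iked (Firebox-T20<->Firebox-M370-NG-AN)IKEv2 CREATE_CHILD_SA exchange from Firebox-T20:500 to Firebox-M370-NG-AN:500 failed. Tunnel='WebshopAarhus'. Reason=Received N(TS_UNACCEPTABLE) message. msg_id="021A-0016" Debug
2021-10-16 18:44:28 constructed unrelated line that the parser must ignore
"""

# Pattern for the failure line layout shown above; the group names are my own.
IKED_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) iked "
    r"\((?P<local>[^<]+)<->(?P<peer>[^)]+)\)"
    r"(?P<ike>IKEv[12]) (?P<exchange>\S+) exchange from \S+ to \S+ failed\. "
    r"Tunnel='(?P<tunnel>[^']+)'\. "
    r"Reason=(?P<reason>.+?)\. msg_id=\"(?P<msg_id>[^\"]+)\""
)
# IKEv2 notify payload type embedded in the reason text, e.g. N(TS_UNACCEPTABLE)
NOTIFY = re.compile(r"N\((?P<notify>[A-Z_0-9]+)\)")


def parse_iked_failures(text):
    """Return one dict per iked failure line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IKED_FAIL.match(line)
        if not m:
            continue
        ev = m.groupdict()
        n = NOTIFY.search(ev["reason"])
        ev["notify"] = n.group("notify") if n else None
        events.append(ev)
    return events


def failures_by_notify(events):
    """Map notify type -> {tunnel: peer} so a fleet-wide pattern stands out."""
    summary = defaultdict(dict)
    for ev in events:
        summary[ev["notify"]][ev["tunnel"]] = ev["peer"]
    return dict(summary)


def tunnels_with(events, notify, exchange="CREATE_CHILD_SA"):
    """Sorted tunnel names whose given exchange failed with the given notify."""
    return sorted({ev["tunnel"] for ev in events
                   if ev["notify"] == notify and ev["exchange"] == exchange})
```

Running `tunnels_with(parse_iked_failures(SAMPLE_LOG), "TS_UNACCEPTABLE")` over the three quoted lines returns all three tunnel names, which is the "every tunnel at once" signature that points at the local upgrade rather than at one remote peer.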
Comments
As a side note, I did try to rekey the tunnels from the remote side, but got the same problem.
Should have been a beta, it seems.
Well, I'm glad it did not have the same problem on one of the M370 clusters I upgraded to 12.7.2.
But I will hold off my upgrades to 12.7.2 for now.
I opened a case. They have no clue.
So annoying when the support person only reads half of the provided text.