[SOLVED] Multiple redundant Phase 2 SAs using IKEv2 with pfSense 2.3.3 and 2.4
-
Using IKEv2 IPsec PSK to two different StrongSwan based endpoints (one is 4.5.2, the other is 5.3.0).
I'm seeing multiple redundant Phase 2 tunnel SAs.
The behavior is the same after testing with both pfSense 2.4 BETA and 2.3.3. The Phase 2 SAs just seem to continually build up. Traffic is flowing but I'm worried about eventual performance hits to the endpoints (embedded devices).
Any idea what could be causing this, or is this a known issue?
Seems very similar to this post here: https://forum.pfsense.org/index.php?topic=96412.msg537624
ipsec statusall logs attached.

```
[2.3.3-RELEASE][admin@pfsense.localdomain]/root: ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, FreeBSD 10.3-RELEASE-p16, amd64):
  uptime: 4 hours, since Jul 28 11:07:57 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Listening IP addresses:
  10.203.37.107
  172.16.7.1
Connections:
  bypasslan: %any...%any IKEv1/2
  bypasslan: local: uses public key authentication
  bypasslan: remote: uses public key authentication
  bypasslan: child: 172.16.7.0/24|/0 === 172.16.7.0/24|/0 PASS
  con1: 10.203.37.107...10.203.37.1 IKEv2, dpddelay=10s
  con1: local: [10.203.37.107] uses pre-shared key authentication
  con1: remote: [10.203.37.1] uses pre-shared key authentication
  con1: child: 172.16.7.0/24|/0 === 192.168.10.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
  bypasslan: 172.16.7.0/24|/0 === 172.16.7.0/24|/0 PASS
Routed Connections:
  con1{3}: ROUTED, TUNNEL, reqid 1
  con1{3}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
Security Associations (1 up, 0 connecting):
  con1[2]: ESTABLISHED 99 minutes ago, 10.203.37.107[10.203.37.107]...10.203.37.1[10.203.37.1]
  con1[2]: IKEv2 SPIs: 24d6bec060d787bb_i* 8b65c166528b6e88_r, pre-shared key reauthentication in 62 minutes
  con1[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
  con1{11}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c783d13e_i cb7b9251_o
  con1{11}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 7644 bytes_i (91 pkts, 687s ago), 0 bytes_o, rekeying in 32 minutes
  con1{11}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{12}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf382907_i c64698fd_o
  con1{12}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 687s ago), 105336 bytes_o (693 pkts, 1s ago), rekeying in 34 minutes
  con1{12}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
```

```
[2.4.0-BETA][admin@pfsense2440.strider.home]/root: ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.2, FreeBSD 11.0-RELEASE-p11, amd64):
  uptime: 2 days, since Jul 25 15:18:20 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 28
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Listening IP addresses:
  <obfuscated>
  192.168.100.2
  10.177.0.1
  10.199.0.1
  192.168.0.112
  192.168.0.2
  10.188.0.1
  10.177.1.1
  10.177.1.33
  10.111.34.35
Connections:
  bypasslan: %any...%any IKEv1/2
  bypasslan: local: uses public key authentication
  bypasslan: remote: uses public key authentication
  bypasslan: child: 10.177.0.0/24|/0 === 10.177.0.0/24|/0 PASS
  con2: <obfuscated>...<obfuscated> IKEv2, dpddelay=10s
  con2: local: [<obfuscated>] uses pre-shared key authentication
  con2: remote: [<obfuscated>] uses pre-shared key authentication
  con2: child: 10.199.0.0/24|/0 === 172.16.3.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
  bypasslan: 10.177.0.0/24|/0 === 10.177.0.0/24|/0 PASS
Routed Connections:
  con2{19}: ROUTED, TUNNEL, reqid 2
  con2{19}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
Security Associations (1 up, 0 connecting):
  con2[114]: ESTABLISHED 11 minutes ago, <obfuscated>[<obfuscated>]...<obfuscated>[<obfuscated>]
  con2[114]: IKEv2 SPIs: 535502e52015b595_i* 30c5681bdcdde317_r, pre-shared key reauthentication in 24 minutes
  con2[114]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  con2{2873}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cf18adc3_i c0cf9887_o
  con2{2873}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 3s ago), 0 bytes_o, rekeying in 35 minutes
  con2{2873}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2874}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c880d3c5_i cf2100c0_o
  con2{2874}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 3s ago), 0 bytes_o, rekeying in 32 minutes
  con2{2874}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2875}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c648e84a_i c92b7a80_o
  con2{2875}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 3s ago), 0 bytes_o, rekeying in 35 minutes
  con2{2875}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2876}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c214aa98_i c0b29b98_o
  con2{2876}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 34 minutes
  con2{2876}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2877}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cda1b2bf_i cf46adb2_o
  con2{2877}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 31 minutes
  con2{2877}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2878}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c2bc5b2f_i c8e0f64f_o
  con2{2878}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 36 minutes
  con2{2878}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2879}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1e186f7_i c6c1a49d_o
  con2{2879}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 30 minutes
  con2{2879}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2880}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1974744_i cde88f24_o
  con2{2880}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 34 minutes
  con2{2880}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2881}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cebf17f4_i c18e586a_o
  con2{2881}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 31 minutes
  con2{2881}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2882}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c17dc387_i c6a9afa5_o
  con2{2882}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 120 bytes_i (2 pkts, 0s ago), 0 bytes_o, rekeying in 31 minutes
  con2{2882}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2883}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: ce00e9fc_i cced69f0_o
  con2{2883}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 32 minutes
  con2{2883}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2884}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: ce212abf_i c701b7f6_o
  con2{2884}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 32 minutes
  con2{2884}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2885}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cd1cae82_i c4324b84_o
  con2{2885}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 30 minutes
  con2{2885}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2886}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: ce9521ff_i c89e6c53_o
  con2{2886}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 31 minutes
  con2{2886}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2887}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c53cae5e_i c7bb23f3_o
  con2{2887}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 3s ago), 0 bytes_o, rekeying in 36 minutes
  con2{2887}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
  con2{2888}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cb4d2f79_i c0079e88_o
  con2{2888}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 39180 bytes_i (653 pkts, 0s ago), 78360 bytes_o (653 pkts, 0s ago), rekeying in 34 minutes
  con2{2888}: 10.199.0.0/24|/0 === 172.16.3.0/24|/0
```

[pfsense 2.3.3.txt](/public/_imported_attachments_/1/pfsense 2.3.3.txt) [pfsense 2.4.txt](/public/_imported_attachments_/1/pfsense 2.4.txt)
-
So I left the system running over the weekend.
Now there are more SAs than ever.
Any idea what this could be?
It also looks like sometime over the weekend that ICMP echo request replies stopped.

```
[2.3.3-RELEASE][admin@pfsense.localdomain]/root: ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, FreeBSD 10.3-RELEASE-p16, amd64):
  uptime: 3 days, since Jul 28 11:07:57 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Listening IP addresses:
  10.203.37.107
  172.16.7.1
Connections:
  bypasslan: %any...%any IKEv1/2
  bypasslan: local: uses public key authentication
  bypasslan: remote: uses public key authentication
  bypasslan: child: 172.16.7.0/24|/0 === 172.16.7.0/24|/0 PASS
  con1: 10.203.37.107...10.203.37.1 IKEv2, dpddelay=10s
  con1: local: [10.203.37.107] uses pre-shared key authentication
  con1: remote: [10.203.37.1] uses pre-shared key authentication
  con1: child: 172.16.7.0/24|/0 === 192.168.10.0/24|/0 TUNNEL, dpdaction=restart
  con2: 10.203.37.107...10.203.37.101 IKEv2, dpddelay=10s
  con2: local: [10.203.37.107] uses pre-shared key authentication
  con2: remote: [10.203.37.101] uses pre-shared key authentication
  con2: child: 172.16.7.0/24|/0 === 172.16.1.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
  bypasslan: 172.16.7.0/24|/0 === 172.16.7.0/24|/0 PASS
Routed Connections:
  con2{16}: ROUTED, TUNNEL, reqid 2
  con2{16}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con1{15}: ROUTED, TUNNEL, reqid 1
  con1{15}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
Security Associations (2 up, 0 connecting):
  con2[55]: ESTABLISHED 2 hours ago, 10.203.37.107[10.203.37.107]...10.203.37.101[10.203.37.101]
  con2[55]: IKEv2 SPIs: c900ac18d6e1dcc2_i* 1e19e646faf6bd09_r, pre-shared key reauthentication in 28 minutes
  con2[55]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
  con2{2291}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cb793d7b_i cadcd977_o
  con2{2291}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying active
  con2{2291}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2292}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cc71337d_i c2b5913e_o
  con2{2292}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying active
  con2{2292}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2294}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c161c0e1_i cc1565a9_o
  con2{2294}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 4 minutes
  con2{2294}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2295}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c6f29f78_i c9abaf3d_o
  con2{2295}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 84 bytes_i (1 pkt, 4s ago), 0 bytes_o, rekeying in 5 minutes
  con2{2295}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2296}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c5da44a0_i c678920b_o
  con2{2296}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 6 minutes
  con2{2296}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2297}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c734c761_i c4380451_o
  con2{2297}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying active
  con2{2297}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2298}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: ceeeccc4_i c57a8671_o
  con2{2298}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 76280 bytes_i (599 pkts, 4s ago), 0 bytes_o, rekeying in 3 minutes
  con2{2298}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2299}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cd3d17bb_i c6526ba4_o
  con2{2299}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 3 minutes
  con2{2299}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2300}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0e672a5_i cf589229_o
  con2{2300}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 3 minutes
  con2{2300}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2301}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0901487_i cd7f660b_o
  con2{2301}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 68 seconds
  con2{2301}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2302}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cbdaf820_i c91c0e3f_o
  con2{2302}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 2 minutes
  con2{2302}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2303}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0bba62a_i c7d4a692_o
  con2{2303}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 8 minutes
  con2{2303}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2304}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c752dff4_i ce19ba25_o
  con2{2304}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 4 minutes
  con2{2304}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2305}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c64a62e8_i c9a32ba5_o
  con2{2305}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 2 minutes
  con2{2305}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2306}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cf8c501d_i cab72eb5_o
  con2{2306}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 2 minutes
  con2{2306}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2307}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c9f08675_i ca4b311a_o
  con2{2307}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 5 minutes
  con2{2307}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2308}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c21ea6b8_i ce955b15_o
  con2{2308}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 4 minutes
  con2{2308}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2320}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c199b208_i ce5d0d49_o
  con2{2320}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 7 minutes
  con2{2320}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2323}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cbf8d2e3_i c305e704_o
  con2{2323}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 8 minutes
  con2{2323}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2335}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0ee6cf5_i cb55fdf9_o
  con2{2335}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 46 minutes
  con2{2335}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2336}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cbee9713_i cfd0688b_o
  con2{2336}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 42 minutes
  con2{2336}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con2{2337}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c103458b_i c4421ac6_o
  con2{2337}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 4384 bytes_o (26 pkts, 0s ago), rekeying in 48 minutes
  con2{2337}: 172.16.7.0/24|/0 === 172.16.1.0/24|/0
  con1[56]: ESTABLISHED 2 hours ago, 10.203.37.107[10.203.37.107]...10.203.37.1[10.203.37.1]
  con1[56]: IKEv2 SPIs: 97b06783dad44ef9_i* 811dd8f4ee0e155e_r, pre-shared key reauthentication in 32 minutes
  con1[56]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
  con1{2309}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cbeeb658_i c9a193e7_o
  con1{2309}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 4 minutes
  con1{2309}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2310}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cdac87d3_i c61a1b15_o
  con1{2310}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 4 minutes
  con1{2310}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2311}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cfd4ad88_i cc98c802_o
  con1{2311}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 4 minutes
  con1{2311}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2312}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd5ea438_i c2264f82_o
  con1{2312}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 6 minutes
  con1{2312}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2313}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8fdc068_i c66e59d8_o
  con1{2313}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 6 minutes
  con1{2313}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2314}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb24c0ea_i c553a3d5_o
  con1{2314}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 10 minutes
  con1{2314}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2315}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8022b6e_i ce8986b1_o
  con1{2315}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 4 minutes
  con1{2315}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2316}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd47a74c_i c2e66010_o
  con1{2316}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 8 minutes
  con1{2316}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2317}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c78c6dad_i c6943576_o
  con1{2317}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 6 minutes
  con1{2317}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2318}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8d93ed5_i c1d6a21d_o
  con1{2318}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 5 minutes
  con1{2318}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2319}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c763125e_i cb70c334_o
  con1{2319}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 9 minutes
  con1{2319}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2321}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4ad46a0_i ce7a7f56_o
  con1{2321}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 14 minutes
  con1{2321}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2322}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd29b268_i c3dc8722_o
  con1{2322}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 10 minutes
  con1{2322}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2324}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce3e72c6_i c7a260b7_o
  con1{2324}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 8 minutes
  con1{2324}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2325}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb2fda07_i c581d1ca_o
  con1{2325}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 7 minutes
  con1{2325}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2326}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c3a3e6c2_i c3bcc0b6_o
  con1{2326}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 8 minutes
  con1{2326}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2327}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb31c9f4_i cffef5e5_o
  con1{2327}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 14 minutes
  con1{2327}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2328}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c769a10b_i c744cd8c_o
  con1{2328}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 10 minutes
  con1{2328}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2329}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1cd5ec8_i ca86fca2_o
  con1{2329}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 11 minutes
  con1{2329}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2330}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb8b98ba_i c5458bd8_o
  con1{2330}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 12 minutes
  con1{2330}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2331}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd26e7ef_i c8960b9c_o
  con1{2331}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 12 minutes
  con1{2331}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2332}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c40cea51_i c87a8af7_o
  con1{2332}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 756 bytes_i (9 pkts, 1872s ago), 0 bytes_o, rekeying in 11 minutes
  con1{2332}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2333}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9d24abc_i c4a53093_o
  con1{2333}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 9 minutes
  con1{2333}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
  con1{2334}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c43c9f8a_i ce939250_o
  con1{2334}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 287584 bytes_o (1892 pkts, 1s ago), rekeying in 15 minutes
  con1{2334}: 172.16.7.0/24|/0 === 192.168.10.0/24|/0
```
-
This is solved.
Turns out I didn't check "disable rekey" under the advanced config on the Phase 1 settings in pfSense.
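
The symptom in this thread, many `INSTALLED` CHILD_SAs sharing one `reqid`, can be checked for mechanically. The following is an added example, not part of the original posts or of pfSense/strongSwan: it parses `ipsec statusall` text and reports connections holding more Phase 2 SAs than expected. The function names, the threshold of 2 and the sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict

# One CHILD_SA as printed by `ipsec statusall`: the "INSTALLED" line plus the
# following line with the byte counters. Using \s+ between tokens lets the same
# pattern match normal output and output whose line breaks were lost.
CHILD_SA = re.compile(
    r"(?P<conn>[\w.-]+)\{(?P<uid>\d+)\}:\s+INSTALLED,\s+TUNNEL,\s+reqid\s+(?P<reqid>\d+),"
    r"\s+ESP\s+SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o"
    r"\s+(?P=conn)\{(?P=uid)\}:\s+\S+,\s+(?P<bytes_in>\d+)\s+bytes_i"
    r"(?:\s+\([^)]*\))?,\s+(?P<bytes_out>\d+)\s+bytes_o"
)


def parse_child_sas(text):
    """Return one dict per INSTALLED tunnel-mode CHILD_SA found in the text."""
    return [
        {
            "conn": m["conn"], "uid": int(m["uid"]), "reqid": int(m["reqid"]),
            "spi_in": m["spi_in"], "spi_out": m["spi_out"],
            "bytes_in": int(m["bytes_in"]), "bytes_out": int(m["bytes_out"]),
        }
        for m in CHILD_SA.finditer(text)
    ]


def find_sa_buildup(text, max_expected=2):
    """Report (conn, reqid) pairs holding more CHILD_SAs than max_expected.

    max_expected=2 is an assumed threshold: an old and a new SA can briefly
    coexist during a normal rekey, so only larger counts are reported.
    """
    groups = defaultdict(list)
    for sa in parse_child_sas(text):
        groups[(sa["conn"], sa["reqid"])].append(sa)
    report = {}
    for key, sas in sorted(groups.items()):
        if len(sas) > max_expected:
            # SAs that never carried traffic in either direction.
            idle = [s["uid"] for s in sas if s["bytes_in"] == 0 and s["bytes_out"] == 0]
            report[key] = {"installed": len(sas), "idle_uids": idle}
    return report


# Constructed sample in the statusall layout shown in the thread (SPIs, unique
# IDs and subnets are made up): con1 has three SAs for one policy, con2 has one.
SAMPLE = """\
Security Associations (2 up, 0 connecting):
  con1{101}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
  con1{101}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 4 minutes
  con1{101}: 10.0.1.0/24|/0 === 10.0.2.0/24|/0
  con1{102}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000003_i c0000004_o
  con1{102}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 6 minutes
  con1{102}: 10.0.1.0/24|/0 === 10.0.2.0/24|/0
  con1{103}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000005_i c0000006_o
  con1{103}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 756 bytes_i (9 pkts, 2s ago), 1512 bytes_o (18 pkts, 1s ago), rekeying in 9 minutes
  con1{103}: 10.0.1.0/24|/0 === 10.0.2.0/24|/0
  con2{104}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0000007_i c0000008_o
  con2{104}: AES_CBC_128/HMAC_SHA1_96, 84 bytes_i (1 pkt, 4s ago), 0 bytes_o, rekeying in 30 minutes
  con2{104}: 10.0.1.0/24|/0 === 10.0.3.0/24|/0
"""

if __name__ == "__main__":
    for (conn, reqid), info in find_sa_buildup(SAMPLE).items():
        print(f"{conn} reqid {reqid}: {info['installed']} CHILD_SAs installed, "
              f"idle unique IDs: {info['idle_uids']}")
```

Feeding it the saved output of `ipsec statusall` at intervals shows whether the count per `reqid` keeps growing or returns to a steady value after a configuration change.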