Child SA entries keep piling up
-
Hello,
I've spent several days trying to reestablish an IPsec VPN that worked briefly a few days ago. I use pfSense 2.2, fresh install, IPSec v2, NAT-T, and have forwarded UDP ports 500 and 4500 to the pfSense machine from the upstream firewall facing the Internet.
Phase 1 gets established without a glitch, Phase 2 as well. However, no traffic is passing; only child SA entries keep piling up on the "Status: IPsec" screen. I've turned all the diagnostic switches to Diag on the "Advanced" tab. Log entries that seem a bit peculiar are:
- "received PF_KEY message with unexpected sequence number, was 0 expected 2234"
- "unable to query SAD entry with SPI caab875e: No such file or directory (2)".
Thanks, your help is much appreciated.
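An added triage helper, not part of the original post: it scans IPsec daemon log lines for the two messages quoted above, counts CHILD_SA establishments, and flags the "SAs pile up but their SAD entries cannot be queried" pattern. The log lines below are constructed for the example; their layout assumes strongSwan's charon format (pfSense 2.2 uses strongSwan), and the regular expressions are assumptions about that format, not something taken from the post.

```python
import re
from collections import Counter

# Constructed sample log lines (not real extracts), written in the style of
# strongSwan's charon daemon as shipped with pfSense 2.2. The two message
# texts come from the post; the timestamps, SPIs and CHILD_SA lines are made up.
SAMPLE_LOG = """\
Feb 10 12:00:01 pfsense charon: 05[KNL] received PF_KEY message with unexpected sequence number, was 0 expected 2234
Feb 10 12:00:01 pfsense charon: 05[KNL] unable to query SAD entry with SPI caab875e: No such file or directory (2)
Feb 10 12:00:31 pfsense charon: 07[KNL] received PF_KEY message with unexpected sequence number, was 0 expected 2235
Feb 10 12:00:31 pfsense charon: 07[KNL] unable to query SAD entry with SPI caab875e: No such file or directory (2)
Feb 10 12:01:02 pfsense charon: 09[IKE] CHILD_SA con1{3} established with SPIs c1a2b3c4_i caab875e_o
Feb 10 12:01:05 pfsense charon: 09[KNL] unable to query SAD entry with SPI c1a2b3c4: No such file or directory (2)
Feb 10 12:02:00 pfsense charon: 11[IKE] CHILD_SA con1{4} established with SPIs d4e5f607_i 1a2b3c4d_o
"""

# Assumed message formats (the first two match the post's quoted lines verbatim).
PFKEY_SEQ = re.compile(
    r"received PF_KEY message with unexpected sequence number, was (\d+) expected (\d+)")
SAD_QUERY = re.compile(r"unable to query SAD entry with SPI ([0-9a-f]+): (.+)")
CHILD_EST = re.compile(
    r"CHILD_SA (\S+?)\{(\d+)\} established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")


def triage(log_text: str) -> dict:
    """Summarise IPsec kernel-interface trouble from a block of log text."""
    seq_mismatches = 0
    sad_failures = Counter()   # SPI -> number of failed SAD lookups
    established = []           # (connection, instance, spi_in, spi_out)

    for line in log_text.splitlines():
        if PFKEY_SEQ.search(line):
            seq_mismatches += 1
            continue
        m = SAD_QUERY.search(line)
        if m:
            sad_failures[m.group(1)] += 1
            continue
        m = CHILD_EST.search(line)
        if m:
            established.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))

    # SPIs that were negotiated by IKE but could not be found in the kernel SAD:
    # these are the "phantom" child SAs that show up in the status page but carry no traffic.
    negotiated = {spi for _, _, spi_in, spi_out in established for spi in (spi_in, spi_out)}
    unqueryable = sorted(spi for spi in sad_failures if spi in negotiated)

    return {
        "pfkey_seq_mismatches": seq_mismatches,
        "sad_query_failures": dict(sad_failures),
        "child_sas_established": len(established),
        "negotiated_spis_unqueryable": unqueryable,
        # Symptom from the post: repeated CHILD_SAs plus kernel lookups failing for them.
        "symptom_present": seq_mismatches > 0 and len(established) >= 2 and bool(unqueryable),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the output of the IPsec log page (or `clog /var/log/ipsec.log` on the box) instead of `SAMPLE_LOG`; when `symptom_present` is true the next thing to check is the Phase 2 proposal on both ends, as the reply below suggests.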
-
Hi,
do you use AES256+SHA1 ?
If so, please try it with aes256+sha256 and reset your fw states before reconnecting.
-
Hey Hege,
thanks a lot for the advice. Yes, we use AES256+SHA1 combination. I'll give aes256+sha256 a go and get back with the info how it went. The other side of the tunnel is not under my control, so it might take a while.
-
Hey Hege,
It worked! Both Phase 1 and Phase 2 have been assigned aes256+sha256 and it started to work immediately thereafter. Thank you very much.
Dookey
-
Do you have any hw acceleration active on your systems, or is this just from plain software crypto ipsec?