Netgate Discussion Forum
    Child SA entries keep piling up

    IPsec
    5 Posts 3 Posters 2.2k Views
    • dookey

      Hello,

      I've spent several days trying to reestablish an IPsec VPN that worked briefly a few days ago. I use pfSense 2.2, fresh install, IPsec v2, NAT-T, and have forwarded UDP ports 500 and 4500 to the pfSense machine from the upstream firewall facing the Internet.

      Phase 1 gets established without a glitch, Phase 2 as well. However, no traffic is passing; only child SA entries keep piling up on the "Status: IPsec" screen. I've turned on all the diagnostic switches to Diag on the "Advanced" tab. Log entries that seem a bit peculiar are:

      • "received PF_KEY message with unexpected sequence number, was 0 expected 2234"
      • "unable to query SAD entry with SPI caab875e: No such file or directory (2)"

      Thanks, your help is much appreciated.

      • hege

        Hi,

        Do you use AES256+SHA1?
        If so, please try it with aes256+sha256 and reset your fw states before reconnecting.

        • dookey

          Hey Hege,

          Thanks a lot for the advice. Yes, we use the AES256+SHA1 combination. I'll give aes256+sha256 a go and get back with info on how it went. The other side of the tunnel is not under my control, so it might take a while.

          • dookey

            Hey Hege,

            It worked! Both Phase 1 and Phase 2 have been assigned aes256+sha256 and it started to work immediately thereafter. Thank you very much.

            Dookey
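            An added triage script (not part of the thread, not pfSense or strongSwan code) that correlates the symptom described above: IKE keeps reporting CHILD_SAs established while the kernel keeps failing to find the matching SAD entries, so tunnels pile up and carry no traffic. The log lines below are constructed in the style of pfSense/strongSwan "charon" output; the two [KNL] messages are the ones quoted in the first post, the connection name, SPIs, addresses and traffic selectors are made up.

```python
import re
from collections import Counter

# Constructed sample log lines (charon style). The two [KNL] messages are the
# ones quoted in the thread; the CHILD_SA lines show the "piling up" pattern.
SAMPLE_LOG = """\
charon: 08[IKE] IKE_SA con1[1] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
charon: 08[IKE] CHILD_SA con1{1} established with SPIs caab875e_i 1d2e3f40_o and TS 10.0.0.0/24 === 192.168.1.0/24
charon: 08[KNL] received PF_KEY message with unexpected sequence number, was 0 expected 2234
charon: 08[KNL] unable to query SAD entry with SPI caab875e: No such file or directory (2)
charon: 09[IKE] CHILD_SA con1{2} established with SPIs 5a6b7c8d_i 9e0f1a2b_o and TS 10.0.0.0/24 === 192.168.1.0/24
charon: 09[KNL] unable to query SAD entry with SPI 5a6b7c8d: No such file or directory (2)
charon: 10[IKE] CHILD_SA con1{3} established with SPIs 0badcafe_i feedface_o and TS 10.0.0.0/24 === 192.168.1.0/24
charon: 10[KNL] unable to query SAD entry with SPI 0badcafe: No such file or directory (2)
"""

CHILD_RE = re.compile(r"CHILD_SA (?P<conn>\S+?)\{\d+\} established with SPIs (?P<spi_in>[0-9a-f]+)_i")
PFKEY_RE = re.compile(r"received PF_KEY message with unexpected sequence number, was (\d+) expected (\d+)")
SAD_RE = re.compile(r"unable to query SAD entry with SPI (?P<spi>[0-9a-f]+):")

def triage(log_text, pileup_threshold=3):
    """Correlate IKE-level CHILD_SA success with kernel-level (PF_KEY/SAD) failures.

    Returns per-connection CHILD_SA counts, the inbound SPIs the kernel could not
    find after IKE reported them established ("dead" SPIs), the number of PF_KEY
    sequence mismatches, and a verdict flag for the pile-up-without-traffic pattern.
    """
    child_sas = Counter()
    established = {}          # inbound SPI -> connection name, as reported by IKE
    dead_spis = set()
    pfkey_seq_errors = 0
    for line in log_text.splitlines():
        if m := CHILD_RE.search(line):
            child_sas[m["conn"]] += 1
            established[m["spi_in"]] = m["conn"]
        elif PFKEY_RE.search(line):
            pfkey_seq_errors += 1
        elif (m := SAD_RE.search(line)) and m["spi"] in established:
            dead_spis.add(m["spi"])
    # Verdict: many CHILD_SAs negotiated for one connection, yet the kernel cannot
    # query the SAD entries that should back them, so no ESP traffic can flow.
    suspect = any(n >= pileup_threshold for n in child_sas.values()) and bool(dead_spis)
    return {"child_sas": dict(child_sas), "dead_spis": sorted(dead_spis),
            "pfkey_seq_errors": pfkey_seq_errors, "suspect": suspect}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    if result["suspect"]:
        print("CHILD_SAs negotiated but kernel SAs unusable; compare the Phase 2 "
              "proposal (cipher/integrity) on both peers:", result)
```

On the thread's own case the verdict is the cue to compare the Phase 2 proposal on both ends, which is what the AES256+SHA1 to aes256+sha256 change did.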

            • eri--

              Do you have any hw acceleration active on your systems, or is this just plain software crypto IPsec?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.