Netgate Discussion Forum

    2.2.1 multiple SAs and SPIs

    SuperSpy

      I've noticed this as well, and the only thing that seems to work is manually killing the extra SAs. I've been mucking with settings for a few hours now without much luck finding a self-correcting solution.

      kitdavis

        From the other end of the connection I see the following that results in the numerous SAs/SPIs:

        Mar 23 18:49:11 racoon: INFO: purged ISAKMP-SA spi=ba3f2feec326295d:6b4b6d4ddae781e5.
        Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=43140126.
        Mar 23 18:49:11 racoon: INFO: Unknown IPsec-SA spi=43140126, hmmmm?
        Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=5593773.
        Mar 23 18:49:11 racoon: INFO: Unknown IPsec-SA spi=5593773, hmmmm?
        Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=45729866.
        Mar 23 18:49:11 racoon: INFO: Unknown IPsec-SA spi=45729866, hmmmm?
        Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=162775757.
        Mar 23 18:49:11 racoon: INFO: Unknown IPsec-SA spi=162775757, hmmmm?
        Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=3237879351.
        Mar 23 18:49:11 racoon: INFO: Unknown IPsec-SA spi=3237879351, hmmmm?
        Mar 23 18:49:11 racoon: INFO: purging ISAKMP-SA spi=ba3f2feec326295d:6b4b6d4ddae781e5.
        Mar 23 18:49:11 racoon: [ssss Yyyy]: [69.69.69.69] INFO: DPD: remote (ISAKMP-SA spi=ba3f2feec326295d:6b4b6d4ddae781e5) seems to be dead.
        Mar 23 18:48:54 racoon: [ssss Yyyy]: INFO: IPsec-SA established: ESP 142.142.142.142[500]->69.69.69.69[500] spi=3485970490(0xcfc7b03a)
        Mar 23 18:48:54 racoon: [ssss Yyyy]: INFO: IPsec-SA established: ESP 142.142.142.142[500]->69.69.69.69[500] spi=140179270(0x85af746)
        Mar 23 18:48:54 racoon: ERROR: not matched
        Mar 23 18:48:54 racoon: [ssss Yyyy]: INFO: respond new phase 2 negotiation: 142.142.142.142[500]<=>69.69.69.69[500]

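An added defender-side example (not code from the thread or from pfSense): it replays racoon log lines in the format quoted above, tracks which child SAs are still installed per traffic direction, and flags both the "multiple SAs" symptom and SPIs racoon purged or reported as unknown without ever having established. The sample lines are constructed; note that the excerpt in the post is listed newest first, so pass `newest_first=True` for log pasted in that order.

```python
import re
from collections import defaultdict

# Constructed sample in the racoon log format from the thread (chronological order).
SAMPLE_LOG = """\
Mar 23 18:48:54 racoon: [peer]: INFO: IPsec-SA established: ESP 142.142.142.142[500]->69.69.69.69[500] spi=3485970490(0xcfc7b03a)
Mar 23 18:48:54 racoon: [peer]: INFO: IPsec-SA established: ESP 142.142.142.142[500]->69.69.69.69[500] spi=140179270(0x85af746)
Mar 23 18:48:55 racoon: [peer]: INFO: IPsec-SA established: ESP 142.142.142.142[500]->69.69.69.69[500] spi=45729866(0x2b9c14a)
Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=140179270.
Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=5593773.
Mar 23 18:49:11 racoon: INFO: Unknown IPsec-SA spi=5593773, hmmmm?
"""

ESTABLISHED = re.compile(r"IPsec-SA established: ESP (\S+?)\[\d+\]->(\S+?)\[\d+\] spi=(\d+)")
PURGED = re.compile(r"purged IPsec-SA spi=(\d+)")
UNKNOWN = re.compile(r"Unknown IPsec-SA spi=(\d+)")


def track_sas(log_text, newest_first=False):
    """Replay the log; return (live child SPIs per (src, dst) direction, SPIs racoon did not know)."""
    lines = log_text.splitlines()
    if newest_first:                      # forum excerpt order: newest line at the top
        lines.reverse()
    live = defaultdict(set)               # (src, dst) -> SPIs currently installed
    owner = {}                            # spi -> (src, dst) it was established for
    unknown = set()
    for line in lines:
        m = ESTABLISHED.search(line)
        if m:
            src, dst, spi = m.group(1), m.group(2), int(m.group(3))
            live[(src, dst)].add(spi)
            owner[spi] = (src, dst)
            continue
        m = PURGED.search(line)
        if m:
            spi = int(m.group(1))
            if spi in owner:              # a purge of an SPI never established is noise, not a live SA
                live[owner[spi]].discard(spi)
            continue
        m = UNKNOWN.search(line)
        if m:
            unknown.add(int(m.group(1)))
    return dict(live), unknown


def duplicate_child_sas(live, max_per_direction=1):
    """Directions still holding more SAs than expected after replay.

    A normal rekey briefly overlaps the old and new SA, so judge the state at the
    end of the window, not a single 'established' line."""
    return {d: sorted(s) for d, s in live.items() if len(s) > max_per_direction}
```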
          csrtpres

          So we had this problem and changed to IKEv2, and that has solved the multiple SAs.

            kitdavis

            I suspect that if PFSense is at v 2.2.1 on both ends the problem might not exist, but, at least in my case, I'm working with a bunch of end points that are still on 2.1.5 and racoon does not support IKEv2.

              kitdavis

              I have discovered that if the connection is interrupted for long enough the tunnels will be rebuilt. I have IPSEC connections to 15 end points. From a fresh restart the connections are all established and traffic flows with no problems. However, if the connection is briefly interrupted or the rekey period is reached, additional child SA entries are created and, while the status of the connections is "green lighted", traffic can no longer pass through the connection. Additional SA entries continue to be created (I have seen as many as 16 duplicate child entries). At first, I would restart PFSense and the connections would be restored. Then I discovered that merely stopping and restarting the IPSEC task would restore the connections. But it also appears that if the connection drops for a longer period of time, charon restarts the ipsec tunnels and traffic flows again.

              Charon floods the ipsec log with messages when the connection problem occurs, but in the general log I see the following events in sequence.

              check_reload_status: Syncing firewall    (the problem begins)
              kernel: key_get: no SA found.  (message is repeated 50 - 100 times)    (traffic stops flowing)
              kernel: key_delete: no SA found
              kernel: key_get: no SA found.  (message is repeated 50 - 100 times)
                (sequence repeats itself)

              php-fpm[4818]: /rc.newipsecdns: MONITOR: GW has packet loss, omitting from routing group GWGroup1    (connectivity is lost)
              check_reload_status: Restarting ipsec tunnels    (connection is re-established, tunnels begin passing traffic)

                cmb

                @kitdavis:

                Charon floods the ipsec log with messages when the connection problem occurs, but in the general log I see the following events in sequence.

                The log noise there is just because I left debug logging for IPsec cranked up on your system. That's under System>Advanced, Tunables, net.inet.ipsec.debug. You can delete that if you want to get rid of the excessive noise.

                I suspect your root problem, and anyone else's who's seeing rekeying issues is:
                https://forum.pfsense.org/index.php?topic=91627.0

                  kitdavis

                  Thanks - I figured it was a "left behind setting" and I searched for some time to find it to no avail.  I made the OLDSA entry and expect to be reporting shortly that it has resolved the IPSEC issue.  Thanks again.

                    SuperSpy

                    @cmb:

                    I suspect your root problem, and anyone else's who's seeing rekeying issues is:
                    https://forum.pfsense.org/index.php?topic=91627.0

                    This did indeed resolve all my IPSec tunnel issues.  Thanks for the heads-up. 8)

                      brevilo

                      @cmb:

                      I suspect your root problem, and anyone else's who's seeing rekeying issues is:
                      https://forum.pfsense.org/index.php?topic=91627.0

                      I'm still having connection issues after rekeying (incl. multiple SAs) with 2.2.5 at both ends. I understood that the workaround above shouldn't be required anymore. Is it still?

                      Thanks

                        cmb

                        @brevilo:

                        I'm still having connection issues after rekeying (incl. multiple SAs) with 2.2.5 at both ends. I understood that the workaround above shouldn't be required anymore. Is it still?

                        No it's not. There are no longer any general issues along those lines (though any number of config issues could potentially result in symptoms like that). Start a new thread describing what you're seeing, and what your logs show.
