Packets routed via wrong SA
-
Also getting messages like this in the ipsec log:
[2.2-RELEASE][admin@host]/root: tail /var/log/ipsec.log
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 76734d7b: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c0c56638: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI a0051ff3: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c090e773: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 3161f151: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c9dfdbcd: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI b3d4b923: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c62982f6: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 22961c61: No such file or directory (2)
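A small triage script for the kind of charon output quoted in the post above, added here as an example and not part of the thread: it parses the "unable to query SAD entry" lines, counts errors per SPI and per second so a burst like the one shown stands out, and sorts the erroring SPIs into those that later appear in a CHILD_SA "established" line (a query that raced the SA install) and those that never do (a stale SA reference worth a closer look). The sample log, the con1000 CHILD_SA line and the transient/unresolved split are all constructed assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the charon output quoted in the thread.
# The CHILD_SA line is also constructed, added only to show the correlation step.
SAMPLE_LOG = """\
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 76734d7b: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c0c56638: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 76734d7b: No such file or directory (2)
Mar 13 18:03:46 tlbe-dtv-fw-1 charon: 05[IKE] CHILD_SA con1000{1} established with SPIs c0c56638_i 1a2b3c4d_o
Mar 13 18:03:47 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI a0051ff3: No such file or directory (2)
"""

# syslog timestamp, host, "charon:", thread id, subsystem, SPI, error text, errno
SAD_ERR = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<sub>\w+)\] unable to query SAD entry with SPI "
    r"(?P<spi>[0-9a-f]+): (?P<err>.*?) \((?P<errno>\d+)\)$"
)
# inbound/outbound SPI pair from a CHILD_SA "established" line
CHILD_SA_UP = re.compile(
    r"established with SPIs (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o"
)


def parse_sad_errors(text):
    """Return one dict per 'unable to query SAD entry' line in `text`."""
    events = []
    for line in text.splitlines():
        m = SAD_ERR.match(line)
        if m:
            d = m.groupdict()
            d["errno"] = int(d["errno"])
            events.append(d)
    return events


def summarize(events):
    """Total error count, number of distinct SPIs, and errors per SPI."""
    by_spi = Counter(e["spi"] for e in events)
    return {"total": len(events), "distinct_spis": len(by_spi), "by_spi": by_spi}


def find_bursts(events, threshold):
    """Timestamps (second resolution) with at least `threshold` SAD errors."""
    per_second = Counter(e["ts"] for e in events)
    return sorted(ts for ts, n in per_second.items() if n >= threshold)


def classify_spis(text):
    """Split erroring SPIs into ones that also appear in a CHILD_SA 'established'
    line (assumed transient: the query raced the SA install) and ones that never
    do (assumed unresolved: a stale SA reference that merits investigation)."""
    err_spis = {e["spi"] for e in parse_sad_errors(text)}
    established = set()
    for line in text.splitlines():
        m = CHILD_SA_UP.search(line)
        if m:
            established.update((m["spi_in"], m["spi_out"]))
    return {"transient": err_spis & established, "unresolved": err_spis - established}


if __name__ == "__main__":
    ev = parse_sad_errors(SAMPLE_LOG)
    print(summarize(ev))
    print("bursts:", find_bursts(ev, threshold=3))
    print(classify_spis(SAMPLE_LOG))
```

Run it against a real file with `parse_sad_errors(open("/var/log/ipsec.log").read())`; on the log quoted above, nine distinct SPIs erroring in the same second with no matching "established" lines would all land in the unresolved set, which is the pattern that points at SA state the daemon and kernel no longer agree on rather than a one-off race.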
-
Any luck with this?
-
Give a 2.2.3 snapshot a try.
https://snapshots.pfsense.org/
-
I believe these circumstances were largely resolved in 2.2.2, though the reqid bug in strongswan 5.3.0 could cause other issues there. 2.2.3 is definitely what you'll want to try if you're hitting this circumstance. Please let us know your results in testing ASAP, as we're nearing release.
-
I can't update to the snapshot, it's a production device. Sorry.
-
I am running into this exact same problem. I am running 2.2.5 AMD64 (IKEv1) and my packets are being sent with the wrong SPI.
I have a Site to Site tunnel with 2 subnets.
My packets are leaving pfSense with the wrong SPI; they have the SPI of my other subnet.
I have tried knocking the tunnel down and up, and it doesn't seem to help. I have not restarted IPsec due to other tunnels working fine.
-
I found that whatever P2 subnet comes up first is the one that works, and pfSense uses that SPI for all traffic to the remote subnet.
The other end is a Cisco ASA 5505 v8.2(5)59. I can see traffic leaving with the correct SPI on the ASA side.
-
This is exactly what I'm seeing in 2.3.2. Did you solve it?
-
Probably an issue with the ASA. Try enabling split connections in the Phase 1.
-
That's exactly what it was. ASA does not support sending multiple SAs in the same TS payload.