Hundreds of IPSEC SAs with pfSense & Check Point VPN



  • I have an IKEv2 IPSEC VPN setup between a pfSense box and a Check Point appliance. On the pfSense end (local) I have one Phase2 defined that has their network summary for the remote network (there are multiple subnets within that summary on the remote end). On the Check Point's end, the VPN community (or Phase2 remote network) is basically 10.0.0.0/8 and 192.168.0.0/16. Right now it has 537 IPSEC SAs established. After a while, it will drop back down to 10 and start going up again.

    The connection was dropping a lot, so I enabled "Initiate IKEv2 reauthentication with a make-before-break." I also have "Enable MSS clamping on VPN traffic" checked. On the Check Point end, I have one tunnel per gateway pair enabled.

    Any ideas on what would be causing the huge numbers of IPSEC SAs?
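A small diagnostic for a question like the one above, added here as an example and not part of the original post: it tallies the child (IPsec) SAs that pfSense's strongSwan backend reports, grouped by traffic-selector pair, so you can see whether the count is made up of many distinct narrowed remote subnets or of duplicate SAs for the same selector pair (the kind left behind when rekey or reauthentication overlaps). It assumes the text layout of strongSwan's `swanctl --list-sas` output; the sample output, peer names and addresses below are constructed for the demonstration.

```python
"""Tally strongSwan child SAs by traffic-selector pair.

Added diagnostic, not from the forum post. It parses the text layout of
`swanctl --list-sas` (strongSwan, which pfSense uses); SAMPLE is a
constructed stand-in for that output.
"""
import re
from collections import Counter

# Constructed sample: one IKE SA with four INSTALLED child SAs. Two of them
# share the same selector pair (rekey/reauth leftover); the others are
# narrowed to different remote subnets inside the peer's broad selector.
SAMPLE = """\
con1: #3, ESTABLISHED, IKEv2, 0123456789abcdef_i* fedcba9876543210_r
  local  'pfsense.example' @ 203.0.113.10[500]
  remote 'checkpoint.example' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 120s ago, rekeying in 27000s
  con1: #11, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 120s ago, rekeying in 3000s, expires in 3600s
    in  c0000001,   1200 bytes,    10 packets
    out c0000002,   1400 bytes,    12 packets
    local  172.16.0.0/16
    remote 10.10.1.0/24
  con1: #12, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 110s ago, rekeying in 3010s, expires in 3610s
    in  c0000003,      0 bytes,     0 packets
    out c0000004,      0 bytes,     0 packets
    local  172.16.0.0/16
    remote 10.10.1.0/24
  con1: #13, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 90s ago, rekeying in 3030s, expires in 3630s
    in  c0000005,    300 bytes,     3 packets
    out c0000006,    300 bytes,     3 packets
    local  172.16.0.0/16
    remote 10.10.2.0/24
  con1: #14, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 60s ago, rekeying in 3060s, expires in 3660s
    in  c0000007,    500 bytes,     5 packets
    out c0000008,    500 bytes,     5 packets
    local  172.16.0.0/16
    remote 192.168.5.0/24
"""

# Child SA header: two-space indent, "name: #id, reqid N, STATE, ..."
CHILD_RE = re.compile(r"^\s{2}(\S+): #(\d+), reqid (\d+), (\w+), ")
# Child SA traffic selectors: four-space indent, "local  ..." / "remote ..."
TS_RE = re.compile(r"^\s{4}(local|remote)\s+(.*)$")


def parse_child_sas(text):
    """Return one dict per child SA: connection, id, reqid, state, selectors."""
    children = []
    current = None
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            current = {"conn": m.group(1), "id": int(m.group(2)),
                       "reqid": int(m.group(3)), "state": m.group(4),
                       "local": None, "remote": None}
            children.append(current)
            continue
        m = TS_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return children


def summarize(children):
    """Count INSTALLED child SAs per (local, remote) pair and per remote selector."""
    per_pair = Counter()
    per_remote = Counter()
    for c in children:
        if c["state"] != "INSTALLED":
            continue
        per_pair[(c["local"], c["remote"])] += 1
        per_remote[c["remote"]] += 1
    return per_pair, per_remote


def duplicate_pairs(per_pair):
    """Selector pairs backed by more than one live child SA."""
    return {pair: n for pair, n in per_pair.items() if n > 1}


if __name__ == "__main__":
    # On a real box: swanctl --list-sas > sas.txt, then feed that file instead.
    per_pair, per_remote = summarize(parse_child_sas(SAMPLE))
    print(f"installed child SAs: {sum(per_pair.values())}")
    print(f"distinct remote selectors: {len(per_remote)}")
    for pair, n in duplicate_pairs(per_pair).items():
        print(f"duplicate: local={pair[0]} remote={pair[1]} count={n}")
```

If the per-remote-selector count is close to the total, the peer is negotiating one child SA per subnet inside the broad selector; if a few pairs carry most of the count, old SAs are surviving rekey or reauthentication, which points back at the lifetime and make-before-break settings rather than at the selectors.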
