Netgate Discussion Forum
    IKEv2 multiple SAs, pfSense sends traffic through wrong SA.

    IPsec
    ljorgensen:

      Hi,

      UPDATE: I found the problem and how to fix it. Cisco ASA does not support sending multiple SAs in the same TS payload. This was a known problem to the pfSense people (bug 4704) and a fix was implemented a while back. On the P1 settings "Split Connections" must be enabled. /UPDATE

      I'm establishing an IPsec site to site connection to a partner. We have defined four SAs. I'm on pfSense 2.3.2 and he's on Cisco ASA. When I have just one SA everything works fine, but as soon as I enable one more, pfSense selects the wrong one to put traffic in and communication fails.

      On his side his box tells him this:

      Nov  3 13:09:19 asa %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x48EF3D33, sequence number= 0x127) from 130.xxx.230.200 (user= 130.xxx.230.200) to 130.yyy.247.66.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 130.yyy.24.24, its source as 10.106.0.73, and its protocol as icmp.  The SA specifies its local proxy as 172.18.0.0/255.255.0.0/ip/0 and its remote_proxy as 10.5.0.0/255.255.252.0/ip/0.

      As you can see, pfSense sticks a packet from 10.106.0.73 to 130.yyy.24.24 into an SA specifying communication between 10.5.0.0/22 and 172.18.0.0/16.

      If I enable two SAs and run "ipsec status" in the CLI, I get this:

      Shunted Connections:
         bypasslan:  10.106.0.0/22|/0 === 10.106.0.0/22|/0 PASS
      Routed Connections:
              con2{2}:  ROUTED, TUNNEL, reqid 2
              con2{2}:   10.6.0.0/16|/0 10.106.0.0/22|/0 === 130.yyy.24.0/23|/0
      Security Associations (1 up, 0 connecting):
              con2[2]: ESTABLISHED 7 seconds ago, 130.xxx.230.200[130.xxx.230.200]...130.yyy.247.66[130.yyy.247.66]
              con2{4}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c354b39f_i eabad672_o
              con2{4}:   10.6.0.0/16|/0 === 130.yyy.24.0/23|/0

      I don't claim to understand IPsec but shouldn't I see 10.106.0.0/22 in the last "con2{4}" line?

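The "ipsec status" output above shows the symptom directly: the ROUTED policy for con2 lists two local subnets, but the INSTALLED child SA carries only one, because the ASA narrowed the traffic selectors to a single subnet. The following script is an added example (not from the post or from pfSense/strongSwan) that parses that output and reports selectors that are routed but not covered by any installed SA; the sample text is the poster's own output embedded as a string, with the xxx/yyy redactions kept as-is.

```python
import re

# Sample constructed from the "ipsec status" output quoted in the post above.
STATUS = """\
Shunted Connections:
   bypasslan:  10.106.0.0/22|/0 === 10.106.0.0/22|/0 PASS
Routed Connections:
        con2{2}:  ROUTED, TUNNEL, reqid 2
        con2{2}:   10.6.0.0/16|/0 10.106.0.0/22|/0 === 130.yyy.24.0/23|/0
Security Associations (1 up, 0 connecting):
        con2[2]: ESTABLISHED 7 seconds ago, 130.xxx.230.200[130.xxx.230.200]...130.yyy.247.66[130.yyy.247.66]
        con2{4}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c354b39f_i eabad672_o
        con2{4}:   10.6.0.0/16|/0 === 130.yyy.24.0/23|/0
"""

# "con2{2}:  ROUTED, ..." / "con2{4}:  INSTALLED, ..." announce a child entry's state.
STATE_LINE = re.compile(r"^\s*(\w+)\{(\d+)\}:\s+(ROUTED|INSTALLED)\b")
# "con2{2}:   <local selectors> === <remote selectors>" lists its traffic selectors.
TS_LINE = re.compile(r"^\s*(\w+)\{(\d+)\}:\s+(.+?)\s+===\s+(.+)$")


def _selectors(field):
    # "10.6.0.0/16|/0 10.106.0.0/22|/0" -> {"10.6.0.0/16", "10.106.0.0/22"}
    return {tok.split("|")[0] for tok in field.split()}


def parse_status(text):
    """Map each connection to its ROUTED and INSTALLED (local, remote) selector sets."""
    states, result = {}, {}
    for line in text.splitlines():
        m = STATE_LINE.match(line)
        if m:
            states[(m.group(1), m.group(2))] = m.group(3).lower()
            continue
        m = TS_LINE.match(line)
        if m and (m.group(1), m.group(2)) in states:
            entry = result.setdefault(m.group(1), {"routed": [], "installed": []})
            entry[states[(m.group(1), m.group(2))]].append(
                (_selectors(m.group(3)), _selectors(m.group(4))))
    return result


def missing_selectors(text):
    """Per connection: routed selectors no installed child SA covers (the narrowing symptom)."""
    report = {}
    for conn, entry in parse_status(text).items():
        def union(pairs, side):
            return set().union(*(p[side] for p in pairs)) if pairs else set()
        report[conn] = {"local": union(entry["routed"], 0) - union(entry["installed"], 0),
                        "remote": union(entry["routed"], 1) - union(entry["installed"], 1)}
    return report


if __name__ == "__main__":
    for conn, gaps in missing_selectors(STATUS).items():
        print(conn, "routed but not installed:", gaps)
```

For the sample this reports that 10.106.0.0/22 is routed but absent from every installed SA on con2, which is why traffic from that subnet ends up in the SA the ASA rejects.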
      KDog:

        Where is the "Split Connections" setting? I must be blind as I can't see it on either of the P1 or P2 pfsense settings.

        Derelict (Netgate):

          In the Phase 1 under Advanced Options.

          It only shows if IKEv2 is set because it's an IKEv2-only issue.

          KDog:

            Thank you kindly. I had the Version set to auto (ASA set to IKEv2) so it wasn't appearing. Trying to debug some L2L ipsec issues currently with multiple child SA.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.