IKEv2 multiple SAs, pfSense sends traffic through wrong SA.

  • Hi,

    UPDATE: I found the problem and how to fix it. Cisco ASA does not support sending multiple SAs in the same TS payload. This was a known problem to the pfSense people (bug 4704) and a fix was implemented a while back. On the P1 settings "Split Connections" must be enabled. /UPDATE

    I'm establishing an IPsec site to site connection to a partner. We have defined four SAs. I'm on pfSense 2.3.2 and he's on Cisco ASA. When I have just one SA everything works fine, but as soon as I enable one more, pfSense selects the wrong one to put traffic in and communication fails.

On his side his box tells him this:

    Nov  3 13:09:19 asa %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x48EF3D33, sequence number= 0x127) from 130.xxx.230.200 (user= 130.xxx.230.200) to 130.yyy.247.66.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 130.yyy.24.24, its source as, and its protocol as icmp.  The SA specifies its local proxy as and its remote_proxy as

    As you can see, pfSense sticks a packet from to 130.yyy.24.24 into an SA specifying communication between and

    If I enable two SAs and run "ipsec status" in the CLI, I get this:

    Shunted Connections:
       bypasslan:|/0 ===|/0 PASS
    Routed Connections:
            con2{2}:  ROUTED, TUNNEL, reqid 2
            con2{2}:|/0|/0 === 130.yyy.24.0/23|/0
    Security Associations (1 up, 0 connecting):
            con2[2]: ESTABLISHED 7 seconds ago, 130.xxx.230.200[130.xxx.230.200]...130.yyy.247.66[130.yyy.247.66]
            con2{4}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c354b39f_i eabad672_o
            con2{4}:|/0 === 130.yyy.24.0/23|/0

    I don't claim to understand IPsec but shouldn't I see in the last "con2{4}" line?
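As an added illustration, not part of the original post: once the P1 "Split Connections" option is enabled, each Phase 2 should appear in `ipsec status` as its own CHILD_SA with exactly one local/remote selector pair, instead of one CHILD_SA listing several subnets on each side of the `===`. The script below parses a status dump in that format and flags CHILD_SAs that still bundle several selectors, and expected pairs that have no SA of their own. The two status dumps are constructed samples with documentation-range addresses, not output from the thread; the conn names `con2_1`/`con2_2` are an assumption about how the split connections get named.

```python
"""Check an `ipsec status` dump for CHILD_SAs that bundle several traffic
selectors (one SA carrying traffic for several Phase 2 subnets).

Constructed sample data; addresses are placeholders, not the thread's."""
import re
from typing import Dict, List, Tuple

# One CHILD_SA carrying two subnet pairs: the shape seen before "Split Connections".
COMBINED_STATUS = """\
Security Associations (1 up, 0 connecting):
        con2[2]: ESTABLISHED 7 seconds ago, 198.51.100.10[198.51.100.10]...203.0.113.5[203.0.113.5]
        con2{4}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c354b39f_i eabad672_o
        con2{4}:   10.0.1.0/24 10.0.2.0/24 === 192.0.2.0/25 192.0.2.128/25
"""

# Each subnet pair in its own CHILD_SA (assumed naming con2_1, con2_2).
SPLIT_STATUS = """\
Security Associations (2 up, 0 connecting):
        con2_1[3]: ESTABLISHED 12 seconds ago, 198.51.100.10[198.51.100.10]...203.0.113.5[203.0.113.5]
        con2_1{5}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: 0a1b2c3d_i 4e5f6071_o
        con2_1{5}:   10.0.1.0/24 === 192.0.2.0/25
        con2_2[4]: ESTABLISHED 12 seconds ago, 198.51.100.10[198.51.100.10]...203.0.113.5[203.0.113.5]
        con2_2{6}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: 8899aabb_i ccddeeff_o
        con2_2{6}:   10.0.2.0/24 === 192.0.2.128/25
"""

# Selector lines look like "name{n}:   <local subnets> === <remote subnets>".
TS_LINE = re.compile(
    r"^\s*(?P<name>\S+\{\d+\}):\s+(?P<local>.+?)\s+===\s+(?P<remote>.+?)\s*$"
)


def parse_child_sas(status: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Map each installed CHILD_SA name (e.g. 'con2{4}') to its
    (local selectors, remote selectors). Only the 'Security Associations'
    section is read, so 'Routed Connections' entries are ignored."""
    sas: Dict[str, Tuple[List[str], List[str]]] = {}
    in_sa_section = False
    for line in status.splitlines():
        if line.startswith("Security Associations"):
            in_sa_section = True
            continue
        if not in_sa_section:
            continue
        m = TS_LINE.match(line)
        if m:
            sas[m.group("name")] = (m.group("local").split(), m.group("remote").split())
    return sas


def find_bundled_sas(status: str) -> List[str]:
    """Names of CHILD_SAs that carry more than one selector on either side."""
    return [
        name
        for name, (local, remote) in parse_child_sas(status).items()
        if len(local) > 1 or len(remote) > 1
    ]


def missing_pairs(status: str, expected: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Expected (local, remote) subnet pairs that have no dedicated CHILD_SA."""
    installed = {
        (local[0], remote[0])
        for local, remote in parse_child_sas(status).values()
        if len(local) == 1 and len(remote) == 1
    }
    return [pair for pair in expected if pair not in installed]


if __name__ == "__main__":
    wanted = [("10.0.1.0/24", "192.0.2.0/25"), ("10.0.2.0/24", "192.0.2.128/25")]
    for label, dump in (("combined", COMBINED_STATUS), ("split", SPLIT_STATUS)):
        print(label, "bundled:", find_bundled_sas(dump), "missing:", missing_pairs(dump, wanted))
```

Run it against `ipsec status` output from the pfSense shell; a non-empty `bundled` list means the peer is still being offered several selectors in one CHILD_SA, which is the situation the thread describes the ASA rejecting.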

  • Where is the "Split Connections" setting? I must be blind as I can't see it on either of the P1 or P2 pfSense settings.

  • LAYER 8 Netgate

    In the Phase 1 under Advanced Options.

    It only shows if IKEv2 is set because it's an IKEv2-only issue.

  • Thank you kindly. I had the Version set to auto (ASA set to IKEv2) so it wasn't appearing. Trying to debug some L2L IPsec issues currently with multiple child SAs.