IKEv2 multiple SAs, pfSense sends traffic through wrong SA.
-
Hi,
UPDATE: I found the problem and how to fix it. Cisco ASA does not support sending multiple SAs in the same TS payload. This was a known problem to the pfSense people (bug 4704) and a fix was implemented a while back. On the P1 settings "Split Connections" must be enabled. /UPDATE
I'm establishing an IPsec site-to-site connection to a partner. We have defined four SAs. I'm on pfSense 2.3.2 and he's on Cisco ASA. When I have just one SA everything works fine, but as soon as I enable one more, pfSense selects the wrong one to put traffic in and communication fails.
On his side his box tells him this:
Nov 3 13:09:19 asa %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x48EF3D33, sequence number= 0x127) from 130.xxx.230.200 (user= 130.xxx.230.200) to 130.yyy.247.66. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 130.yyy.24.24, its source as 10.106.0.73, and its protocol as icmp. The SA specifies its local proxy as 172.18.0.0/255.255.0.0/ip/0 and its remote_proxy as 10.5.0.0/255.255.252.0/ip/0.
As you can see, pfSense sticks a packet from 10.106.0.73 to 130.yyy.24.24 into an SA specifying communication between 10.5.0.0/22 and 172.18.0.0/16.
If I enable two SAs and run "ipsec status" in the CLI, I get this:
Shunted Connections:
bypasslan: 10.106.0.0/22|/0 === 10.106.0.0/22|/0 PASS
Routed Connections:
con2{2}: ROUTED, TUNNEL, reqid 2
con2{2}: 10.6.0.0/16|/0 10.106.0.0/22|/0 === 130.yyy.24.0/23|/0
Security Associations (1 up, 0 connecting):
con2[2]: ESTABLISHED 7 seconds ago, 130.xxx.230.200[130.xxx.230.200]...130.yyy.247.66[130.yyy.247.66]
con2{4}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c354b39f_i eabad672_o
con2{4}: 10.6.0.0/16|/0 === 130.yyy.24.0/23|/0
I don't claim to understand IPsec but shouldn't I see 10.106.0.0/22 in the last "con2{4}" line?
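As an added example (not code from this thread, pfSense or strongSwan), a small Python check that parses "ipsec status" output of the shape shown above and reports subnets listed in the routed policy that no installed child SA covers, which is exactly the gap behind the ASA error. The sample status text is constructed from the post with documentation addresses substituted.

```python
import re

# Constructed sample modelled on the "ipsec status" output quoted in the post, with
# addresses swapped for documentation ranges: the routed policy carries two local
# subnets, but the one installed child SA only carries the first of them.
SAMPLE_STATUS = """\
Routed Connections:
  con2{2}:  ROUTED, TUNNEL, reqid 2
  con2{2}:   10.6.0.0/16|/0 10.106.0.0/22|/0 === 192.0.2.0/23|/0
Security Associations (1 up, 0 connecting):
  con2{4}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c354b39f_i eabad672_o
  con2{4}:   10.6.0.0/16|/0 === 192.0.2.0/23|/0
"""

# "con2{2}:  ROUTED, ..." says whether instance {2} is a policy or an installed SA;
# "con2{2}:   local... === remote..." on the following line carries its selectors.
STATE_RE = re.compile(r"^\s*(\w+)\{(\d+)\}:\s+(ROUTED|INSTALLED|REKEYED|REKEYING)\b")
TS_RE = re.compile(r"^\s*(\w+)\{(\d+)\}:\s+(.+?) === (.+)$")

def _selectors(field):
    """'10.6.0.0/16|/0 10.106.0.0/22|/0' -> {'10.6.0.0/16', '10.106.0.0/22'} (drops |proto/port)."""
    return {tok.split("|")[0] for tok in field.split()}

def parse_status(text):
    """Collect routed vs installed (local, remote) selector sets per connection name."""
    kind, result = {}, {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            kind[(m[1], m[2])] = "routed" if m[3] == "ROUTED" else "installed"
            continue
        m = TS_RE.match(line)
        if m and (m[1], m[2]) in kind:
            entry = result.setdefault(m[1], {"routed": (set(), set()), "installed": (set(), set())})
            entry[kind[(m[1], m[2])]][0].update(_selectors(m[3]))
            entry[kind[(m[1], m[2])]][1].update(_selectors(m[4]))
    return result

def missing_selectors(text):
    """Subnets in the routed policy that no installed child SA covers; their traffic has no matching SA."""
    missing = {}
    for conn, e in parse_status(text).items():
        local, remote = e["routed"][0] - e["installed"][0], e["routed"][1] - e["installed"][1]
        if local or remote:
            missing[conn] = {"local": local, "remote": remote}
    return missing

if __name__ == "__main__":
    for conn, gap in missing_selectors(SAMPLE_STATUS).items():
        print(f"{conn}: routed but not installed: local={sorted(gap['local'])} remote={sorted(gap['remote'])}")
```

A non-empty result after the tunnel is up is the cue to look at how the peer handles multiple traffic selectors per child SA.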
-
Where is the "Split Connections" setting? I must be blind as I can't see it on either of the P1 or P2 pfSense settings.
-
In the Phase 1 under Advanced Options.
It only shows if IKEv2 is set because it's an IKEv2-only issue.
-
Thank you kindly. I had the Version set to auto (ASA set to IKEv2) so it wasn't appearing. Trying to debug some L2L IPsec issues currently with multiple child SAs.