Netgate Discussion Forum

    pfSense creating multiple P2 (child SA) entries

    IPsec
    3 Posts 2 Posters 913 Views
    vijay0070

      We have been having an issue with the IKEv2 protocol creating multiple child SA (P2) entries every time the lifetime is renewed.

      We have observed this issue with both pfSense version 2.4.3-RELEASE-p1 (amd64) and v2.3.5.

      This is a site-to-site IPsec VPN setup between pfSense and strongSwan. strongSwan is located on an Amazon EC2 instance running Amazon Linux 2 (strongSwan U5.6.3/K4.14.62-70.117.amzn2.x86_64).

      Attaching the configuration and logs of both ends:
      • 6_1542901656440_Phase1_Part1.png
      • 5_1542901656440_Phase1_Part2.png
      • 4_1542901656440_Phase2_Part 2.png
      • 3_1542901656440_VPN_IPsec.png
      • 2_1542901656440_Phase 2_Part1.png
      • 1_1542901656439_IPSec status.png
      • 0_1542901656437_Strongswan configuration.png
      • 0_1542902059807_Pfsense Ipsec Logs.txt
      • 0_1542902084215_Strongswan Logs.txt.gz

      PS: The public IP mentioned in the logs is not the original one, as I have changed it for security reasons.

        vijay0070

        Hey guys,

        We still continue to have the problem. Can you please help?

        Regards,
        Vijay Rao

          Derelict (Netgate)

          They are rekeyed tunnels. They are harmless.

          They are kept around in case the other side sends traffic for the old SA, which sometimes happens with some IPsec implementations.

          They are visible there for the time between the rekey and the full lifetime expiration.

          Are you experiencing actual traffic flow issues or do you just not like to see them listed?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

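To make the timeline in the reply above concrete, here is an added Python model of the CHILD_SA (pfSense "P2") lifecycle. It is an example written for this thread, not code from pfSense or strongSwan. It assumes the behaviour described in the reply: a replacement CHILD_SA is negotiated at (lifetime minus rekey margin) and the old SA stays installed until its hard lifetime runs out. The numbers use strongSwan's ipsec.conf defaults (lifetime=1h, rekeymargin=9m); rekeyfuzz jitter is deliberately left out, and the SPI values are constructed. The `classify` helper is the check an operator wants: it tells a harmless rekey overlap apart from a pair of SAs that should not both be young.

```python
# Added example for this thread: a model of CHILD_SA (pfSense "P2") rekeying.
# Not pfSense or strongSwan code. Timing follows the behaviour described in
# the reply above: a new CHILD_SA is negotiated at (lifetime - rekey margin)
# and the old one stays installed until its hard lifetime runs out.
# Numbers are constructed; strongSwan's rekeyfuzz jitter is not modelled.
from dataclasses import dataclass
from typing import List

LIFE_TIME = 3600   # hard lifetime, seconds (strongSwan ipsec.conf default lifetime=1h)
MARGIN = 540       # rekey margin, seconds (strongSwan default rekeymargin=9m)


@dataclass(frozen=True)
class ChildSA:
    spi: int            # constructed identifier, stands in for the ESP SPI pair
    installed_at: int   # seconds since the tunnel first came up
    life_time: int      # hard lifetime: the SA is removed when this is reached
    rekey_time: int     # soft lifetime: a replacement is negotiated here

    @property
    def rekey_at(self) -> int:
        return self.installed_at + self.rekey_time

    @property
    def expires_at(self) -> int:
        return self.installed_at + self.life_time


def simulate(horizon: int, life_time: int = LIFE_TIME, margin: int = MARGIN) -> List[ChildSA]:
    """Install a CHILD_SA at t=0 and rekey it every (life_time - margin)
    seconds until `horizon`. Every SA ever installed is returned; old ones
    are not deleted at rekey time, they simply age out at expires_at."""
    sas: List[ChildSA] = []
    t, spi = 0, 1
    while t < horizon:
        sas.append(ChildSA(spi, t, life_time, life_time - margin))
        t += life_time - margin
        spi += 1
    return sas


def visible_at(sas: List[ChildSA], t: int) -> List[ChildSA]:
    """SAs the status page would list at time t (installed, not yet expired)."""
    return [s for s in sas if s.installed_at <= t < s.expires_at]


def classify(group: List[ChildSA]) -> str:
    """Decide whether several CHILD_SAs for the same traffic selectors are
    the harmless rekey overlap described above, or worth a closer look.

    Harmless: every older SA is already past its own rekey point and the
    newest SA was installed at or after that point, i.e. it is the
    replacement. Anything else (two young SAs, an SA that should have been
    replaced but was not) is flagged as unexpected."""
    if len(group) <= 1:
        return "single"
    newest = max(group, key=lambda s: s.installed_at)
    older = [s for s in group if s is not newest]
    if all(s.rekey_at <= newest.installed_at for s in older):
        return "rekey-overlap"
    return "unexpected"


def overlap_fraction(life_time: int = LIFE_TIME, margin: int = MARGIN) -> float:
    """Fraction of wall-clock time during which two P2 entries are listed:
    the old SA lingers for `margin` seconds out of every rekey interval."""
    return margin / (life_time - margin)


if __name__ == "__main__":
    sas = simulate(horizon=2 * LIFE_TIME)
    for t in (100, LIFE_TIME - MARGIN + 60, LIFE_TIME + 60):
        group = visible_at(sas, t)
        print(f"t={t:5d}s  entries={len(group)}  {classify(group)}  "
              f"spis={[s.spi for s in group]}")
    print(f"two entries visible {overlap_fraction():.0%} of the time")
```

With the defaults, a second P2 entry appears 9 minutes before each hard expiry and disappears at the expiry, so two entries are listed roughly 18% of the time and never more than two for a single traffic selector pair. To apply the same check to a live tunnel, compare each entry's install age against the configured P2 lifetime: if the older entry is within the rekey margin of expiring and the newer one was installed around that point, it is the rekeyed tunnel the reply describes.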
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.