Child SA entries keep piling up
I've spent several days trying to reestablish an IPSec VPN that worked briefly a few days ago. I use pfSense 2.2, fresh install, IPSec v2, NAT-T, and have forwarded UDP ports 500 and 4500 to the pfSense machine from the upstream firewall facing the Internet.
Phase 1 gets established without a glitch, Phase 2 as well. However, no traffic is passing; only child SA entries keep piling up on the "Status: IPsec" screen. I've turned on all the diagnostic switches to Diag on the "Advanced" tab. Log entries that seem a bit peculiar are:
- "received PF_KEY message with unexpected sequence number, was 0 expected 2234"
- "unable to query SAD entry with SPI caab875e: No such file or directory (2)".
Thanks, your help is much appreciated.
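As an added example (not code from this thread or from pfSense), here is a small Python triage script that scans IPsec daemon log text for the two messages quoted above and correlates them with CHILD_SA establishment lines, so child SAs that keep being announced but that the kernel cannot actually query stand out. The strongSwan charon line format used for the CHILD_SA lines is an assumption, and all sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample log text: the two messages quoted in the post plus
# CHILD_SA lines in the format strongSwan's charon is assumed to use.
SAMPLE_LOG = """\
charon: 12[KNL] received PF_KEY message with unexpected sequence number, was 0 expected 2234
charon: 12[KNL] unable to query SAD entry with SPI caab875e: No such file or directory (2)
charon: 09[IKE] CHILD_SA con1{1} established with SPIs caab875e_i 1f2e3d4c_o and TS 10.0.1.0/24 === 192.168.5.0/24
charon: 09[IKE] CHILD_SA con1{2} established with SPIs 0a1b2c3d_i 4e5f6a7b_o and TS 10.0.1.0/24 === 192.168.5.0/24
charon: 11[KNL] unable to query SAD entry with SPI 0a1b2c3d: No such file or directory (2)
charon: 09[IKE] CHILD_SA con1{3} established with SPIs 99887766_i 55443322_o and TS 10.0.1.0/24 === 192.168.5.0/24
"""

PFKEY_SEQ = re.compile(r"unexpected sequence number, was (\d+) expected (\d+)")
SAD_QUERY = re.compile(r"unable to query SAD entry with SPI ([0-9a-f]+)")
CHILD_SA = re.compile(r"CHILD_SA (\S+)\{\d+\} established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")

def triage(log_text: str) -> dict:
    """Summarise kernel/SAD symptoms per IPsec connection from daemon log text."""
    seq_mismatches = 0
    unqueryable = set()            # SPIs the daemon could not look up in the SAD
    established = Counter()        # connection name -> number of CHILD_SAs seen
    inbound_spis = {}              # inbound SPI -> connection name
    for line in log_text.splitlines():
        if PFKEY_SEQ.search(line):
            seq_mismatches += 1
        elif (m := SAD_QUERY.search(line)):
            unqueryable.add(m.group(1))
        elif (m := CHILD_SA.search(line)):
            conn, spi_in, _spi_out = m.groups()
            established[conn] += 1
            inbound_spis[spi_in] = conn
    # A CHILD_SA announced as established whose SA the kernel cannot report on
    # is the "child SAs pile up but no traffic passes" signature from the post.
    orphaned = {spi: inbound_spis[spi] for spi in unqueryable if spi in inbound_spis}
    # Heuristic threshold (assumed): three or more CHILD_SAs with orphans is suspicious.
    suspicious = sorted({c for c, n in established.items() if n >= 3 and c in orphaned.values()})
    return {
        "pfkey_sequence_mismatches": seq_mismatches,
        "unqueryable_spis": sorted(unqueryable),
        "child_sas_per_connection": dict(established),
        "orphaned_child_sas": orphaned,
        "suspicious_connections": suspicious,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the IPsec log from the Status > System Logs page; a connection listed under suspicious_connections is one to check for a proposal mismatch such as the AES256+SHA1 case discussed below.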
Do you use AES256+SHA1?
If so, please try it with aes256+sha256 and reset your fw states before reconnecting.
Thanks a lot for the advice. Yes, we use the AES256+SHA1 combination. I'll give aes256+sha256 a go and get back with info on how it went. The other side of the tunnel is not under my control, so it might take a while.
It worked! Both Phase 1 and Phase 2 have been assigned aes256+sha256 and it started to work immediately thereafter. Thank you very much.
Do you have any hw acceleration active on your systems, or is this just plain software crypto IPsec?