Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Packets routed via wrong SA

    Scheduled Pinned Locked Moved IPsec
    11 Posts 7 Posters 3.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      drumscum
      last edited by

      Using pfSense 2.2 I have the following setup:

      A phase 1 tunnel with a remote site.

      Two phase 2 SAs for the following subnets:
      Local 172.16.61.5/32 <> Remote 10.45.69.151/32
      Local 172.16.60.24/32 <> Remote 192.168.180.161/32

      For some reason packets meant to go over one SA are routed via the other SA and vice versa:

      
# ipsec status
     con4000[4]: ESTABLISHED 29 minutes ago, x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
     con4000{2}:  INSTALLED, TUNNEL, ESP SPIs: c45bc3ea_i af344699_o
     con4000{2}:   172.16.61.5/32|/0 === 10.45.69.151/32|/0 
     con4001{2}:  INSTALLED, TUNNEL, ESP SPIs: c1a12a27_i e4d9e8a3_o
     con4001{2}:   172.16.60.24/32|/0 === 192.168.180.161/32|/0


      
# tcpdump -i enc0 host 172.16.61.5
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 65535 bytes
12:29:14.393601 (authentic,confidential): SPI 0xe4d9e8a3: IP 172.16.61.5.5402 > 10.45.69.151.60836: Flags [S.], seq 3422383654, ack 2309105762, win 5840, options [mss 1460], length 0
12:29:15.593016 (authentic,confidential): SPI 0xe4d9e8a3: IP 172.16.61.5.5402 > 10.45.69.151.60841: Flags [S.], seq 3457032375, ack 463644671, win 5840, options [mss 1460], length 0
12:29:18.191782 (authentic,confidential): SPI 0xe4d9e8a3: IP 172.16.61.5.5402 > 10.45.69.151.60845: Flags [S.], seq 3462681080, ack 2062812969, win 5840, options [mss 1460], length 0
12:29:18.391628 (authentic,confidential): SPI 0xe4d9e8a3: IP 172.16.61.5.5402 > 10.45.69.151.60837: Flags [S.], seq 3435472588, ack 2304079740, win 5840, options [mss 1460], length 0
12:29:18.391684 (authentic,confidential): SPI 0xe4d9e8a3: IP 172.16.61.5.5402 > 10.45.69.151.60844: Flags [S.], seq 3472207278, ack 2848317998, win 5840, options [mss 1460], length 0
12:29:19.008005 (authentic,confidential): SPI 0xc45bc3ea: IP 10.45.69.151.60846 > 172.16.61.5.5402: Flags [s], seq 2813245398, win 65535, options [mss 1460], length 0
12:29:19.008286 (authentic,confidential): SPI 0xe4d9e8a3: IP 172.16.61.5.5402 > 10.45.69.151.60846: Flags [S.], seq 3468957011, ack 2813245399, win 5840, options [mss 1460], length 0
12:29:21.190329 (authentic,confidential): SPI 0xe4d9e8a3: IP 172.16.61.5.5402 > 10.45.69.151.60842: Flags [S.], seq 3449808325, ack 781635331, win 5840, options [mss 1460], length 0
12:29:22.789596 (authentic,confidential): SPI 0xe4d9e8a3: IP 172.16.61.5.5402 > 10.45.69.151.60846: Flags [S.], seq 3468957011, ack 2813245399, win 5840, options [mss 1460], length 0
12:29:24.106431 (authentic,confidential): SPI 0xc45bc3ea: IP 10.45.69.151.60847 > 172.16.61.5.5402: Flags [s], seq 1967001799, win 65535, options [mss 1460], length 0
12:29:24.106759 (authentic,confidential): SPI 0xe4d9e8a3: IP 172.16.61.5.5402 > 10.45.69.151.60847: Flags [S.], seq 3478870357, ack 1967001800, win 5840, options [mss 1460], length 0
12:29:24.188918 (authentic,confidential): SPI 0xe4d9e8a3: IP 172.16.61.5.5402 > 10.45.69.151.60845: Flags [S.], seq 3462681080, ack 2062812969, win 5840, options [mss 1460], length 0
12:29:24.788650 (authentic,confidential): SPI 0xe4d9e8a3: IP 172.16.61.5.5402 > 10.45.69.151.60838: Flags [S.], seq 3432396299, ack 2638216950, win 5840, options [mss 1460], length 0
12:29:26.187985 (authentic,confidential): SPI 0xe4d9e8a3: IP 172.16.61.5.5402 > 10.45.69.151.60843: Flags [S.], seq 3456757893, ack 1621331004, win 5840, options [mss 1460], length 0
^C
14 packets captured
115238 packets received by filter
0 packets dropped by kernel

As you can see, the outgoing packets (from 172.16.61.5 to 10.45.69.151) use the SPI e4d9e8a3, which actually is from the SA for 172.16.60.24/32 <> 192.168.180.161\. As such, the packets never arrive at the host they are meant for.

Does anyone knows what might be going on here?
[/s][/s]
      1 Reply Last reply Reply Quote 0
      • D
        drumscum
        last edited by

        Also getting messages like this in the ipsec log:

        
[2.2-RELEASE][admin@host]/root: tail /var/log/ipsec.log
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 76734d7b: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c0c56638: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI a0051ff3: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c090e773: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 3161f151: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c9dfdbcd: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI b3d4b923: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c62982f6: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 22961c61: No such file or directory (2)
        1 Reply Last reply Reply Quote 0
        • J
          joegeorge
          last edited by

          Any luck with this?

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Give a 2.2.3 snapshot a try.
            https://snapshots.pfsense.org/

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • C
              cmb
              last edited by

              I believe these circumstances were largely resolved in 2.2.2, though the reqid bug in strongswan 5.3.0 could cause other issues there. 2.2.3 is definitely what you'll want to try if you're hitting this circumstance. Please let us know your results in testing ASAP, as we're nearing release.

              1 Reply Last reply Reply Quote 0
              • J
                joegeorge
                last edited by

                I can't update to the snapshot, it's a production device. Sorry.

                1 Reply Last reply Reply Quote 0
                • D
                  djamp42
                  last edited by

                  I am running into this exact same problem. I am running 2.2.5 AMD64 (IKEv1) and my packets are being sent with the wrong SPI.

                  I have a Site to Site tunnel with 2 subnets.

                  My packets are leaving pfsense with the wrong SPI, They have the SPI of my other subnet.

                  I have tried knocking the tunnel down and up, and doesn't seem to help. I have not restarted ipsec due to other tunnels working fine.

                  1 Reply Last reply Reply Quote 0
                  • D
                    djamp42
                    last edited by

                    I found that whatever p2 subnet comes up first, is the one that it works, and pfsense uses that SPI for all traffic to the remote subnet.

                    The other end is a Cisco ASA 5505 v8.2(5)59. I can see traffic leaving with the correct SPI on the ASA side.

                    1 Reply Last reply Reply Quote 0
                    • L
                      ljorgensen
                      last edited by

                      This is exactly what I'm seeing in 2.3.2. Did you solve it?

                      1 Reply Last reply Reply Quote 0
                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        Probably an issue with the ASA. Try enabling split connections in the Phase 1.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • L
                          ljorgensen
                          last edited by

                          That's exactly what it was. ASA does not support sending multiple SAs in the same TS payload.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.