2.2.1 multiple SAs and SPIs
-
I've noticed this as well, and the only thing that seems to work is manually killing the extra SAs. I've been mucking with settings for a few hours now without much luck finding a self-correcting solution.
-
From the other end of the connection I see the following that results in the numerous SAs/SPIs:
Mar 23 18:49:11 racoon: INFO: purged ISAKMP-SA spi=ba3f2feec326295d:6b4b6d4ddae781e5.
Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=43140126.
Mar 23 18:49:11 racoon: INFO: Unknown IPsec-SA spi=43140126, hmmmm?
Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=5593773.
Mar 23 18:49:11 racoon: INFO: Unknown IPsec-SA spi=5593773, hmmmm?
Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=45729866.
Mar 23 18:49:11 racoon: INFO: Unknown IPsec-SA spi=45729866, hmmmm?
Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=162775757.
Mar 23 18:49:11 racoon: INFO: Unknown IPsec-SA spi=162775757, hmmmm?
Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=3237879351.
Mar 23 18:49:11 racoon: INFO: Unknown IPsec-SA spi=3237879351, hmmmm?
Mar 23 18:49:11 racoon: INFO: purging ISAKMP-SA spi=ba3f2feec326295d:6b4b6d4ddae781e5.
Mar 23 18:49:11 racoon: [ssss Yyyy]: [69.69.69.69] INFO: DPD: remote (ISAKMP-SA spi=ba3f2feec326295d:6b4b6d4ddae781e5) seems to be dead.
Mar 23 18:48:54 racoon: [ssss Yyyy]: INFO: IPsec-SA established: ESP 142.142.142.142[500]->69.69.69.69[500] spi=3485970490(0xcfc7b03a)
Mar 23 18:48:54 racoon: [ssss Yyyy]: INFO: IPsec-SA established: ESP 142.142.142.142[500]->69.69.69.69[500] spi=140179270(0x85af746)
Mar 23 18:48:54 racoon: ERROR: not matched
Mar 23 18:48:54 racoon: [ssss Yyyy]: INFO: respond new phase 2 negotiation: 142.142.142.142[500]<=>69.69.69.69[500]
-
So we had this problem and changed to IKEv2 and that has solved the multiple SAs.
-
I suspect that if pfSense is at 2.2.1 on both ends the problem might not exist, but, at least in my case, I'm working with a bunch of end points that are still on 2.1.5 and racoon does not support IKEv2.
-
I have discovered that if the connection is interrupted for long enough the tunnels will be rebuilt. I have IPsec connections to 15 end points. From a fresh restart the connections are all established and traffic flows with no problems. However, if the connection is briefly interrupted or the rekey period is reached, additional child SA entries are created and, while the status of the connections is "green lighted", traffic can no longer pass through the connection. Additional SA entries continue to be created (I have seen as many as 16 duplicate child entries).

At first, I would restart pfSense and the connections would be restored. Then I discovered that merely stopping and restarting the IPsec task would restore the connections. But it also appears that if the connection drops for a longer period of time, charon restarts the IPsec tunnels and traffic flows again.
Charon floods the ipsec log with messages when the connection problem occurs, but in the general log I see the following events in sequence.
check_reload_status: Syncing firewall (the problem begins)
kernel: key_get: no SA found. (message is repeated 50 - 100 times) (traffic stops flowing)
kernel: key_delete: no SA found
kernel: key_get: no SA found. (message is repeated 50 - 100 times)
(sequence repeats itself)
php-fpm[4818]: /rc.newipsecdns: MONITOR: GW has packet loss, omitting from routing group GWGroup1 (connectivity is lost)
check_reload_status: Restarting ipsec tunnels (connection is re-established, tunnels begin passing traffic)
-
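As an added example (not code from this thread, from pfSense, or from racoon/strongSwan): a small Python parser run over log lines constructed to mirror the racoon messages quoted in the first post and the kernel messages listed just above. It flags a peer direction that ends up with more than one live ESP SA, lists SPIs that racoon "purged" and then reported "Unknown", records DPD-dead events, and counts the kernel `key_get: no SA found` storm. The addresses, SPIs, timestamps and the default thresholds are assumptions chosen for the sample, not values taken from a real capture.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the racoon output quoted in the thread.
# Not a real capture: addresses and SPIs are placeholders.
RACOON_LOG = """\
Mar 23 18:48:54 racoon: [ssss Yyyy]: INFO: respond new phase 2 negotiation: 142.142.142.142[500]<=>69.69.69.69[500]
Mar 23 18:48:54 racoon: [ssss Yyyy]: INFO: IPsec-SA established: ESP 142.142.142.142[500]->69.69.69.69[500] spi=140179270(0x85af746)
Mar 23 18:48:54 racoon: [ssss Yyyy]: INFO: IPsec-SA established: ESP 142.142.142.142[500]->69.69.69.69[500] spi=3485970490(0xcfc7b03a)
Mar 23 18:48:54 racoon: [ssss Yyyy]: INFO: IPsec-SA established: ESP 69.69.69.69[500]->142.142.142.142[500] spi=45729866(0x2b9cd4a)
Mar 23 18:49:11 racoon: [ssss Yyyy]: [69.69.69.69] INFO: DPD: remote (ISAKMP-SA spi=ba3f2feec326295d:6b4b6d4ddae781e5) seems to be dead.
Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=43140126.
Mar 23 18:49:11 racoon: INFO: Unknown IPsec-SA spi=43140126, hmmmm?
Mar 23 18:49:11 racoon: INFO: purged IPsec-SA spi=45729866.
Mar 23 18:49:11 racoon: INFO: purged ISAKMP-SA spi=ba3f2feec326295d:6b4b6d4ddae781e5.
"""

# Constructed sample of the pfSense general log described in the thread (assumed format).
GENERAL_LOG = "kernel: key_get: no SA found.\n" * 60 + "kernel: key_delete: no SA found\n"

ESTABLISHED = re.compile(
    r"IPsec-SA established: (?P<proto>\w+) (?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\] spi=(?P<spi>\d+)"
)
PURGED = re.compile(r"purged IPsec-SA spi=(?P<spi>\d+)")
UNKNOWN = re.compile(r"Unknown IPsec-SA spi=(?P<spi>\d+)")
DPD_DEAD = re.compile(r"DPD: remote \(ISAKMP-SA spi=(?P<spi>[0-9a-f:]+)\) seems to be dead")


def parse_racoon(text):
    """Walk the racoon log once and collect the events relevant to SA bookkeeping."""
    live = defaultdict(list)  # (src, dst) -> SPIs established and not yet purged
    purged, unknown, dead = [], [], []
    for line in text.splitlines():
        if m := ESTABLISHED.search(line):
            live[(m["src"], m["dst"])].append(m["spi"])
        elif m := PURGED.search(line):
            purged.append(m["spi"])
            for spis in live.values():
                if m["spi"] in spis:
                    spis.remove(m["spi"])
        elif m := UNKNOWN.search(line):
            unknown.append(m["spi"])
        elif m := DPD_DEAD.search(line):
            dead.append(m["spi"])
    return {"live": dict(live), "purged": purged, "unknown": unknown, "dpd_dead": dead}


def duplicate_child_sas(parsed, max_per_direction=1):
    """Peer directions holding more live ESP SAs than expected (threshold is an assumption)."""
    return {k: v for k, v in parsed["live"].items() if len(v) > max_per_direction}


def purged_but_unknown(parsed):
    """SPIs racoon reported purged and then reported Unknown, as in the quoted log."""
    return sorted(set(parsed["purged"]) & set(parsed["unknown"]))


def no_sa_storm(general_log, threshold=50):
    """Count 'key_get: no SA found' kernel lines; the threshold mirrors the 50-100 repeats described."""
    n = sum("key_get: no SA found" in line for line in general_log.splitlines())
    return n, n >= threshold


if __name__ == "__main__":
    parsed = parse_racoon(RACOON_LOG)
    print("duplicate child SAs:", duplicate_child_sas(parsed))
    print("purged but unknown SPIs:", purged_but_unknown(parsed))
    print("DPD dead ISAKMP SAs:", parsed["dpd_dead"])
    print("key_get storm:", no_sa_storm(GENERAL_LOG))
```

A normal rekey legitimately overlaps the old and new child SA for a short time, so in practice the duplicate check should be run over a window that ends after the rekey grace period, or the `max_per_direction` threshold raised to 2; a direction that stays above that, as the posts describe, is what to alert on.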
Charon floods the ipsec log with messages when the connection problem occurs, but in the general log I see the following events in sequence.
The log noise there is just because I left debug logging for IPsec cranked up on your system. That's under System>Advanced, Tunables, net.inet.ipsec.debug. You can delete that if you want to get rid of the excessive noise.
I suspect your root problem, and anyone else's who's seeing rekeying issues is:
https://forum.pfsense.org/index.php?topic=91627.0
-
Thanks - I figured it was a "left behind setting" and I searched for some time to find it to no avail. I made the OLDSA entry and expect to be reporting shortly that it has resolved the IPsec issue. Thanks again.
-
@cmb:
I suspect your root problem, and anyone else's who's seeing rekeying issues is:
https://forum.pfsense.org/index.php?topic=91627.0
This did indeed resolve all my IPsec tunnel issues. Thanks for the heads-up. 8)
-
@cmb:
I suspect your root problem, and anyone else's who's seeing rekeying issues is:
https://forum.pfsense.org/index.php?topic=91627.0
I'm still having connection issues after rekeying (incl. multiple SAs) with 2.2.5 at both ends. I understood that the workaround above shouldn't be required anymore. Is it still?
Thanks
-
I'm still having connection issues after rekeying (incl. multiple SAs) with 2.2.5 at both ends. I understood that the workaround above shouldn't be required anymore. Is it still?
No it's not. There are no longer any general issues along those lines (though any number of config issues could potentially result in symptoms like that). Start a new thread describing what you're seeing, and what your logs show.