Netgate Discussion Forum

    Multiple IPsec Security Parameter Index entries listed under IPsec: SAD

    jonathanbaird

      Hi,

      I am having trouble getting a stable VPN tunnel between a peer firewall and pfSense. The only way I can get this to be stable is by configuring pfSense to be a responder only and to also disable rekey. If I have the 2 enabled it breaks the tunnel. The problem I am now facing is there are multiple SPI entries under the SAD, as per the below. It seems a new SPI is created every time the IPsec SA is renegotiated, but pfSense is not clearing the old ones for some reason. Consequently, the SAD gets larger and larger.

      Source        Destination   Protocol  SPI       Enc. alg.  Auth. alg.  Data
      82.70.8.X     88.98.49.X    ESP       cc4d8754  3des-cbc   hmac-sha1   17026 B
      82.70.8.X     88.98.49.X    ESP       c491f3de  3des-cbc   hmac-sha1   26104 B
      82.70.8.X     88.98.49.X    ESP       c425d812  3des-cbc   hmac-sha1   29130 B
      88.98.49.X    92.18.158.X   ESP       6e2806ea  3des-cbc   hmac-sha1   11880 B
      88.98.49.X    82.70.8.X     ESP       a5459684  3des-cbc   hmac-sha1   21824 B
      88.98.49.X    82.70.8.X     ESP       a5459686  3des-cbc   hmac-sha1   12512 B
      88.98.49.X    82.70.8.X     ESP       a5459685  3des-cbc   hmac-sha1   21472 B
      88.98.49.X    92.18.158.X   ESP       6e2806e9  3des-cbc   hmac-sha1   22000 B
      88.98.49.X    92.18.158.X   ESP       6e2806e8  3des-cbc   hmac-sha1   20856 B
      92.18.158.X   88.98.49.X    ESP       c98581ac  3des-cbc   hmac-sha1   7020 B
      92.18.158.X   88.98.49.X    ESP       c29b1493  3des-cbc   hmac-sha1   13000 B
      92.18.158.X   88.98.49.X    ESP       c8e84128  3des-cbc   hmac-sha1   12324 B


      Can I please check a couple of things?

      • I take it, it's not normal behaviour to have multiple SPIs for each peer?

      • Is there any way of automatically clearing these SPIs without having to uncheck responder only or disable rekey?

      This has been driving me mad for over a week now, and now I have finally got a stable connection, I am facing this issue. Just to confirm, I have tried enabling net.key.preferred_oldsa but this only causes the tunnel to drop.

      I would really appreciate it if anyone could offer any guidance with this, as I am running out of options here.

      Thank you in advance!

      Jonathan.

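An added example, not code from the post or from pfSense: a small Python check that parses a pasted "IPsec: SAD" listing like the one above and flags peer pairs holding more SAs in one direction than a rekey overlap would explain. The sample input is the post's own table reproduced as constructed text; the threshold of two SAs per direction (one live, one briefly overlapping during rekey) is an assumption.

```python
"""Spot SA build-up in a pfSense 'IPsec: SAD' listing (added example)."""
import re
from collections import defaultdict

# Constructed sample: the SAD table from the post, as the UI copies it
# (tab-separated, 'X' masks the last octet, trailing 'delete' button text).
SAMPLE_SAD = """\
82.70.8.X\t88.98.49.X\tESP\tcc4d8754\t3des-cbc\thmac-sha1\t17026 B\t delete
82.70.8.X\t88.98.49.X\tESP\tc491f3de\t3des-cbc\thmac-sha1\t26104 B\t delete
82.70.8.X\t88.98.49.X\tESP\tc425d812\t3des-cbc\thmac-sha1\t29130 B\t delete
88.98.49.X\t92.18.158.X\tESP\t6e2806ea\t3des-cbc\thmac-sha1\t11880 B\t delete
88.98.49.X\t82.70.8.X\tESP\ta5459684\t3des-cbc\thmac-sha1\t21824 B\t delete
88.98.49.X\t82.70.8.X\tESP\ta5459686\t3des-cbc\thmac-sha1\t12512 B\t delete
88.98.49.X\t82.70.8.X\tESP\ta5459685\t3des-cbc\thmac-sha1\t21472 B\t delete
88.98.49.X\t92.18.158.X\tESP\t6e2806e9\t3des-cbc\thmac-sha1\t22000 B\t delete
88.98.49.X\t92.18.158.X\tESP\t6e2806e8\t3des-cbc\thmac-sha1\t20856 B\t delete
92.18.158.X\t88.98.49.X\tESP\tc98581ac\t3des-cbc\thmac-sha1\t7020 B\t delete
92.18.158.X\t88.98.49.X\tESP\tc29b1493\t3des-cbc\thmac-sha1\t13000 B\t delete
92.18.158.X\t88.98.49.X\tESP\tc8e84128\t3des-cbc\thmac-sha1\t12324 B  delete
"""

FIELD_SPLIT = re.compile(r"\t+| {2,}")  # tabs, or runs of spaces if tabs were lost


def parse_sad(text):
    """Return one dict per SA row; skip headers, blanks and rows without an SPI."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in FIELD_SPLIT.split(line) if f.strip()]
        if len(fields) < 7 or not re.fullmatch(r"[0-9a-f]{8}", fields[3]):
            continue  # header line, blank line, or column 4 is not an SPI
        src, dst, proto, spi, enc, auth, data = fields[:7]
        rows.append({"src": src, "dst": dst, "proto": proto, "spi": spi,
                     "enc": enc, "auth": auth, "bytes": int(data.split()[0])})
    return rows


def stale_sa_groups(rows, max_per_direction=2):
    """Group SAs by (src, dst, proto). A healthy tunnel holds one SA per
    direction, two briefly while a rekey overlaps (assumed threshold); more
    than that means old SAs are not being expired, as the post describes."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src"], r["dst"], r["proto"])].append(r["spi"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > max_per_direction}


if __name__ == "__main__":
    for (src, dst, proto), spis in stale_sa_groups(parse_sad(SAMPLE_SAD)).items():
        print(f"{src} -> {dst} {proto}: {len(spis)} SAs {spis}")
```

Run against the post's table, all four direction groups are flagged with three SAs each; raising `max_per_direction` to 3 flags none, which is how you would tune it for a tunnel known to overlap longer during rekey.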