Multiple IPsec Security Parameter Index entries listed under IPsec: SAD
Hi,
I am having trouble getting a stable VPN tunnel between a peer firewall and pfSense. The only way I can get this to be stable is by configuring pfSense to be a responder only and to also disable rekey. If I have the 2 enabled it breaks the tunnel. The problem I am now facing is there are multiple SPI entries under the SAD, as per the below. It seems a new SPI is created every time the IPsec SA is renegotiated, but pfSense is not clearing the old ones for some reason. Consequently, the SAD gets larger and larger.
| Source | Destination | Protocol | SPI | Enc. alg. | Auth. alg. | Data |
|---|---|---|---|---|---|---|
| 82.70.8.X | 88.98.49.X | ESP | cc4d8754 | 3des-cbc | hmac-sha1 | 17026 B |
| 82.70.8.X | 88.98.49.X | ESP | c491f3de | 3des-cbc | hmac-sha1 | 26104 B |
| 82.70.8.X | 88.98.49.X | ESP | c425d812 | 3des-cbc | hmac-sha1 | 29130 B |
| 88.98.49.X | 92.18.158.X | ESP | 6e2806ea | 3des-cbc | hmac-sha1 | 11880 B |
| 88.98.49.X | 82.70.8.X | ESP | a5459684 | 3des-cbc | hmac-sha1 | 21824 B |
| 88.98.49.X | 82.70.8.X | ESP | a5459686 | 3des-cbc | hmac-sha1 | 12512 B |
| 88.98.49.X | 82.70.8.X | ESP | a5459685 | 3des-cbc | hmac-sha1 | 21472 B |
| 88.98.49.X | 92.18.158.X | ESP | 6e2806e9 | 3des-cbc | hmac-sha1 | 22000 B |
| 88.98.49.X | 92.18.158.X | ESP | 6e2806e8 | 3des-cbc | hmac-sha1 | 20856 B |
| 92.18.158.X | 88.98.49.X | ESP | c98581ac | 3des-cbc | hmac-sha1 | 7020 B |
| 92.18.158.X | 88.98.49.X | ESP | c29b1493 | 3des-cbc | hmac-sha1 | 13000 B |
| 92.18.158.X | 88.98.49.X | ESP | c8e84128 | 3des-cbc | hmac-sha1 | 12324 B |
Can I please check a couple of things.

- I take it it's not normal behaviour to have multiple SPIs for each peer?
- Is there any way of automatically clearing these SPIs without having to uncheck responder only or disable rekey?
This has been driving me mad for over a week now, and now I have finally got a stable connection, I am facing this issue. Just to confirm, I have tried enabling net.key.preferred_oldsa but this only causes the tunnel to drop.
I would really appreciate it if anyone could offer any guidance with this as I am running out of options here.
Thank you in advance!
Jonathan.
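A small monitoring check for the symptom described in the post, added here as an example (not the poster's code and not part of pfSense): it parses a SAD listing laid out in the same columns as the table above and flags any source/destination pair that holds more ESP SAs than the steady state allows (one active SA per direction, plus one overlapping SA briefly during a rekey). The sample input is constructed from the post's masked addresses; the listing is assumed to be pasted as plain text rows.

```python
import re
from collections import defaultdict

# Constructed sample in the same columns as the pfSense "IPsec: SAD" view
# quoted in the post (Source, Destination, Protocol, SPI, Enc., Auth., Data).
SAD_SAMPLE = """\
82.70.8.X 88.98.49.X ESP cc4d8754 3des-cbc hmac-sha1 17026 B
82.70.8.X 88.98.49.X ESP c491f3de 3des-cbc hmac-sha1 26104 B
82.70.8.X 88.98.49.X ESP c425d812 3des-cbc hmac-sha1 29130 B
88.98.49.X 82.70.8.X ESP a5459684 3des-cbc hmac-sha1 21824 B
88.98.49.X 82.70.8.X ESP a5459686 3des-cbc hmac-sha1 12512 B
88.98.49.X 92.18.158.X ESP 6e2806ea 3des-cbc hmac-sha1 11880 B
92.18.158.X 88.98.49.X ESP c98581ac 3des-cbc hmac-sha1 7020 B
"""

# One SAD row: src dst proto spi(8 hex) enc auth bytes "B" (trailing text ignored)
LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>ESP|AH)\s+(?P<spi>[0-9a-fA-F]{8})"
    r"\s+(?P<enc>\S+)\s+(?P<auth>\S+)\s+(?P<bytes>\d+)\s*B"
)


def parse_sad(text):
    """Parse SAD rows into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["bytes"] = int(entry["bytes"])
            entries.append(entry)
    return entries


def group_by_peer(entries):
    """Group SAs by (source, destination, protocol), i.e. per direction of a tunnel."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["src"], e["dst"], e["proto"])].append(e)
    return groups


def stale_candidates(entries, max_per_direction=2):
    """Return {(src, dst, proto): sorted SPIs} for directions holding more SAs
    than max_per_direction. Two is the normal ceiling (old + new SA during a
    rekey); anything above that points at old SAs not being removed."""
    report = {}
    for key, sas in group_by_peer(entries).items():
        if len(sas) > max_per_direction:
            report[key] = sorted(sa["spi"] for sa in sas)
    return report
```

Running this periodically against the current listing, and alerting when stale_candidates() is non-empty, gives a simple early warning that the SAD is growing again rather than discovering it after the tunnel becomes unstable.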