[SOLVED] Multiple redundant Phase 2 SAs using IKEv2 with pfSense 2.3.3 and 2.4

Strider3000:
Using IKEv2 IPsec PSK to two different strongSwan-based endpoints (one is 4.5.2, the other is 5.3.0).
I'm seeing multiple redundant Phase 2 tunnel SAs.
The behavior is the same after testing with both pfSense 2.4 BETA and 2.3.3.

The Phase 2 SAs just seem to continually build up. Traffic is flowing, but I'm worried about eventual performance hits to the endpoints (embedded devices).
Any idea what could be causing this, or is this a known issue?
Seems very similar to this post here: https://forum.pfsense.org/index.php?topic=96412.msg537624

ipsec statusall logs attached.


--- Code: ---
[2.3.3-RELEASE][admin@pfsense.localdomain]/root: ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, FreeBSD 10.3-RELEASE-p16, amd64):
  uptime: 4 hours, since Jul 28 11:07:57 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Listening IP addresses:
  10.203.37.107
  172.16.7.1
Connections:
   bypasslan:  %any...%any  IKEv1/2
   bypasslan:   local:  uses public key authentication
   bypasslan:   remote: uses public key authentication
   bypasslan:   child:  172.16.7.0/24|/0 === 172.16.7.0/24|/0 PASS
        con1:  10.203.37.107...10.203.37.1  IKEv2, dpddelay=10s
        con1:   local:  [10.203.37.107] uses pre-shared key authentication
        con1:   remote: [10.203.37.1] uses pre-shared key authentication
        con1:   child:  172.16.7.0/24|/0 === 192.168.10.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
   bypasslan:  172.16.7.0/24|/0 === 172.16.7.0/24|/0 PASS
Routed Connections:
        con1{3}:  ROUTED, TUNNEL, reqid 1
        con1{3}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
Security Associations (1 up, 0 connecting):
        con1[2]: ESTABLISHED 99 minutes ago, 10.203.37.107[10.203.37.107]...10.203.37.1[10.203.37.1]
        con1[2]: IKEv2 SPIs: 24d6bec060d787bb_i* 8b65c166528b6e88_r, pre-shared key reauthentication in 62 minutes
        con1[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
        con1{11}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c783d13e_i cb7b9251_o
        con1{11}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 7644 bytes_i (91 pkts, 687s ago), 0 bytes_o, rekeying in 32 minutes
        con1{11}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{12}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf382907_i c64698fd_o
        con1{12}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 687s ago), 105336 bytes_o (693 pkts, 1s ago), rekeying in 34 minutes
        con1{12}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
--- End code ---


--- Code: ---
[2.4.0-BETA][admin@pfsense2440.strider.home]/root: ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.2, FreeBSD 11.0-RELEASE-p11, amd64):
  uptime: 2 days, since Jul 25 15:18:20 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 28
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Listening IP addresses:
  <obfuscated>
  192.168.100.2
  10.177.0.1
  10.199.0.1
  192.168.0.112
  192.168.0.2
  10.188.0.1
  10.177.1.1
  10.177.1.33
  10.111.34.35
Connections:
   bypasslan:  %any...%any  IKEv1/2
   bypasslan:   local:  uses public key authentication
   bypasslan:   remote: uses public key authentication
   bypasslan:   child:  10.177.0.0/24|/0 === 10.177.0.0/24|/0 PASS
        con2:  <obfuscated>...<obfuscated>  IKEv2, dpddelay=10s
        con2:   local:  [<obfuscated>] uses pre-shared key authentication
        con2:   remote: [<obfuscated>] uses pre-shared key authentication
        con2:   child:  10.199.0.0/24|/0 === 172.16.3.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
   bypasslan:  10.177.0.0/24|/0 === 10.177.0.0/24|/0 PASS
Routed Connections:
        con2{19}:  ROUTED, TUNNEL, reqid 2
        con2{19}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
Security Associations (1 up, 0 connecting):
        con2[114]: ESTABLISHED 11 minutes ago, <obfuscated>[<obfuscated>]...<obfuscated>[<obfuscated>]
        con2[114]: IKEv2 SPIs: 535502e52015b595_i* 30c5681bdcdde317_r, pre-shared key reauthentication in 24 minutes
        con2[114]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
        con2{2873}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cf18adc3_i c0cf9887_o
        con2{2873}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 3s ago), 0 bytes_o, rekeying in 35 minutes
        con2{2873}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2874}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c880d3c5_i cf2100c0_o
        con2{2874}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 3s ago), 0 bytes_o, rekeying in 32 minutes
        con2{2874}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2875}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c648e84a_i c92b7a80_o
        con2{2875}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 3s ago), 0 bytes_o, rekeying in 35 minutes
        con2{2875}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2876}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c214aa98_i c0b29b98_o
        con2{2876}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 34 minutes
        con2{2876}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2877}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cda1b2bf_i cf46adb2_o
        con2{2877}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 31 minutes
        con2{2877}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2878}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c2bc5b2f_i c8e0f64f_o
        con2{2878}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 36 minutes
        con2{2878}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2879}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1e186f7_i c6c1a49d_o
        con2{2879}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 30 minutes
        con2{2879}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2880}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1974744_i cde88f24_o
        con2{2880}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 34 minutes
        con2{2880}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2881}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cebf17f4_i c18e586a_o
        con2{2881}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 31 minutes
        con2{2881}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2882}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c17dc387_i c6a9afa5_o
        con2{2882}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 120 bytes_i (2 pkts, 0s ago), 0 bytes_o, rekeying in 31 minutes
        con2{2882}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2883}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: ce00e9fc_i cced69f0_o
        con2{2883}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 32 minutes
        con2{2883}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2884}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: ce212abf_i c701b7f6_o
        con2{2884}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 32 minutes
        con2{2884}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2885}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cd1cae82_i c4324b84_o
        con2{2885}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 30 minutes
        con2{2885}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2886}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: ce9521ff_i c89e6c53_o
        con2{2886}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 60 bytes_i (1 pkt, 0s ago), 0 bytes_o, rekeying in 31 minutes
        con2{2886}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2887}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c53cae5e_i c7bb23f3_o
        con2{2887}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 3s ago), 0 bytes_o, rekeying in 36 minutes
        con2{2887}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
        con2{2888}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cb4d2f79_i c0079e88_o
        con2{2888}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 39180 bytes_i (653 pkts, 0s ago), 78360 bytes_o (653 pkts, 0s ago), rekeying in 34 minutes
        con2{2888}:   10.199.0.0/24|/0 === 172.16.3.0/24|/0
--- End code ---

Strider3000:
So I left the system running over the weekend.
Now there are more SAs than ever.
Any idea what this could be?
It also looks like ICMP echo request replies stopped sometime over the weekend.


--- Code: ---
[2.3.3-RELEASE][admin@pfsense.localdomain]/root: ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, FreeBSD 10.3-RELEASE-p16, amd64):
  uptime: 3 days, since Jul 28 11:07:57 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Listening IP addresses:
  10.203.37.107
  172.16.7.1
Connections:
   bypasslan:  %any...%any  IKEv1/2
   bypasslan:   local:  uses public key authentication
   bypasslan:   remote: uses public key authentication
   bypasslan:   child:  172.16.7.0/24|/0 === 172.16.7.0/24|/0 PASS
        con1:  10.203.37.107...10.203.37.1  IKEv2, dpddelay=10s
        con1:   local:  [10.203.37.107] uses pre-shared key authentication
        con1:   remote: [10.203.37.1] uses pre-shared key authentication
        con1:   child:  172.16.7.0/24|/0 === 192.168.10.0/24|/0 TUNNEL, dpdaction=restart
        con2:  10.203.37.107...10.203.37.101  IKEv2, dpddelay=10s
        con2:   local:  [10.203.37.107] uses pre-shared key authentication
        con2:   remote: [10.203.37.101] uses pre-shared key authentication
        con2:   child:  172.16.7.0/24|/0 === 172.16.1.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
   bypasslan:  172.16.7.0/24|/0 === 172.16.7.0/24|/0 PASS
Routed Connections:
        con2{16}:  ROUTED, TUNNEL, reqid 2
        con2{16}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con1{15}:  ROUTED, TUNNEL, reqid 1
        con1{15}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
Security Associations (2 up, 0 connecting):
        con2[55]: ESTABLISHED 2 hours ago, 10.203.37.107[10.203.37.107]...10.203.37.101[10.203.37.101]
        con2[55]: IKEv2 SPIs: c900ac18d6e1dcc2_i* 1e19e646faf6bd09_r, pre-shared key reauthentication in 28 minutes
        con2[55]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
        con2{2291}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cb793d7b_i cadcd977_o
        con2{2291}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying active
        con2{2291}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2292}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cc71337d_i c2b5913e_o
        con2{2292}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying active
        con2{2292}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2294}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c161c0e1_i cc1565a9_o
        con2{2294}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 4 minutes
        con2{2294}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2295}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c6f29f78_i c9abaf3d_o
        con2{2295}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 84 bytes_i (1 pkt, 4s ago), 0 bytes_o, rekeying in 5 minutes
        con2{2295}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2296}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c5da44a0_i c678920b_o
        con2{2296}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 6 minutes
        con2{2296}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2297}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c734c761_i c4380451_o
        con2{2297}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying active
        con2{2297}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2298}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: ceeeccc4_i c57a8671_o
        con2{2298}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 76280 bytes_i (599 pkts, 4s ago), 0 bytes_o, rekeying in 3 minutes
        con2{2298}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2299}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cd3d17bb_i c6526ba4_o
        con2{2299}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 3 minutes
        con2{2299}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2300}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0e672a5_i cf589229_o
        con2{2300}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 3 minutes
        con2{2300}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2301}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0901487_i cd7f660b_o
        con2{2301}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 68 seconds
        con2{2301}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2302}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cbdaf820_i c91c0e3f_o
        con2{2302}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 2 minutes
        con2{2302}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2303}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0bba62a_i c7d4a692_o
        con2{2303}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 8 minutes
        con2{2303}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2304}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c752dff4_i ce19ba25_o
        con2{2304}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 4 minutes
        con2{2304}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2305}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c64a62e8_i c9a32ba5_o
        con2{2305}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 2 minutes
        con2{2305}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2306}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cf8c501d_i cab72eb5_o
        con2{2306}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 2 minutes
        con2{2306}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2307}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c9f08675_i ca4b311a_o
        con2{2307}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 5 minutes
        con2{2307}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2308}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c21ea6b8_i ce955b15_o
        con2{2308}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 4 minutes
        con2{2308}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2320}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c199b208_i ce5d0d49_o
        con2{2320}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 7 minutes
        con2{2320}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2323}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cbf8d2e3_i c305e704_o
        con2{2323}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 8 minutes
        con2{2323}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2335}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0ee6cf5_i cb55fdf9_o
        con2{2335}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 46 minutes
        con2{2335}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2336}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cbee9713_i cfd0688b_o
        con2{2336}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 0 bytes_o, rekeying in 42 minutes
        con2{2336}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con2{2337}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c103458b_i c4421ac6_o
        con2{2337}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 4s ago), 4384 bytes_o (26 pkts, 0s ago), rekeying in 48 minutes
        con2{2337}:   172.16.7.0/24|/0 === 172.16.1.0/24|/0
        con1[56]: ESTABLISHED 2 hours ago, 10.203.37.107[10.203.37.107]...10.203.37.1[10.203.37.1]
        con1[56]: IKEv2 SPIs: 97b06783dad44ef9_i* 811dd8f4ee0e155e_r, pre-shared key reauthentication in 32 minutes
        con1[56]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
        con1{2309}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cbeeb658_i c9a193e7_o
        con1{2309}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 4 minutes
        con1{2309}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2310}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cdac87d3_i c61a1b15_o
        con1{2310}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 4 minutes
        con1{2310}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2311}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cfd4ad88_i cc98c802_o
        con1{2311}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 4 minutes
        con1{2311}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2312}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd5ea438_i c2264f82_o
        con1{2312}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 6 minutes
        con1{2312}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2313}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8fdc068_i c66e59d8_o
        con1{2313}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 6 minutes
        con1{2313}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2314}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb24c0ea_i c553a3d5_o
        con1{2314}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 10 minutes
        con1{2314}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2315}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8022b6e_i ce8986b1_o
        con1{2315}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 4 minutes
        con1{2315}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2316}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd47a74c_i c2e66010_o
        con1{2316}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 8 minutes
        con1{2316}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2317}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c78c6dad_i c6943576_o
        con1{2317}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 6 minutes
        con1{2317}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2318}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8d93ed5_i c1d6a21d_o
        con1{2318}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 5 minutes
        con1{2318}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2319}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c763125e_i cb70c334_o
        con1{2319}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 9 minutes
        con1{2319}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2321}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4ad46a0_i ce7a7f56_o
        con1{2321}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 14 minutes
        con1{2321}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2322}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd29b268_i c3dc8722_o
        con1{2322}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 10 minutes
        con1{2322}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2324}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce3e72c6_i c7a260b7_o
        con1{2324}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 8 minutes
        con1{2324}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2325}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb2fda07_i c581d1ca_o
        con1{2325}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 7 minutes
        con1{2325}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2326}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c3a3e6c2_i c3bcc0b6_o
        con1{2326}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 8 minutes
        con1{2326}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2327}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb31c9f4_i cffef5e5_o
        con1{2327}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 14 minutes
        con1{2327}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2328}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c769a10b_i c744cd8c_o
        con1{2328}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 10 minutes
        con1{2328}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2329}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1cd5ec8_i ca86fca2_o
        con1{2329}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 11 minutes
        con1{2329}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2330}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb8b98ba_i c5458bd8_o
        con1{2330}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 12 minutes
        con1{2330}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2331}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd26e7ef_i c8960b9c_o
        con1{2331}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 12 minutes
        con1{2331}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2332}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c40cea51_i c87a8af7_o
        con1{2332}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 756 bytes_i (9 pkts, 1872s ago), 0 bytes_o, rekeying in 11 minutes
        con1{2332}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2333}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9d24abc_i c4a53093_o
        con1{2333}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 0 bytes_o, rekeying in 9 minutes
        con1{2333}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{2334}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c43c9f8a_i ce939250_o
        con1{2334}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 1872s ago), 287584 bytes_o (1892 pkts, 1s ago), rekeying in 15 minutes
        con1{2334}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
--- End code ---

Strider3000:
This is solved.
Turns out I didn't check "disable rekey" under the advanced config on the Phase 1 settings in pfSense.
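
A check for the condition shown in the listings above, as an added example (not code from the thread, pfSense or strongSwan): it parses `ipsec statusall` text and reports connections holding more than one INSTALLED CHILD_SA for the same reqid and traffic selector. The function names and the `con9` sample lines are constructed for illustration; the `con1` lines are copied from the first listing.

```python
import re
from collections import defaultdict

# Sample input: con1 lines copied from the thread's first listing,
# con9 lines constructed here as a healthy single-SA contrast.
SAMPLE = """\
Security Associations (2 up, 0 connecting):
        con1[2]: ESTABLISHED 99 minutes ago, 10.203.37.107[10.203.37.107]...10.203.37.1[10.203.37.1]
        con1{11}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c783d13e_i cb7b9251_o
        con1{11}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 7644 bytes_i (91 pkts, 687s ago), 0 bytes_o, rekeying in 32 minutes
        con1{11}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con1{12}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf382907_i c64698fd_o
        con1{12}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i (0 pkts, 687s ago), 105336 bytes_o (693 pkts, 1s ago), rekeying in 34 minutes
        con1{12}:   172.16.7.0/24|/0 === 192.168.10.0/24|/0
        con9[1]: ESTABLISHED 5 minutes ago, 192.0.2.1[192.0.2.1]...192.0.2.2[192.0.2.2]
        con9{1}:  INSTALLED, TUNNEL, reqid 9, ESP SPIs: c0000001_i c0000002_o
        con9{1}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 100 bytes_i (1 pkt, 2s ago), 200 bytes_o (2 pkts, 1s ago), rekeying in 40 minutes
        con9{1}:   10.0.0.0/24|/0 === 10.0.1.0/24|/0
"""

# CHILD_SA lines look like "con1{11}: ..."; IKE_SA lines use "con1[2]:" and
# config lines use "con1:", so requiring braces skips both.
ENTRY = re.compile(r"^\s*([\w.-]+)\{(\d+)\}:\s+(.*)$")


def parse_child_sas(text):
    """Collect one record per conn{uid} entry found in the output."""
    sas = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        conn, uid, rest = m.group(1), int(m.group(2)), m.group(3).strip()
        sa = sas.setdefault((conn, uid), {"installed": False, "reqid": None,
                                          "selector": None, "in": 0, "out": 0})
        if rest.startswith("INSTALLED"):
            sa["installed"] = True
            r = re.search(r"reqid (\d+)", rest)
            sa["reqid"] = int(r.group(1)) if r else None
        elif " === " in rest:
            sa["selector"] = rest
        else:  # proposal / byte-counter line
            for key, pat in (("in", r"(\d+) bytes_i"), ("out", r"(\d+) bytes_o")):
                b = re.search(pat, rest)
                if b:
                    sa[key] = int(b.group(1))
    return sas


def redundant_child_sas(text, max_expected=1):
    """Report (conn, reqid, selector) groups with more INSTALLED SAs than expected.

    Old and new SAs overlap briefly during a rekey, so raise max_expected
    if the check runs often enough to catch that window.
    """
    groups = defaultdict(list)
    for (conn, uid), sa in parse_child_sas(text).items():
        if sa["installed"]:  # ROUTED trap entries are not counted
            groups[(conn, sa["reqid"], sa["selector"])].append((uid, sa))
    findings = []
    for (conn, reqid, selector), members in sorted(groups.items()):
        if len(members) > max_expected:
            findings.append({
                "conn": conn, "reqid": reqid, "selector": selector,
                "uids": sorted(uid for uid, _ in members),
                # SAs that have carried no traffic in either direction
                "idle": sorted(u for u, s in members if s["in"] == 0 and s["out"] == 0),
            })
    return findings


if __name__ == "__main__":
    for f in redundant_child_sas(SAMPLE):
        print(f"{f['conn']} reqid {f['reqid']}: {len(f['uids'])} SAs "
              f"{f['uids']} for {f['selector']} (idle: {f['idle']})")
```

On a live system the text would come from the `ipsec statusall` command shown in the posts rather than from `SAMPLE`.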
