
Although I've been using pfSense now for some time and like it very much, I haven't been able to shake duplicate SAs. I've checked all the obvious stuff - making sure configurations match on both ends - and yet they persist. I've tried preferring older SAs, not preferring older SAs, turning on debug mode, etc. - all in vain. Instead of toying around with the settings further, I would rather like to know what causes duplicate SAs so that I might have better insight into how to fix them.

Also, I would like to know if anyone has a fool-proof way to reset a particular IPsec SA (and the corresponding SPDs) in pfSense. Just disabling/enabling the tunnel doesn't always work for me. I am using the latest version of pfSense on both ends (2.0.3).

Edit: Even though I'm asking this in the context of pfSense, I've observed this issue with Cisco ASA as well - even when one of the endpoints is a dynamic responder.

tacos_tacos_tacos

1 Answer


I've upgraded to pfSense 2.1 RC0 and haven't looked back. Whatever was causing the issue (which has existed in both v1 and as late as v2.0.3) is no longer a problem. Though this doesn't really answer my question.

tacos_tacos_tacos