Bug #16514
Status: Closed
Title: IPsec key lifetime in P2 is limited to the lowest configured in all P2
Description
Debugging an issue with a duplicate SA, we found that one had a configured key lifetime of 3600 while the other had configured 43200.
Despite that, both were setting their key lifetime to 3600, which resulted in a conflicting configuration with the remote device (FortiOS 7.4.9).
It is unclear as of now whether it sets it to the lifetime of the newest P2 or to the lower common value, as testing hypotheses in production was deemed unwise.
Updated by Jim Pingle 1 day ago
- Status changed from New to Not a Bug
Depending on the P1 configuration, the P2 entries get combined into a single child SA with multiple traffic selectors, so they all use the P2 settings from the first (highest in the list) P2. This is normal/expected.
If you must use different options for each P2, you can set "Split Connections" which will configure them individually.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure-p1.html#advanced-options
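To see why the second P2's 43200 s never takes effect, here is an illustrative strongSwan swanctl.conf fragment (added example, not pfSense's generated configuration; connection and child names, subnets and the peer address are made up, and the mapping of the page's "key lifetime" onto `rekey_time` is an assumption). The `combined` connection is the default shape, where both P2 entries become one child SA with two traffic selectors; the `split` connection is what "Split Connections" produces. Only one of the two would be deployed for a given peer.

```conf
# Added example: illustrative swanctl.conf, not pfSense's own output.
connections {

    # Default: both P2 entries folded into ONE child SA carrying two traffic
    # selectors. A child SA has a single rekey_time, so only the first P2's
    # value (3600) exists; the 43200 intended for the second P2 is never
    # expressed anywhere, which is the mismatch the peer (FortiOS) rejects.
    combined {
        remote_addrs = 203.0.113.10      # constructed peer address
        children {
            combined {
                local_ts   = 10.0.1.0/24, 10.0.2.0/24
                remote_ts  = 192.168.1.0/24, 192.168.2.0/24
                rekey_time = 3600s       # taken from the first (topmost) P2
            }
        }
    }

    # "Split Connections" enabled: each P2 becomes its own child SA and keeps
    # its own rekey_time, so the peer's 3600 / 43200 configuration can be
    # matched exactly.
    split {
        remote_addrs = 203.0.113.10
        children {
            split_1 {
                local_ts   = 10.0.1.0/24
                remote_ts  = 192.168.1.0/24
                rekey_time = 3600s
            }
            split_2 {
                local_ts   = 10.0.2.0/24
                remote_ts  = 192.168.2.0/24
                rekey_time = 43200s
            }
        }
    }
}
```

To confirm which shape a firewall actually loaded, `swanctl --list-conns` prints each child with its traffic selectors and rekey time, so one child listing two selector pairs is the combined case and two children with different times is the split case.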