



Bug #4188


IPSec SA requestid has limited range in FreeBSD

Added by Ermal Luçi about 10 years ago. Updated about 10 years ago.

Very High
Ermal Luçi


FreeBSD allows a reqid range of up to ~16000 on manually specified SAs.
There are problems with strongSwan's IPsec SA tracking, since pfSense specifies the reqids manually to be able to track the various tunnels in the status page.
This becomes a problem because, for requests with multiple phase 2 entries, the reqid is multiplied by 1000 to be able to track things.

Either the kernel should be patched to increase the range, or another way should be found to track the tunnel status.
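The range problem described in the report above, as an added example that is not part of the original ticket or of pfSense's code. It assumes the reqid is formed as phase 1 id × 1000 + phase 2 index and takes the report's approximate figure of 16000 as the ceiling; all function names and the sample tunnel table are hypothetical.

```python
# Added illustration; not pfSense or strongSwan code.
# Assumption: ceiling for manually specified reqids, using the report's "~16000".
REQID_MAX = 16000


def scaled_reqids(tunnels, factor=1000):
    """Assumed scheme from the report: reqid = phase1_id * factor + phase2_index.

    tunnels maps phase 1 id -> number of phase 2 entries.
    Returns {(phase1_id, phase2_index): reqid}.
    """
    return {
        (p1, idx): p1 * factor + idx
        for p1, count in sorted(tunnels.items())
        for idx in range(count)
    }


def out_of_range(reqids, limit=REQID_MAX):
    """Return the (phase1_id, phase2_index) keys whose reqid falls outside 1..limit."""
    return sorted(key for key, reqid in reqids.items() if not 1 <= reqid <= limit)


def duplicates(reqids):
    """Return reqid values assigned to more than one SA (tracking would be ambiguous)."""
    seen, dupes = set(), set()
    for reqid in reqids.values():
        (dupes if reqid in seen else seen).add(reqid)
    return sorted(dupes)


def compact_reqids(tunnels, limit=REQID_MAX):
    """One alternative: hand out reqids sequentially so each phase 2 stays unique
    and the range is only exhausted after `limit` SAs, not after 16 phase 1 ids."""
    allocated, next_id = {}, 1
    for p1, count in sorted(tunnels.items()):
        for idx in range(count):
            if next_id > limit:
                raise ValueError("reqid range exhausted")
            allocated[(p1, idx)] = next_id
            next_id += 1
    return allocated


# Constructed sample: phase 1 ids 1, 16 and 17 with 2, 3 and 1 phase 2 entries.
SAMPLE_TUNNELS = {1: 2, 16: 3, 17: 1}

if __name__ == "__main__":
    print("out of range:", out_of_range(scaled_reqids(SAMPLE_TUNNELS)))
    print("compact:", compact_reqids(SAMPLE_TUNNELS))
```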

Actions #1

Updated by Ermal Luçi about 10 years ago

  • Priority changed from Normal to Very High
Actions #2

Updated by Chris Buechler about 10 years ago

  • Status changed from New to Confirmed
Actions #3

Updated by Ermal Luçi about 10 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Ermal Luçi about 10 years ago

Actions #5

Updated by Chris Buechler about 10 years ago

  • Status changed from Feedback to Resolved

confirmed the new snapshot with this fix fixes the circumstances where we were seeing this.

Actions #6

Updated by Ermal Luçi about 10 years ago

Just need to check if the IKEv1 tunnels with many phase2 are still usable with pfSense to some other product, Chris.

Can you make sure of that as well please?

Actions #7

Updated by Pi Ba about 10 years ago

This broke again. It really needs different reqids for each P1 if unity is not supported by the remote device. Maybe not include the '00' in there, but make it unique in another way?

Actions #8

Updated by Chris Buechler about 10 years ago

  • Status changed from Resolved to Confirmed

yeah this did break that scenario

Actions #9

Updated by Chris Buechler about 10 years ago

  • Status changed from Confirmed to Resolved

fixed again

