Bug #6263

Encryption options for every P2 on a given P1 are written to each P2 individually inside ipsec.conf with multiple P2 entries + split conn entries

Added by Jim Pingle over 1 year ago. Updated 10 days ago.

When multiple Phase 2 entries exist, the encryption options for every P2 inside a given P1 are added to every split connection entry (IKEv1, or IKEv2 with split connections active).

For example, with three P2 entries all set for AES256-GCM-128, ipsec.conf has this in each conn entry:

    esp = aes256gcm128,aes256gcm128,aes256gcm128!

The same identical option is written on each connection.

If different options are used for P2s within the same tunnel, all of them are written to each P2. So each split conn entry contains all possible P2 algorithms for any P2 on the P1, not just the selected algorithm for that specific P2 entry.
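The following is an added illustration of the behaviour described above; it is not pfSense's own PHP config generator. It models a Phase 1 with three Phase 2 entries (constructed sample data; the `conN`/`conN00M` conn names, subnets and addresses are assumptions), renders the split conn entries both the way the report describes (every P2's algorithm written to every conn, without de-duplication) and the way the report expects (each conn carrying only its own P2 proposal), and includes a small checker that flags conn entries in an existing ipsec.conf whose `esp =` line has the reported shape.

```python
"""Model of how split IPsec conn entries receive their esp= proposal line.

Constructed example for this bug report, not pfSense's generator: it shows
the reported rendering (all P2 algorithms on every split conn) beside the
per-P2 rendering the report asks for, plus a checker for existing configs.
"""
import re

# Constructed Phase 1 with three Phase 2 entries. The conn naming, the
# addresses and the subnets are assumptions made for this example only.
P1 = {"name": "con1", "left": "192.0.2.1", "right": "198.51.100.1"}
P2S = [
    {"name": "con1000", "leftsubnet": "10.0.1.0/24",
     "rightsubnet": "10.1.0.0/24", "esp": "aes256gcm128"},
    {"name": "con1001", "leftsubnet": "10.0.2.0/24",
     "rightsubnet": "10.1.0.0/24", "esp": "aes256gcm128"},
    {"name": "con1002", "leftsubnet": "10.0.3.0/24",
     "rightsubnet": "10.1.0.0/24", "esp": "aes256-sha256"},
]


def conn_block(p1, p2, esp_algs):
    """Render one split conn entry with the given list of ESP proposals."""
    lines = [
        f"conn {p2['name']}",
        f"\tleft = {p1['left']}",
        f"\tright = {p1['right']}",
        f"\tleftsubnet = {p2['leftsubnet']}",
        f"\trightsubnet = {p2['rightsubnet']}",
        # The trailing "!" is strongSwan's strict-proposal marker.
        f"\tesp = {','.join(esp_algs)}!",
    ]
    return "\n".join(lines)


def render_reported(p1, p2s):
    """The behaviour the report describes: the algorithm of every P2 is
    collected (once per P2, so identical entries repeat) and the whole
    list is written to each split conn."""
    every_alg = [p2["esp"] for p2 in p2s]
    return "\n\n".join(conn_block(p1, p2, every_alg) for p2 in p2s)


def render_per_p2(p1, p2s):
    """What the report expects: each conn carries only its own P2 proposal."""
    return "\n\n".join(conn_block(p1, p2, [p2["esp"]]) for p2 in p2s)


def esp_proposals(conf_text):
    """Parse ipsec.conf text into {conn name: [esp proposals]}."""
    result = {}
    current = None
    for line in conf_text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*esp\s*=\s*(.+?)!?\s*$", line)
        if m and current:
            result[current] = m.group(1).split(",")
    return result


def overloaded_conns(conf_text):
    """Return the conns whose esp line repeats a proposal or lists more
    than one, i.e. entries that show the shape reported in this bug."""
    flagged = {}
    for name, props in esp_proposals(conf_text).items():
        if len(props) > 1 or len(set(props)) != len(props):
            flagged[name] = props
    return flagged


if __name__ == "__main__":
    reported = render_reported(P1, P2S)
    print(reported)
    print("flagged:", overloaded_conns(reported))
    print("flagged after per-P2 rendering:",
          overloaded_conns(render_per_p2(P1, P2S)))
```

Running `overloaded_conns` over the `ipsec.conf` a pfSense box actually generated is a quick way to confirm whether a given tunnel is affected before disabling P2 entries one at a time.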


#1 Updated by Chris Buechler over 1 year ago

  • Target version changed from 2.3.1 to 2.3.2
  • Affected version changed from 2.3 to All

always been that way (well, w/strongswan, >=2.2.0). Doesn't hurt anything, not worth risking at this stage for 2.3.1.

#2 Updated by Chris Buechler about 1 year ago

  • Target version changed from 2.3.2 to 2.4.0

#3 Updated by si lec 12 months ago

It might have always been that way, but this is very painful... all other brands do support this properly.
I just started using pfSense and this bug caused me quite a lot of trouble. You really need to fix this.

#4 Updated by Jim Thompson 9 months ago

  • Assignee set to Matthew Smith

#5 Updated by Jim Thompson about 1 month ago

  • Assignee changed from Matthew Smith to Renato Botelho

#6 Updated by Cullen Trey 30 days ago

We had problems with one of our IPsec tunnels. Sometimes it can connect, sometimes not. After a reboot of pfSense, it can mostly connect.

When I read about this bug, I disabled all P2 entries except one. Now it always works...

Could it really be that the entry with the same encryption listed multiple times (esp = aes256gcm128,aes256gcm128,aes256gcm128!) is causing problems with the remote site? In our setup, only we establish the IPsec connection.

It would be great to see this fixed, as it cannot do anything good.

thanks for your work!

#7 Updated by Renato Botelho 10 days ago

  • Target version changed from 2.4.0 to 2.4.1
