Bug #9331

Parallel Rekey fails for multiple Child SAs

Added by Markus Stockhausen about 2 years ago. Updated 6 months ago.

We are running an IKEv1 VPN connection towards a Watchguard firewall cluster. It has 10 tunnel definitions. Whenever the Watchguard cluster fails over, several tunnels stop working. Our analysis shows that the failover issues all phase 2 rekeys at the same time. The pfSense strongSwan daemon fails during this process with the following message:

Jan 11 18:07:24 firewall charon: 11[NET] <con1000|6> received packet: from to yyy.yyy.yyy.yyy500 (68 bytes)
Jan 11 18:07:24 firewall charon: 11[ENC] <con1000|6> invalid HASH_V1 payload length, decryption failed?
Jan 11 18:07:24 firewall charon: 11[ENC] <con1000|6> could not decrypt payloads

In the forum this issue is mentioned in this post

It all boils down to the fact that strongSwan only allows 3 rekeys at the same time because of the parameter max_ikev1_exchanges. As we cannot control any foreign firewall's behaviour, pfSense should allow for all rekeys to complete, independent of the number of tunnel interfaces. Sophos has already implemented a workaround for this. See

I would expect a two stage solution for this problem in pfSense.

1 Simple: Add a parameter to /etc/inc/ in the charon section and increase the maximum number of outstanding rekeys.

charon {
        max_ikev1_exchanges = 22
}

Although 22 is only an arbitrary value, it might make sense because 12 tunnels (as in our case) should not be very common.

2 Sustained: Add a warning in the web interface if the number of tunnels for an IKEv1 VPN reaches 20, so we have 2 slots of safety.
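As an added illustration (not code from the report or from pfSense), the following Python checker expresses the two-stage proposal above: it reads max_ikev1_exchanges from a strongswan.conf charon section (falling back to the default of 3 the report describes), classifies whether a simultaneous rekey of every Phase 2 SA fits within that limit with the 2-slot safety margin, emits the corrected charon fragment, and counts the "could not decrypt payloads" symptom per IKE SA in charon log lines. The strongswan.conf text and log lines are constructed samples modelled on the report.

```python
import re

DEFAULT_MAX_IKEV1_EXCHANGES = 3   # strongSwan default, as the report states
SAFETY_SLOTS = 2                  # headroom the report asks the web UI to enforce

def parse_max_ikev1_exchanges(conf_text):
    """Return charon.max_ikev1_exchanges from strongswan.conf text, or the default if unset."""
    block = re.search(r"^charon\s*\{(.*?)^\}", conf_text, re.S | re.M)
    body = block.group(1) if block else ""
    val = re.search(r"^\s*max_ikev1_exchanges\s*=\s*(\d+)", body, re.M)
    return int(val.group(1)) if val else DEFAULT_MAX_IKEV1_EXCHANGES

def check_rekey_capacity(phase2_count, conf_text):
    """'fail' if rekeying every Phase 2 SA at once exceeds the limit, 'warn' within SAFETY_SLOTS, else 'ok'."""
    limit = parse_max_ikev1_exchanges(conf_text)
    headroom = limit - phase2_count
    if headroom < 0:
        status = "fail"
    elif headroom <= SAFETY_SLOTS:
        status = "warn"      # e.g. 20 tunnels against a limit of 22, the report's warning threshold
    else:
        status = "ok"
    return {"limit": limit, "headroom": headroom, "status": status}

def charon_fragment(limit):
    """strongswan.conf charon section carrying the chosen max_ikev1_exchanges value."""
    return "charon {\n        max_ikev1_exchanges = %d\n}\n" % limit

# Matches the ENC-subsystem line the report shows when a rekey cannot be decrypted.
LOG_RE = re.compile(r"charon: \d+\[ENC\] <(?P<sa>[^>]+)> could not decrypt payloads")

def decrypt_failures_per_sa(log_lines):
    """Count 'could not decrypt payloads' occurrences per IKE SA name (e.g. 'con1000|6')."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            counts[m.group("sa")] = counts.get(m.group("sa"), 0) + 1
    return counts

# Constructed sample log lines modelled on the report's excerpt (not real captures).
SAMPLE_LOG = [
    "Jan 11 18:07:24 firewall charon: 11[ENC] <con1000|6> invalid HASH_V1 payload length, decryption failed?",
    "Jan 11 18:07:24 firewall charon: 11[ENC] <con1000|6> could not decrypt payloads",
    "Jan 11 18:07:24 firewall charon: 12[ENC] <con1000|6> could not decrypt payloads",
    "Jan 11 18:07:25 firewall charon: 13[ENC] <con2000|9> could not decrypt payloads",
]

if __name__ == "__main__":
    print(check_rekey_capacity(12, "charon {\n}\n"))          # default limit 3 -> fail
    print(check_rekey_capacity(12, charon_fragment(22)))      # report's value -> ok
    print(decrypt_failures_per_sa(SAMPLE_LOG))
```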

Associated revisions

Revision 4a879d79 (diff)
Added by Viktor Gurov 7 months ago

Add option to increase parallel IKEv1 Phase 2 rekeys. Issue #9331


#2 Updated by Markus Stockhausen about 2 years ago

Thanks for the feedback about the pull request. I deleted the old one and added the sustained solution.

#3 Updated by Jim Pingle about 2 years ago

  • Target version changed from 48 to 2.5.0

#4 Updated by Jim Pingle over 1 year ago

  • Category changed from VPN (Multiple Types) to IPsec

#5 Updated by Jim Pingle over 1 year ago

  • Status changed from New to Pull Request Review

#7 Updated by Renato Botelho 7 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#8 Updated by Steve Beaver 6 months ago

  • Status changed from Feedback to Resolved