
I'm experiencing an issue with pfSense where duplicate SADs are getting created after rekeying, forcing me to manually go ahead and delete the old SADs. It's not a huge issue but it does get to be a problem once I let it go for a few days. I just installed the cron package for pfSense so I could run a script to identify stale SADs and delete them, but I am not that familiar with BSD or pfSense. Is there a command that enumerates SADs and their properties, and another that can delete by ID? I can form the conditional parts of the script but I do not know the commands to run. I would imagine it would be something like:

  1. Enumerate SADs
  2. Identify duplicate ones by matching source and destination IPs
  3. Find the one with the larger bytes transferred
  4. Delete
tacos_tacos_tacos

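The four steps sketched in the question, as an added example that is not code from the question or the answer. It assumes the FreeBSD setkey(8) utility that pfSense ships: `setkey -D` dumps the security association database and `setkey -c` reads SAD/SPD statements from standard input. The sample dump embedded in the script is constructed from memory of that output format and may differ in detail on your version, so run the script as a dry run and compare against a real `setkey -D` before piping anything into `setkey -c`. It implements the poster's own heuristic (per direction and protocol, keep the SA with the fewest bytes and delete the rest); as Chris Buechler's answer notes, this is a workaround for mismatched lifetimes and missing DPD, not a fix for them.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes the
# FreeBSD setkey(8) utility used by pfSense: `setkey -D` dumps the SAD and
# `setkey -c` reads SAD/SPD statements from stdin. The dump layout below is
# reproduced from memory and may differ on your version: dry run first.

# Constructed sample of a `setkey -D` dump (indented with spaces here; the
# real dump uses tabs, and the parser accepts either): two ESP SAs for the
# same direction 10.0.0.1 -> 10.0.0.2, where the stale one has carried far
# more traffic, plus one SA for the reverse direction.
SAMPLE_DUMP='10.0.0.1 10.0.0.2
    esp mode=tunnel spi=123456(0x0001e240) reqid=0(0x00000000)
    E: aes-cbc  00010203 04050607 08090a0b 0c0d0e0f
    A: hmac-sha1  00010203 04050607 08090a0b 0c0d0e0f 10111213
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan  1 00:00:00 2013   current: Jan  2 00:00:00 2013
    diff: 86400(s)  hard: 0(s)  soft: 0(s)
    last: Jan  2 00:00:00 2013  hard: 0(s)  soft: 0(s)
    current: 98765432(bytes)    hard: 0(bytes)  soft: 0(bytes)
    allocated: 0    hard: 0 soft: 0
    sadb_seq=2 pid=1234 refcnt=1
10.0.0.1 10.0.0.2
    esp mode=tunnel spi=654321(0x0009fbf1) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    current: 4096(bytes)    hard: 0(bytes)  soft: 0(bytes)
    sadb_seq=1 pid=1234 refcnt=1
10.0.0.2 10.0.0.1
    esp mode=tunnel spi=111111(0x0001b207) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    current: 2048(bytes)    hard: 0(bytes)  soft: 0(bytes)
    sadb_seq=0 pid=1234 refcnt=1'

# Steps 1-3: parse a dump on stdin and print "src dst proto spi" for every SA
# that shares src, dst and protocol with another SA and is not the one with
# the fewest bytes (the poster's heuristic: more bytes = older SA).
# SAs are unidirectional, so each direction is judged separately.
stale_sas() {
    awk '
    /^[^ \t]/ { src = $1; dst = $2; next }          # record header: "src dst"
    /^[ \t]+(esp|ah) / {                            # "esp mode=... spi=N(0xHEX) ..."
        proto = $1
        for (i = 1; i <= NF; i++) if ($i ~ /^spi=/) {
            spi = $i                                 # keep the hex form, 0x...
            sub(/^spi=[0-9]*\(/, "", spi); sub(/\).*$/, "", spi)
        }
    }
    /current: [0-9]+\(bytes\)/ {                    # per-SA byte counter line
        for (i = 1; i <= NF; i++) if ($i ~ /\(bytes\)$/) {
            b = $i; sub(/\(bytes\)/, "", b); break
        }
        key = src " " dst " " proto
        n[key]++
        spis[key, n[key]] = spi; bytes[key, n[key]] = b + 0
    }
    END {
        for (key in n) {
            if (n[key] < 2) continue                 # no duplicate for this direction
            keep = 1
            for (i = 2; i <= n[key]; i++) if (bytes[key, i] < bytes[key, keep]) keep = i
            for (i = 1; i <= n[key]; i++) if (i != keep) print key, spis[key, i]
        }
    }' | sort
}

# Step 4: turn each stale SA into a setkey(8) delete statement
# ("delete src dst proto spi ;"). Review the output before applying it.
delete_statements() {
    stale_sas | awk '{ printf "delete %s %s %s %s ;\n", $1, $2, $3, $4 }'
}

# Demonstration on the constructed sample. On the firewall, after sourcing
# this file:
#   setkey -D | delete_statements              (review)
#   setkey -D | delete_statements | setkey -c  (apply)
printf '%s\n' "$SAMPLE_DUMP" | delete_statements
```

On the sample this prints a single statement, `delete 10.0.0.1 10.0.0.2 esp 0x0001e240 ;`, for the busier of the two 10.0.0.1 -> 10.0.0.2 SAs and leaves the reverse direction alone. The byte-count heuristic only removes the right SA if the peer has really moved to the newer one, so check that traffic is flowing over the surviving SPI before scheduling this from cron; NAT-T entries (shown with port suffixes on your version) are not handled here.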
1 Answer


You have a problem there that should be fixed, rather than creating a workaround to the actual problem. From the sounds of it, you have mismatched lifetimes, and aren't using DPD (or maybe are on a version pre-2.0 where DPD in ipsec-tools didn't work). First fix your lifetimes, and then enable DPD on both sides if possible.

Chris Buechler