
Multi Phase 2 connections with IPSec Site 2 Site

cloudix
Level 1

I've got a problem I can't seem to figure out. When my IPsec tunnel is built it makes a new phase 2 connection every 60 seconds.

1.1.1.1 = Cisco Router

2.2.2.2 PfSense Router

----- Connection configuration -----

1.1.1.1 => Internet <= 2.2.2.2

---------------------------------

Here is a screenshot on the pfSense end.

[screenshot: cloudix_0-1752765864311.png]

And here is the config on the Cisco router.

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
clock timezone CST -6 0
clock summer-time CDT recurring
!
!
!
!
!
!
!
!
!
!
!


ip dhcp excluded-address 10.10.20.1 10.10.20.10
ip dhcp excluded-address 10.10.30.1 10.10.30.10
!
ip dhcp pool default
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 8.8.4.4
lease 0 1
!
ip dhcp pool Vlan_10
network 10.10.30.0 255.255.255.0
default-router 10.10.30.1
dns-server 8.8.8.8
lease 0 1
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4321/K9 sn FLM2429002E
license accept end user agreement
license boot level appxk9
license boot level securityk9
!
spanning-tree extend system-id
!
username admin privilege 15 password 0 XXXXX
!
redundancy
mode none
!
crypto ikev2 proposal Nash-Ikev2-Proposal
encryption aes-gcm-128
prf sha256
group 2
!
crypto ikev2 policy Nash-Ikev2-Policy
match address local 1.1.1.1
proposal Nash-Ikev2-Proposal
!
crypto ikev2 keyring Cross2Nash-keyring
peer my.domain.com
description "Nashville Connection"
address 0.0.0.0 0.0.0.0
identity fqdn my.domain.com
pre-shared-key XXXXXXX
!
!
!
crypto ikev2 profile Nash-Ikev2-Profile
match address local 1.1.1.1
match identity remote fqdn my.domain.com
authentication remote pre-share
authentication local pre-share
keyring local Cross2Nash-keyring
lifetime 28800
dpd 10 5 on-demand
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
crypto ipsec transform-set Nash-TransformSet esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile Nash-IPsecProfile
set transform-set Nash-TransformSet
set pfs group14
set ikev2-profile Nash-Ikev2-Profile
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel11
ip address 10.10.40.1 255.255.255.255
ip tcp adjust-mss 1350
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel destination 2.2.2.2
tunnel protection ipsec profile Nash-IPsecProfile
!
interface GigabitEthernet0/0/0
description Connected to Port 1 on Switch
no ip address
negotiation auto
no mop enabled
spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2 native
ip address 10.10.20.1 255.255.255.0
ip nat inside
no cdp enable
!
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 10.10.30.1 255.255.255.0
ip nat inside
no cdp enable
!
interface GigabitEthernet0/0/1
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Vlan1
no ip address
!
ip nat inside source list Nat-Service interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 192.168.5.0 255.255.255.0 Tunnel11
ip ssh rsa keypair-name SSH-Key
ip ssh version 2
ip ssh dscp 16
!
!
ip access-list extended IpSec_Tunnel
permit ip 10.10.20.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 192.168.128.0 0.0.0.255
remark -= End of Vlan 2 =-
permit ip 10.10.30.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 192.168.128.0 0.0.0.255
remark -= End of Vlan 10 =-
permit esp host 2.2.2.2 host 1.1.1.1
permit udp host 2.2.2.2 eq isakmp host 1.1.1.1
permit udp host 2.2.2.2 eq non500-isakmp host 1.1.1.1
ip access-list extended Nat-Service
remark "-=[Define NAT Service]=-"
permit ip 10.10.20.0 0.0.0.255 any
permit ip 10.10.30.0 0.0.0.255 any
!
logging trap warnings
!
!
!
control-plane
!
!
!
end


Any help with this would be awesome. 

25 Replies

show crypto isakmp sa <<- share this 

MHM

Nothing for isakmp, so I also included ipsec.

#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

#sh crypto ipsec sa

interface: Tunnel11
Crypto map tag: Tunnel11-head-0, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xC05AE021(3227181089)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x7358E8DB(1935206619)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: ESG:8, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3551)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC05AE021(3227181089)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: ESG:7, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3551)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Here it is after a few minutes of running.

sh crypto ipsec sa

interface: Tunnel11
Crypto map tag: Tunnel11-head-0, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xC79D41DF(3348971999)
PFS (Y/N): Y, DH group: group14

inbound esp sas:
spi: 0x7358E8DB(1935206619)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: ESG:8, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3219)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xD0CE84DD(3503195357)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2010, flow_id: ESG:10, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3280)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x89570807(2304182279)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2012, flow_id: ESG:12, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3340)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x4EED1567(1324160359)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2014, flow_id: ESG:14, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3401)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x7D189F3B(2098765627)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2016, flow_id: ESG:16, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3461)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xA2C76783(2730977155)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2018, flow_id: ESG:18, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3522)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xBBB929E6(3149474278)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2020, flow_id: ESG:20, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3582)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC05AE021(3227181089)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: ESG:7, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3219)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xC784E0ED(3347374317)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2009, flow_id: ESG:9, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3280)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xC916DD84(3373718916)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2011, flow_id: ESG:11, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3340)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xCD52A917(3444746519)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2013, flow_id: ESG:13, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3401)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xC4CB9992(3301677458)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2015, flow_id: ESG:15, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3461)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xCDD8ECF9(3453545721)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2017, flow_id: ESG:17, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3522)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xC79D41DF(3348971999)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2019, flow_id: ESG:19, sibling_flags FFFFFFFF80000048, crypto map: Tunnel11-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3582)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Sorry, it's IKEv2.

Show crypto ikev2 sa 

Show crypto sa 

MHM

Show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 1.1.1.1/500 2.2.2.2/500 none/none READY
Encr: AES-GCM, keysize: 128, PRF: SHA256, Hash: None, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/12130 sec

IPv6 Crypto IKEv2 SA

show crypto sa is not an option.

This is good, there is no issue.

Then why does it create a new phase 2 connection every 60 seconds?

OK, you use a route-based VPN, which must show in crypto ipsec sa as local and remote proxy 0.0.0.0.

But I see a subnet, which points to one peer using a policy-based VPN; that is wrong.

Check the remote peer config.

Yours is correct.

MHM
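One way to check the two symptoms MHM points at (non-0.0.0.0 proxy IDs on a VTI tunnel, and a fresh child SA created about every minute) directly from the show output. This is an added example, not code from the thread; the sample output is a constructed excerpt shaped like the poster's "sh crypto ipsec sa" output, and the regexes only rely on the line formats visible above.

```python
import re

# Constructed excerpt in the shape of the thread's "sh crypto ipsec sa" output (not the full post).
SAMPLE = """\
local ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
inbound esp sas:
spi: 0x7358E8DB(1935206619)
sa timing: remaining key lifetime (k/sec): (4608000/3219)
spi: 0xD0CE84DD(3503195357)
sa timing: remaining key lifetime (k/sec): (4608000/3280)
spi: 0x89570807(2304182279)
sa timing: remaining key lifetime (k/sec): (4608000/3340)
outbound esp sas:
spi: 0xC05AE021(3227181089)
sa timing: remaining key lifetime (k/sec): (4608000/3219)
spi: 0xC784E0ED(3347374317)
sa timing: remaining key lifetime (k/sec): (4608000/3280)
"""

IDENT_RE = re.compile(r"^(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \(\d+/(\d+)\)")

def parse_ipsec_sa(text):
    """Return (traffic selectors, remaining lifetimes in seconds per ESP direction)."""
    selectors, direction, lifetimes = {}, None, {"inbound": [], "outbound": []}
    for line in text.splitlines():
        line = line.strip()
        m = IDENT_RE.match(line)
        if m:
            selectors[m.group(1)] = (m.group(2), m.group(3))  # (address, mask)
        elif line.endswith("esp sas:"):
            direction = line.split()[0]  # "inbound" or "outbound"
        elif direction and (m := LIFE_RE.search(line)):
            lifetimes[direction].append(int(m.group(1)))
    return selectors, lifetimes

def diagnose(text, churn_window=120):
    """Flag selectors other than 0.0.0.0/0.0.0.0 and several live SAs spaced under churn_window s apart."""
    selectors, lifetimes = parse_ipsec_sa(text)
    findings = []
    if any(sel != ("0.0.0.0", "0.0.0.0") for sel in selectors.values()):
        findings.append("selector-mismatch")  # a VTI (route-based) peer should negotiate any/any
    for direction, lts in lifetimes.items():
        lts = sorted(lts)
        gaps = [b - a for a, b in zip(lts, lts[1:])]  # seconds between consecutive SA creations
        if gaps and max(gaps) <= churn_window:
            findings.append(f"{direction}-churn:{len(lts)}sas")
    return findings
```

Run it against your own full output and a healthy tunnel returns an empty list; the sample above returns the selector mismatch plus a churn finding for each direction.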

Where do you see that one is policy based and one is route based?

local ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)


local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

If I wanted to change this end to policy based, could you show me what that config would look like?

Step 1

Shut down the tunnel.

Step 2

Remove the ipsec profile.

Add

crypto map <map name> ipsec-isakmp

set transform-set Nash-TransformSet
set pfs group14
set ikev2-profile Nash-Ikev2-Profile

Match access <name of acl> <<- you also need to add an ACL from your local LAN to the remote LAN.

Step 3

Apply the crypto map under the interface connected to the remote peer.

MHM

When trying the command crypto map <map name> ipsec-isakmp, it does not have ipsec-isakmp as an option. Here are my options.

#Crypto map Cmap_Nash ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
gdoi Configure crypto map gdoi features
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map

crypto map <map name> <seq> ipsec-isakmp

Make the seq number 10.

MHM