When multiple IPsec SAs share the same IKE SA and a rekey event takes place, not all state is properly transferred to the new connection. That can lead to multiple IKE SAs. Some devices, such as Cisco, will not allow this and return INVALID_IKE_SPI and delete all their IKE SAs.
This sounds like it should not be hard to reproduce - with two IPsec SAs sharing a single IKE SA, when rekeying happens, what should I expect? Just a single IKE SA, right?
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.