To avoid issues with clashing SAIDs go back to specifying the reqid in strongswan config.

To be able to manage this first upgrade the config to assign each phase2 an reqid
Second use that during config generation

Ticket #4208

conf.default/config.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <pfsense>
-	<version>11.5</version>
+	<version>11.6</version>
 	<lastchange/>
 	<theme>pfsense_ng</theme>
 	<system>

etc/inc/ipsec.inc

@@ -671,4 +671,27 @@ function ipsec_fixup_network($network) {
 	return $result;
 }
 
+function ipsec_new_reqid() {
+	global $config;
+
+	if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2']))
+		return;
+
+	$ipsecreqid = lock('ipsecreqids', LOCK_EX);
+	$keyids = array();
+	$keyid = 1;
+	foreach ($config['ipsec']['phase2'] as $ph2)
+		$keyids[$ph2['reqid']] = $ph2['reqid'];
+
+	for ($i = 1; $i < 16000; $i++) {
+		if (!isset($keyids[$i])) {
+			$keyid = $i;
+			break;
+		}
+	}
+	unlock($ipsecreqid);
+
+	return $keyid;
+}
+
 ?>

etc/inc/upgrade_config.inc

@@ -3539,4 +3539,17 @@ function upgrade_114_to_115() {
 		$config['unbound']['custom_options'] = base64_encode($config['unbound']['custom_options']);
 }
 
+function upgrade_115_to_116() {
+	global $config;
+
+	if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2']))
+                return;
+
+        $keyid = 1;
+        foreach ($config['ipsec']['phase2'] as $idx => $ph2) {
+                $config['ipsec']['phase2'][$idx]['reqid'] = $keyid;
+		$keyid++;
+	}
+}
+
 ?>

etc/inc/vpn.inc

@@ -668,6 +668,7 @@ EOD;
 			$ipseclifetime = 0;
 			$rightsubnet_spec = array();
 			$leftsubnet_spec = array();
+			$reqids = array();
 			$ealgoAHsp2arr = array();
 			$ealgoESPsp2arr = array();
 		if (is_array($a_phase2) && count($a_phase2)) {
@@ -807,6 +808,7 @@ EOD;
 					}
 				}
 
+				$reqids[] = $ph2ent['reqid'];
 
 				if (!empty($ph2ent['lifetime'])) {
 					if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
@@ -860,6 +862,7 @@ EOD;
 					$ipsecfin = '';
 					foreach ($rightsubnet_spec as $idx => $rsubnet) {
 						$ipsecfin .= "\nconn con{$ph1ent['ikeid']}00{$idx}\n";
+						$ipsecfin .= "\treqid = " . $reqids[$idx] . "\n";
 						$ipsecfin .= $ipsecconnect;
 						$ipsecfin .= "\trightsubnet = {$rsubnet}\n";
 						$ipsecfin .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
@@ -868,6 +871,7 @@ EOD;
 					log_error("No phase2 specifications for tunnel with REQID = {$ikeid}");
 			} else {
 				$ipsecfin = "\nconn con{$ph1ent['ikeid']}\n";
+				$ipsecfin .= "\treqid = " . $reqids[0] . "\n";
 				$ipsecfin .= $ipsecconnect;
 				if (!empty($rightsubnet_spec)) {
 					$tempsubnets = array();

usr/local/www/vpn_ipsec_phase2.php

@@ -93,6 +93,7 @@ if ($ph2found === true)
 	$pconfig['pfsgroup'] = $ph2['pfsgroup'];
 	$pconfig['lifetime'] = $ph2['lifetime'];
 	$pconfig['pinghost'] = $ph2['pinghost'];
+	$pconfig['reqid'] = $ph2['reqid'];
 
 	if (isset($ph2['mobile']))
 		$pconfig['mobile'] = true;
@@ -320,6 +321,10 @@ if ($_POST) {
 		$ph2ent['uniqid'] = $pconfig['uniqid'];
 		$ph2ent['mode'] = $pconfig['mode'];
 		$ph2ent['disabled'] = $pconfig['disabled'] ? true : false;
+		if (!isset($pconfig['reqid']))
+			$ph2ent['reqid'] = ipsec_new_reqid();
+		else
+			$ph2ent['reqid'] = $pconfig['reqid'];
 
 		if(($ph2ent['mode'] == "tunnel") || ($ph2ent['mode'] == "tunnel6")){
 			if (!empty($pconfig['natlocalid_address']))
@@ -832,6 +837,9 @@ function change_protocol() {
 						<?php endif; ?>
 							<input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" />
 							<input name="ikeid" type="hidden" value="<?=htmlspecialchars($pconfig['ikeid']);?>" />
+						<?php if (!empty($pconfig['reqid'])): ?>
+							<input name="reqid" type="hidden" value="<?=htmlspecialchars($pconfig['reqid']);?>" />
+						<?php endif; ?>
 							<input name="uniqid" type="hidden" value="<?=htmlspecialchars($pconfig['uniqid']);?>" />
 						</td>
 					</tr>