This article provides information about the /kernel: IPv6 ESP input: no key association found for spi xxxxxx syslog message and how to avoid it:

% grep -i IPv6 messages
Dec 28 10:35:35.907 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3715243453
Dec 28 10:40:28.980 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3952502221
Dec 28 10:42:56.918 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 135647907
Dec 28 10:44:21.797 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3510960257
Dec 28 10:47:52.994 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 844099669
Dec 28 10:50:20.871 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3317616808
Dec 28 10:52:48.926 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 648115457
Dec 28 10:55:17.066 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 1091746910
This kernel message means that the remote IPsec peer still believes that an outstanding Security Association (SA) is defined, and it is sending encrypted packets that the router does not understand. You will see this message when the router receives an ESP-encrypted packet from the peer and has no SA corresponding to the SPI <spi> specified in the ESP header.
An SA is the establishment of shared security attributes on the IPsec connection to support secure communication. It includes attributes such as SPI, protocol (AH/ESP), mode (Tunnel/Transport), encryption (DES/3DES/AES), authentication, auth-key, sequence counter, DSCP, Path MTU, IP addresses of the tunnel end points, and SA lifetime. If these attributes are changed while the IPsec tunnel is up, and some attributes in the ESP header of incoming encrypted packets are not found in the established SA, you will probably see the message.
When this message is generated, the packets are dropped, even though the IPsec tunnel is up. The IPsec tunnel will remain established until the tunnel session expires.
This behavior is not a bug.
This issue is triggered by a configuration change to the IPsec tunnel attributes while the tunnel is up. As a workaround, avoid configuration changes while the tunnel is in use, and do not de-activate the relevant configuration.
You should de-activate the specific IPsec tunnel on both of the routers before changing these attributes, and then activate the tunnel. After this is done, the IPv6 ESP input: no key association found for spi xxxxxx syslog message will no longer be generated.
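To see how long packets were being dropped and to confirm that the message has stopped after the tunnel is re-activated, the messages file can be summarized per host. The following is an added example, not part of the original article or any vendor tooling; the function name, the assumed year and the sample list are illustrative, and the unrelated log line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the syslog format shown in the article's excerpt.
PATTERN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})(?:\.\d+)?\s+(?P<host>\S+)\s+/kernel:\s+"
    r"IPv6 ESP input: no key association found for spi (?P<spi>\d+)"
)
ASSUMED_YEAR = 2000  # assumption: lines carry no year; a leap year keeps Feb 29 parseable

# Three lines from the article's excerpt plus one constructed, unrelated line.
SAMPLE = [
    "Dec 28 10:35:35.907 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3715243453",
    "Dec 28 10:40:28.980 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 3952502221",
    "Dec 28 10:41:00.000 Jam-re0 example[100]: constructed unrelated line",
    "Dec 28 10:42:56.918 Jam-re0 /kernel: IPv6 ESP input: no key association found for spi 135647907",
]

def summarize(lines):
    """Per host: number of drops, distinct SPIs, first/last timestamp, span in seconds."""
    seen = defaultdict(list)
    for line in lines:
        m = PATTERN.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        spi = int(m["spi"])
        if spi > 0xFFFFFFFF:  # the SPI is a 32-bit field; larger means a corrupt line
            continue
        seen[m["host"]].append((ts, spi))
    report = {}
    for host, events in seen.items():
        events.sort()
        first, last = events[0][0], events[-1][0]
        report[host] = {
            "drops": len(events),
            # Fixed-width hex, for comparison with tools that list SPIs in hexadecimal.
            "spis": sorted({f"0x{spi:08x}" for _, spi in events}),
            "first": first.strftime("%b %d %H:%M:%S"),
            "last": last.strftime("%b %d %H:%M:%S"),
            "span_seconds": int((last - first).total_seconds()),
        }
    return report

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, info)
```

A "last" timestamp that stops advancing after the tunnel has been de-activated, changed and re-activated on both routers indicates the mismatch is gone.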