diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index eda4c999a..a7b5607c2 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -1142,6 +1142,9 @@ function ipsec_configure_do($verbose = false, $interface = '')
 if (isset($a_client['enable']) && isset($a_client['net_list'])) {
 $strongswanTree['charon']['cisco_unity'] = 'yes';
 }
+ if (!empty($config['ipsec']['max_ikev1_exchanges'])) {
+ $strongswanTree['charon']['max_ikev1_exchanges'] = $config['ipsec']['max_ikev1_exchanges'];
+ }
 // Debugging configuration
 // lkey is the log key, which is a three-letter abbreviation of the subsystem to log, e.g. `ike`.
diff --git a/src/www/vpn_ipsec_settings.php b/src/www/vpn_ipsec_settings.php
index 9893813d5..4f96b19c7 100644
--- a/src/www/vpn_ipsec_settings.php
+++ b/src/www/vpn_ipsec_settings.php
@@ -40,6 +40,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);
 $pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']);
 $pconfig['auto_routes_disable'] = isset($config['ipsec']['auto_routes_disable']);
+ $pconfig['max_ikev1_exchanges'] = !empty($config['ipsec']['max_ikev1_exchanges']) ? $config['ipsec']['max_ikev1_exchanges'] : null;
 if (!empty($config['ipsec']['passthrough_networks'])) {
 $pconfig['passthrough_networks'] = explode(',', $config['ipsec']['passthrough_networks']);
 } else {
@@ -66,6 +67,13 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig['passthrough_networks'] = array();
 }
+ if (!empty($pconfig['max_ikev1_exchanges']) && (
+ (int)$pconfig['max_ikev1_exchanges'] != $pconfig['max_ikev1_exchanges'] ||
+ (int)$pconfig['max_ikev1_exchanges'] < 0
+ )) {
+ $input_errors[] = gettext('Maximum IKEv1 phase 2 exchanges should be a positive integer number.');
+ }
+
 // save form data
 if (count($input_errors) == 0) {
 if (!empty($pconfig['disablevpnrules'])) {
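Review bot: The added assignment in ipsec_configure_do() (hunk `@@ -1142,6 +1142,9 @@`) copies `$config['ipsec']['max_ikev1_exchanges']` into the charon section exactly as stored, so the only integer check on this value is the one on the settings page. A configuration that reaches this function by another route (for example a restored backup) would not have passed that check; casting at the point of use keeps anything but a number out of the generated strongSwan settings: `$strongswanTree['charon']['max_ikev1_exchanges'] = (int)$config['ipsec']['max_ikev1_exchanges'];`. How `$strongswanTree` is serialised is outside this hunk, so whether values are escaped there cannot be confirmed from here.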
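Review bot: The validation added in hunk `@@ -66,6 +67,13 @@` compares with loose `!=`, so it accepts any string PHP considers numerically equal to its int cast: `3.0`, `1e1`, `-0`, digits with surrounding whitespace, and on PHP 7 also digits followed by arbitrary text. The save hunk (`@@ -101,6 +109,12 @@`) then stores the string unchanged and ipsec.inc writes it out as is. `$pconfig` is presumably the posted form data, but its assignment is outside the hunk. Requiring digits only closes the gap: `if (!empty($pconfig['max_ikev1_exchanges']) && !(is_string($pconfig['max_ikev1_exchanges']) && ctype_digit($pconfig['max_ikev1_exchanges']))) {`. The message says "positive" while the test is `< 0`, and a posted `0` is skipped by `!empty()` and treated as unset, which deserves a short comment such as `// "0" is treated as "not set" and removes the option`.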
@@ -101,6 +109,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 unset($config['ipsec']['auto_routes_disable']);
 }
+ if (!empty($pconfig['max_ikev1_exchanges'])) {
+ $config['ipsec']['max_ikev1_exchanges'] = $pconfig['max_ikev1_exchanges'];
+ } elseif (isset($config['ipsec']['max_ikev1_exchanges'])) {
+ unset($config['ipsec']['max_ikev1_exchanges']);
+ }
+
 write_config();
 $savemsg = get_std_save_message();
 filter_configure();
@@ -201,6 +215,18 @@ if (isset($input_errors) && count($input_errors) > 0) {
+