Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Racoon: ERROR: not acceptable Identity Protection mode

    IPsec
    2
    4
    11.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      stewie
      last edited by

      Hi.

      I'm trying an simple site-2-site Ipsec-PSK setup. On both sites i am running pfsense 1.2.3rc1.
      The initiating site has a dynamic ip and the other site has an static ip.
      I followed many tutorials, but i dont get it running.
      On the server site phase 1 always brings up following error:
      racoon: ERROR: not acceptable Identity Protection mode
      I already tried different identifiers and algs. The search results didn't helped me.

      Has anyone a hint for me? Where can i find the racoon config file?

      cheers

      stewie

      1 Reply Last reply Reply Quote 0
      • C
        cmb
        last edited by

        You have a config mismatch of some sort, sounds like aggressive on one end and main on the other.

        1 Reply Last reply Reply Quote 0
        • S
          stewie
          last edited by

          Hi cmb.

          This is the first thing i thougt, when I saw the message, but I checked both sites and changed it from aggressive to main for test.
          Perhaps i did something else wrong. I'll describe I am doing .

          On the static site:
          1. VPN - Ipsec - Tunnels - Enable Ipsec - save
          2. VPN - Ipsec - Mobile Clients

          • Allow mobile clients
            -> Phase 1
          • Negotiation mode: aggressive
          • My identifier: MyIP
          • Blowfish/SHA/DH2/DPD120/Lifetime:3600/PSK
            -> Phase 2
          • ESP/Blowfish/SHA/DH2/DPD120/Lifetime:3600/PSK
            3. VPN - Ipsec - pre-shared Keys
          • Identifier: remote@remote.loc
          • Pre-shared key: veryverysecure

          On the dynamic site:
          1. VPN - Ipsec - Tunnels

          • Enable Ipsec - save
            -> Add tunnel
          • Interface: WAN
          • Local subnet: LAN subnet
          • Remote subnet: [IP of remote LAN subnet] with mask
          • Remote Gateway: [public IP of static site]
            Phase 1
          • Negotiation mode: aggressive
          • My identifier: User FQDN -> remote@remote.loc
          • Blowfish/SHA/DH2/Lifetime:3600
          • Authentication method: Pre-shared Key
            Phase 2:
          • ESP/Blowfish/SHA/DH2/Lifetime:3600

          This is all. I know I have to setup a ruleset when SA is established.
          But this is not yet.

          rgds

          Stewie

          1 Reply Last reply Reply Quote 0
          • S
            stewie
            last edited by

            Hi.

            I was able to establish SA. the pfsensedocs tutorial is not working for me.
            This one: http://www.pfsense.org/mirror.php?section=tutorials/mobile_ipsec/
            I did a static2static setup with an additional tunnel on the static site and a psk record on the dynamic site (identifier == pubIP of static site). I hope I dont get problems with the dyndns adress of the dynamic site.
            Has anyone a dynamic2static ipsec setup running?
            I always want the dynamic site to initiate the SA to the static site.

            Cheers

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.