One stubborn IPSEC Tunnel

fastcon68

I have IPSEC tunnel that will not come up.  I am getting the following error message:

Jun 9 22:58:18 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 9 22:58:08 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.

I do not have a SAD or SPD for this connection,

Jun 9 23:01:33 racoon: [TNIC - New Bern Location ]: ERROR: pfkey DELETE received: ESP 208.xx.xx.204[0]->67.xx.xx.16[0] spi=192852376(0xb7eb198)
Jun 9 23:01:33 racoon: INFO: unsupported PF_KEY message REGISTER
Jun 9 23:01:26 racoon: [TNIC - New Bern Location ]: INFO: initiate new phase 2 negotiation: 208.xx.xx.204[500]<=>67.xx.xx.16[500]
Jun 9 23:00:15 racoon: [TNIC - New Bern Location ]: ERROR: 67.76.142.16 give up to get IPsec-SA due to time up to wait.
Jun 9 22:59:45 racoon: [TNIC - New Bern Location ]: INFO: initiate new phase 2 negotiation: 208.x.xx.204[500]<=>67.xx.xx.16[500]
Jun 9 22:59:31 racoon: [TNIC - New Bern Location ]: ERROR: 67.76.142.16 give up to get IPsec-SA due to time up to wait.
Jun 9 22:59:01 racoon: [TNIC - New Bern Location ]: INFO: initiate new phase 2 negotiation: 208.xx.xx.204[500]<=>67.xx.xx.16[500]
Jun 9 22:58:38 racoon: [TNIC - New Bern Location ]: ERROR: 67.xx.xx.16 give up to get IPsec-SA due to time up to wait.
Jun 9 22:58:18 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 9 22:58:08 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 9 22:58:08 racoon: [TNIC - New Bern Location ]: INFO: initiate new phase 2 negotiation: 208.xx.xx.204[500]<=>67.xx.xx.16[500]
Jun 9 22:58:07 racoon: [TNIC - New Bern Location ]: INFO: ISAKMP-SA established 208.xx.xx.204[500]-67.xx.xx.16[500] spi:2378faabb929edd1:948837c0e6833ca3
Jun 9 22:58:07 racoon: INFO: begin Identity Protection mode.
Jun 9 22:58:07 racoon: [TNIC - New Bern Location ]: INFO: initiate new phase 1 negotiation: 208.xx.xx.204[500]<=>67.xx.xxx.16[500]

Any idea my this one connection is not working?
RC

jimp

Looks like they can't agree on a proposal. Are you sure you have the same encryption and hash types set on both ends of the tunnel?

Double check everything in the Phase 2 section on both sides.

fastcon68

It was working but it just quit working.  I was doing some work on the firewall when it quit.  Do you think that just recreating it would solve the problem.
RC

jimp

If a tunnel just quits, it is likely that it lost contact with the other side. Usually going to Status > Services and restarting racoon is enough to make it start again.

If that fixes it, it may be related to an issue we've been trying to solve in the 1.2.3-RC snapshots with Dead Peer Detection.

fastcon68

that's most likely it.  When he restarts his firewall it will come up but then drops  few days later.  I hope you all will figure it out soon.
RC