Racoon: ERROR: not acceptable Identity Protection mode

  • Hi.

    I'm trying an simple site-2-site Ipsec-PSK setup. On both sites i am running pfsense 1.2.3rc1.
    The initiating site has a dynamic ip and the other site has an static ip.
    I followed many tutorials, but i dont get it running.
    On the server site phase 1 always brings up following error:
    racoon: ERROR: not acceptable Identity Protection mode
    I already tried different identifiers and algs. The search results didn't helped me.

    Has anyone a hint for me? Where can i find the racoon config file?



  • You have a config mismatch of some sort, sounds like aggressive on one end and main on the other.

  • Hi cmb.

    This is the first thing i thougt, when I saw the message, but I checked both sites and changed it from aggressive to main for test.
    Perhaps i did something else wrong. I'll describe I am doing .

    On the static site:
    1. VPN - Ipsec - Tunnels - Enable Ipsec - save
    2. VPN - Ipsec - Mobile Clients

    • Allow mobile clients
      -> Phase 1
    • Negotiation mode: aggressive
    • My identifier: MyIP
    • Blowfish/SHA/DH2/DPD120/Lifetime:3600/PSK
      -> Phase 2
    • ESP/Blowfish/SHA/DH2/DPD120/Lifetime:3600/PSK
      3. VPN - Ipsec - pre-shared Keys
    • Identifier: remote@remote.loc
    • Pre-shared key: veryverysecure

    On the dynamic site:
    1. VPN - Ipsec - Tunnels

    • Enable Ipsec - save
      -> Add tunnel
    • Interface: WAN
    • Local subnet: LAN subnet
    • Remote subnet: [IP of remote LAN subnet] with mask
    • Remote Gateway: [public IP of static site]
      Phase 1
    • Negotiation mode: aggressive
    • My identifier: User FQDN -> remote@remote.loc
    • Blowfish/SHA/DH2/Lifetime:3600
    • Authentication method: Pre-shared Key
      Phase 2:
    • ESP/Blowfish/SHA/DH2/Lifetime:3600

    This is all. I know I have to setup a ruleset when SA is established.
    But this is not yet.



  • Hi.

    I was able to establish SA. the pfsensedocs tutorial is not working for me.
    This one: http://www.pfsense.org/mirror.php?section=tutorials/mobile_ipsec/
    I did a static2static setup with an additional tunnel on the static site and a psk record on the dynamic site (identifier == pubIP of static site). I hope I dont get problems with the dyndns adress of the dynamic site.
    Has anyone a dynamic2static ipsec setup running?
    I always want the dynamic site to initiate the SA to the static site.


Log in to reply