IPsec transport mode – phase 2 keeps on retrying



  • Hi all,

    I have connected two Linux machines back to back and configured IPsec
    as per the following configuration.

    machine A 10.10.10.11
    machine B 10.10.10.10

    for machine A

    remote 10.10.10.10
    {
           exchange_mode  aggressive,main;
           my_identifier address;
           proposal {
                   encryption_algorithm 3des;
                   hash_algorithm sha1;
                   authentication_method pre_shared_key;
                   dh_group 2 ;
           }
    }

    # Racoon IKE daemon configuration file.

    # See 'man racoon.conf' for a description of the format and entries.

    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";

    log debug;

    timer{
    phase1 10 mins;
    phase2 10 mins;
    }

    sainfo anonymous
    {
           pfs_group 2;
           lifetime time 2 hour ;
           encryption_algorithm 3des, blowfish 448, rijndael ;
           authentication_algorithm hmac_sha1, hmac_md5 ;
           compression_algorithm deflate ;
    }
    include "/etc/racoon/10.10.10.10.conf";

    Similarly for the other machine, B:

    remote 10.10.10.11
    {
           exchange_mode  main,aggressive;
           my_identifier address;
           proposal {
                   encryption_algorithm 3des;
                   hash_algorithm sha1;
                   authentication_method pre_shared_key;
                   dh_group 2 ;
           }
    }

    # Racoon IKE daemon configuration file.

    # See 'man racoon.conf' for a description of the format and entries.

    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";

    log debug;

    timer {
    phase1 10 mins;
    phase2 10 mins;
    }

    sainfo anonymous
    {
           pfs_group 2;
           lifetime time 2 hour ;
           encryption_algorithm 3des, blowfish 448, rijndael ;
           authentication_algorithm hmac_sha1, hmac_md5 ;
           compression_algorithm deflate ;
    }
    include "/etc/racoon/10.10.10.11.conf";

    After starting IPsec using ifup ipsec0 and pinging, the following logs appear at machine A in /var/log/message:

    Mar 18 16:29:58 aksha09 racoon: INFO: respond new phase 1 negotiation: 10.10.10.11[500]<=>10.10.10.10[500]
    Mar 18 16:29:58 aksha09 racoon: INFO: begin Aggressive mode.
    Mar 18 16:29:58 aksha09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Mar 18 16:29:58 aksha09 racoon: INFO: ISAKMP-SA established 10.10.10.11[500]-10.10.10.10[500] spi:95bd9866f617dd5d:a21cefa72b5a842d
    Mar 18 16:29:59 aksha09 racoon: INFO: respond new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=101103277(0x606b6ad)
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=119002403(0x717d523)
    Mar 18 16:30:00 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=52464774(0x3208c86)
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=35481871(0x21d690f)
    Mar 18 16:30:01 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]

    As you can see, it keeps on trying to initiate a new phase 2.

    Similarly, for machine B the following log appears:

    Mar 18 16:29:58 aksha08 racoon: INFO: IPsec-SA request for 10.10.10.11 queued due to no phase1 found.
    Mar 18 16:29:58 aksha08 racoon: INFO: initiate new phase 1 negotiation: 10.10.10.10[500]<=>10.10.10.11[500]
    Mar 18 16:29:58 aksha08 racoon: INFO: begin Aggressive mode.
    Mar 18 16:29:58 aksha08 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Mar 18 16:29:58 aksha08 racoon: INFO: ISAKMP-SA established 10.10.10.10[500]-10.10.10.11[500] spi:95bd9866f617dd5d:a21cefa72b5a842d
    Mar 18 16:29:59 aksha08 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=101103277(0x606b6ad)
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=119002403(0x717d523)
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
    Mar 18 16:30:00 aksha08 racoon: INFO: respond new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=52464774(0x3208c86)
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=35481871(0x21d690f)
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
    Mar 18 16:30:01 aksha08 racoon: INFO: respond new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
    Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=6958573(0x6a2ded)
    Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=263826528(0xfb9ac60)
    Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=111998067(0x6acf473)
    Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=81856870(0x4e10966)

    I checked all the config files but could not find any parameter mismatch.

    What could be the possible reasons?

    with best regards

    lalit patel
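The following is an added example (an editor's addition, not code from the original post, from racoon or from ipsec-tools) that parses racoon syslog lines like the ones quoted above and flags the symptom described: a second AH/ESP SA installed for the same src->dst pair within seconds of the first, although the posted sainfo lifetime is 2 hours, and a host that both responds to and initiates phase 2 for the same peer. The sample log is a constructed copy of the machine A lines (with the wrapped ISAKMP-SA line rejoined); the 60-second churn window is an assumption. Two caveats for anyone reading these logs: the NOTIFY about the pskey is racoon reporting that the lookup in psk.txt by identifier failed and that it then found the key by the peer's address; phase 1 completed right after it, so it is not the fault here. And the posted proposal lets racoon negotiate IKEv1 aggressive mode with a pre-shared key, where the PSK-derived hash is sent before the exchange is encrypted, so anyone who captures the first packets can run an offline dictionary attack on the PSK; main mode does not expose it that way.

```python
"""Flag IKE phase 2 churn in racoon (ipsec-tools) syslog lines. Added example, not from the post."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the machine A lines quoted in the post, wrapped ISAKMP-SA line rejoined.
SAMPLE_LOG = """\
Mar 18 16:29:58 aksha09 racoon: INFO: respond new phase 1 negotiation: 10.10.10.11[500]<=>10.10.10.10[500]
Mar 18 16:29:58 aksha09 racoon: INFO: begin Aggressive mode.
Mar 18 16:29:58 aksha09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 18 16:29:58 aksha09 racoon: INFO: ISAKMP-SA established 10.10.10.11[500]-10.10.10.10[500] spi:95bd9866f617dd5d:a21cefa72b5a842d
Mar 18 16:29:59 aksha09 racoon: INFO: respond new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=101103277(0x606b6ad)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=119002403(0x717d523)
Mar 18 16:30:00 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=52464774(0x3208c86)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=35481871(0x21d690f)
Mar 18 16:30:01 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ racoon: (?P<level>\w+): (?P<msg>.*)$")
PHASE2_RE = re.compile(
    r"(?P<role>initiate|respond) new phase 2 negotiation: [\d.]+\[\d+\]<=>[\d.]+\[\d+\]")
SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>AH|ESP)/(?P<mode>Transport|Tunnel) "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) spi=(?P<spi>\d+)")

def parse_ts(ts):
    """Syslog timestamps carry no year; that is fine for deltas within one capture."""
    mon, day, clock = ts.split()
    return datetime.strptime(f"{mon} {int(day):02d} {clock}", "%b %d %H:%M:%S")

def parse_racoon_log(text):
    """Yield (timestamp, level, message) for each racoon line; other syslog lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield parse_ts(m["ts"]), m["level"], m["msg"]

def analyse(text, lifetime_s=7200, window_s=60):
    """Summarise phase 1/2 events; lifetime_s mirrors the posted 'lifetime time 2 hour', window_s is assumed."""
    report = {
        "phase1_established": 0,
        "aggressive_mode": False,      # IKEv1 aggressive mode: PSK hash sent before encryption is up
        "psk_lookup_fallback": False,  # racoon found the PSK by peer address after an ID lookup failed
        "phase2": {"initiate": 0, "respond": 0},
        "sas": defaultdict(list),      # (proto, mode, src, dst) -> [(ts, spi), ...]
        "churn": [],
    }
    for ts, _level, msg in parse_racoon_log(text):
        if msg.startswith("ISAKMP-SA established"):
            report["phase1_established"] += 1
        elif msg == "begin Aggressive mode.":
            report["aggressive_mode"] = True
        elif "couldn't find the proper pskey" in msg:
            report["psk_lookup_fallback"] = True
        elif (m := PHASE2_RE.search(msg)):
            report["phase2"][m["role"]] += 1
        elif (m := SA_RE.search(msg)):
            key = (m["proto"], m["mode"], m["src"], m["dst"])
            report["sas"][key].append((ts, int(m["spi"])))

    # A healthy SA is replaced about once per lifetime (less the rekey margin).  A second
    # SPI for the same selector inside the window means phase 2 is renegotiated far too early.
    for key, sas in report["sas"].items():
        for (t_prev, spi_prev), (t_new, spi_new) in zip(sas, sas[1:]):
            gap = (t_new - t_prev).total_seconds()
            if gap < min(window_s, lifetime_s):
                report["churn"].append({"sa": key, "gap_s": gap, "spis": (spi_prev, spi_new)})

    # One host both responding to and initiating phase 2 for the same peer: both sides are starting negotiations.
    report["both_roles"] = report["phase2"]["initiate"] > 0 and report["phase2"]["respond"] > 0
    report["sas"] = dict(report["sas"])
    return report

def format_report(report):
    """Two summary lines followed by one line per premature SA replacement."""
    lines = [
        f"phase 1 SAs: {report['phase1_established']}, aggressive mode: {report['aggressive_mode']}, "
        f"PSK found by peer address: {report['psk_lookup_fallback']}",
        f"phase 2: initiated {report['phase2']['initiate']}, responded {report['phase2']['respond']}"
        + (" (both roles on one host)" if report["both_roles"] else ""),
    ]
    for c in report["churn"]:
        proto, mode, src, dst = c["sa"]
        lines.append(f"CHURN {proto}/{mode} {src}->{dst}: spi {c['spis'][0]} replaced by "
                     f"{c['spis'][1]} after {c['gap_s']:.0f}s")
    return lines

if __name__ == "__main__":
    print("\n".join(format_report(analyse(SAMPLE_LOG))))
```

Run as-is to see the report for the posted lines, or feed `analyse()` the racoon lines from /var/log/messages on both hosts and compare. The script only sees what racoon logs; whether the kernel keeps issuing ACQUIREs because the installed SA bundle does not satisfy the policy, or because the two sides' policies differ, has to be confirmed with `setkey -DP` (policies) and `setkey -D` (SAs) on both machines.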


  • Rebel Alliance Developer Netgate

    This is not a support forum for ipsec-tools and racoon on anything except pfSense, which is running FreeBSD (not a Linux variant). The configuration on pfSense is GUI-based, and the users don't directly edit the configuration file.

    You should try posting to a forum or mailing list that is specific to your needs.

