Netgate Discussion Forum

    IPsec transport mode - phase 2 keeps on retrying

    lkpatel

      Hi all,

      I have connected two Linux machines back to back and configured IPsec
      as per the following configuration.

      machine A 10.10.10.11
      machine B 10.10.10.10

      For machine A:

      remote 10.10.10.10
      {
             exchange_mode  aggressive,main;
             my_identifier address;
             proposal {
                     encryption_algorithm 3des;
                     hash_algorithm sha1;
                     authentication_method pre_shared_key;
                     dh_group 2 ;
             }
      }

      # Racoon IKE daemon configuration file.

      # See 'man racoon.conf' for a description of the format and entries.

      path include "/etc/racoon";
      path pre_shared_key "/etc/racoon/psk.txt";
      path certificate "/etc/racoon/certs";

      log debug;

      timer{
      phase1 10 mins;
      phase2 10 mins;
      }

      sainfo anonymous
      {
             pfs_group 2;
             lifetime time 2 hour ;
             encryption_algorithm 3des, blowfish 448, rijndael ;
             authentication_algorithm hmac_sha1, hmac_md5 ;
             compression_algorithm deflate ;
      }
      include "/etc/racoon/10.10.10.10.conf";

      Similarly for the other machine, B:

      remote 10.10.10.11
      {
             exchange_mode  main,aggressive;
             my_identifier address;
             proposal {
                     encryption_algorithm 3des;
                     hash_algorithm sha1;
                     authentication_method pre_shared_key;
                     dh_group 2 ;
             }
      }

      # Racoon IKE daemon configuration file.

      # See 'man racoon.conf' for a description of the format and entries.

      path include "/etc/racoon";
      path pre_shared_key "/etc/racoon/psk.txt";
      path certificate "/etc/racoon/certs";

      log debug;

      timer {
      phase1 10 mins;
      phase2 10 mins;
      }

      sainfo anonymous
      {
             pfs_group 2;
             lifetime time 2 hour ;
             encryption_algorithm 3des, blowfish 448, rijndael ;
             authentication_algorithm hmac_sha1, hmac_md5 ;
             compression_algorithm deflate ;
      }
      include "/etc/racoon/10.10.10.11.conf";

      After starting IPsec using ifup ipsec0 and pinging,

      the following logs at machine A appear in /var/log/message:

      Mar 18 16:29:58 aksha09 racoon: INFO: respond new phase 1 negotiation: 10.10.10.11[500]<=>10.10.10.10[500]
      Mar 18 16:29:58 aksha09 racoon: INFO: begin Aggressive mode.
      Mar 18 16:29:58 aksha09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Mar 18 16:29:58 aksha09 racoon: INFO: ISAKMP-SA established 10.10.10.11[500]-10.10.10.10[500] spi:95bd9866f617dd5d:a21cefa72b5a842d
      Mar 18 16:29:59 aksha09 racoon: INFO: respond new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=101103277(0x606b6ad)
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=119002403(0x717d523)
      Mar 18 16:30:00 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=52464774(0x3208c86)
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=35481871(0x21d690f)
      Mar 18 16:30:01 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]

      As you can see, it keeps on trying to initiate a new phase 2.

      Similarly for machine B, the following log appears:

      Mar 18 16:29:58 aksha08 racoon: INFO: IPsec-SA request for 10.10.10.11 queued due to no phase1 found.
      Mar 18 16:29:58 aksha08 racoon: INFO: initiate new phase 1 negotiation: 10.10.10.10[500]<=>10.10.10.11[500]
      Mar 18 16:29:58 aksha08 racoon: INFO: begin Aggressive mode.
      Mar 18 16:29:58 aksha08 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Mar 18 16:29:58 aksha08 racoon: INFO: ISAKMP-SA established 10.10.10.10[500]-10.10.10.11[500] spi:95bd9866f617dd5d:a21cefa72b5a842d
      Mar 18 16:29:59 aksha08 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=101103277(0x606b6ad)
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=119002403(0x717d523)
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
      Mar 18 16:30:00 aksha08 racoon: INFO: respond new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=52464774(0x3208c86)
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=35481871(0x21d690f)
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
      Mar 18 16:30:01 aksha08 racoon: INFO: respond new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
      Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=6958573(0x6a2ded)
      Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=263826528(0xfb9ac60)
      Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=111998067(0x6acf473)
      Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=81856870(0x4e10966)

      I checked all config files but could not find any parameter mismatch.

      What could be the possible reasons?

      With best regards,

      lalit patel

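      Added example (not from the poster or from ipsec-tools): a small parser for the racoon syslog lines above that counts phase 2 negotiations per peer pair and flags child-SA churn, i.e. a fresh SPI for the same AH/ESP flow appearing far sooner than the configured `lifetime time 2 hour`. The sample log is a constructed subset of the lines quoted in the post; a practitioner can point it at the full /var/log file to quantify how often the SAs are being replaced.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few of the racoon syslog lines quoted in the post above.
SAMPLE_LOG = """\
Mar 18 16:29:59 aksha09 racoon: INFO: respond new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
Mar 18 16:30:00 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
Mar 18 16:30:01 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
"""

TS_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d) ")
PHASE2_RE = re.compile(r"(initiate|respond) new phase 2 negotiation: ([\d.]+)\[\d+\]<=>([\d.]+)\[\d+\]")
SA_RE = re.compile(r"IPsec-SA established: (AH|ESP)/(\w+) ([\d.]+)->([\d.]+) spi=(\d+)")


def _seconds(line):
    """Seconds since midnight from the syslog timestamp (date part ignored)."""
    m = TS_RE.match(line)
    return int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))


def analyze_racoon_log(text, expected_lifetime=7200):
    """Return phase 2 negotiation counts per (role, local, peer) and a churn
    report: flows whose SA was replaced by a new SPI sooner than
    expected_lifetime seconds (7200 s matches the posted 'lifetime time 2 hour')."""
    phase2 = Counter()
    sas = defaultdict(list)  # (proto, mode, src, dst) -> [(seconds, spi), ...]
    for line in text.splitlines():
        if m := PHASE2_RE.search(line):
            phase2[(m.group(1), m.group(2), m.group(3))] += 1
        elif m := SA_RE.search(line):
            flow = (m.group(1), m.group(2), m.group(3), m.group(4))
            sas[flow].append((_seconds(line), int(m.group(5))))
    churn = {}
    for flow, events in sas.items():
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        early = [g for g in gaps if g < expected_lifetime]
        if early:  # at least one SA was renegotiated well before its lifetime
            churn[flow] = {"sas": len(events), "min_gap_s": min(early)}
    return {"phase2": dict(phase2), "churn": churn}
```

      On the sample, both the AH and ESP transport flows are flagged with a zero-second gap between successive SPIs, which is the churn the poster describes rather than a scheduled rekey.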
      jimp (Rebel Alliance Developer, Netgate)

        This is not a support forum for ipsec-tools and racoon on anything except pfSense, which is running FreeBSD (not a Linux variant). The configuration on pfSense is GUI-based, and the users don't directly edit the configuration file.

        You should try posting to a forum or mailing list that is specific to your needs.
