4. IP Sec transport mode –- phase 2 keeps on retrying

IP Sec transport mode –- phase 2 keeps on retrying

  • L

    Hi all,

    I have connected two linux machine back to back and configured ipsec.
    as per following configuration.

    machine A 10.10.10.11
    machine B 10.10.10.10

    for machine A

    remote 10.10.10.10
    {
           exchange_mode  aggressive,main;
           my_identifier address;
           proposal {
                   encryption_algorithm 3des;
                   hash_algorithm sha1;
                   authentication_method pre_shared_key;
                   dh_group 2 ;
           }
    }

    Racoon IKE daemon configuration file.

    See 'man racoon.conf' for a description of the format and entries.

    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";

    log debug;

    timer{
    phase1 10 mins;
    phase2 10 mins;
    }

    sainfo anonymous
    {
           pfs_group 2;
           lifetime time 2 hour ;
           encryption_algorithm 3des, blowfish 448, rijndael ;
           authentication_algorithm hmac_sha1, hmac_md5 ;
           compression_algorithm deflate ;
    }
    include "/etc/racoon/10.10.10.10.conf";

    similarly for other machine B.

    remote 10.10.10.11
    {
           exchange_mode  main,aggressive;
           my_identifier address;
           proposal {
                   encryption_algorithm 3des;
                   hash_algorithm sha1;
                   authentication_method pre_shared_key;
                   dh_group 2 ;
           }
    }

    Racoon IKE daemon configuration file.

    See 'man racoon.conf' for a description of the format and entries.

    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";

    log debug;

    timer {
    phase1 10 mins;
    phase2 10 mins;
    }

    sainfo anonymous
    {
           pfs_group 2;
           lifetime time 2 hour ;
           encryption_algorithm 3des, blowfish 448, rijndael ;
           authentication_algorithm hmac_sha1, hmac_md5 ;
           compression_algorithm deflate ;
    }
    include "/etc/racoon/10.10.10.11.conf";

    after starting ipsec using ifup ipsec0 and pinging

    following logs at machine  A comes in /var/log/message

    Mar 18 16:29:58 aksha09 racoon: INFO: respond new phase 1 negotiation: 10.10.10.11[500]<=>10.10.10.10[500]
    Mar 18 16:29:58 aksha09 racoon: INFO: begin Aggressive mode.
    Mar 18 16:29:58 aksha09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Mar 18 16:29:58 aksha09 racoon: INFO: ISAKMP-SA established 10.10.10.11[500]-10.10.10.10[500] spi:95bd9866f617dd5d:a21cefa72b
    5a842d
    Mar 18 16:29:59 aksha09 racoon: INFO: respond new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=101103277(0x606b6ad)
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=119002403(0x717d523)
    Mar 18 16:30:00 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=52464774(0x3208c86)
    Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=35481871(0x21d690f)
    Mar 18 16:30:01 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]

    as you can see it keeps on trying to initiate new phase 2

    similarly for machine B following log comes

    Mar 18 16:29:58 aksha08 racoon: INFO: IPsec-SA request for 10.10.10.11 queued due to no phase1 found.
    Mar 18 16:29:58 aksha08 racoon: INFO: initiate new phase 1 negotiation: 10.10.10.10[500]<=>10.10.10.11[500]
    Mar 18 16:29:58 aksha08 racoon: INFO: begin Aggressive mode.
    Mar 18 16:29:58 aksha08 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Mar 18 16:29:58 aksha08 racoon: INFO: ISAKMP-SA established 10.10.10.10[500]-10.10.10.11[500] spi:95bd9866f617dd5d:a21cefa72b
    5a842d
    Mar 18 16:29:59 aksha08 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=101103277(0x606b6ad)
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=119002403(0x717d523)
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
    Mar 18 16:30:00 aksha08 racoon: INFO: respond new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=52464774(0x3208c86)
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=35481871(0x21d690f)
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
    Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
    Mar 18 16:30:01 aksha08 racoon: INFO: respond new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
    Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=6958573(0x6a2ded)
    Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=263826528(0xfb9ac60)
    Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=111998067(0x6acf473)
    Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=81856870(0x4e10966)

    i checked all config file but could not find any parameter mismatch.

    what could be the possible reasons.

    with best regards

    lalit patel

    0
  • Rebel Alliance Developer Netgate

    This is not a support forum for ipsec-tools and racoon on anything except pfSense, which is running FreeBSD (not a Linux variant). The configuration on pfSense is GUI-based, and the users don't directly edit the configuration file.

    You should try posting to a forum or mailing list that is specific to your needs.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy