IPsec transport mode - phase 2 keeps on retrying
-
Hi all,
I have connected two Linux machines back to back and configured IPsec
as per the following configuration.

machine A 10.10.10.11
machine B 10.10.10.10

For machine A:

# remote block, included from racoon.conf below as /etc/racoon/10.10.10.10.conf
remote 10.10.10.10
{
    exchange_mode aggressive,main;
    my_identifier address;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

log debug;

timer {
    phase1 10 mins;
    phase2 10 mins;
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 2 hour;
    encryption_algorithm 3des, blowfish 448, rijndael;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

include "/etc/racoon/10.10.10.10.conf";

Similarly for the other machine, B:

# remote block, included from racoon.conf below as /etc/racoon/10.10.10.11.conf
remote 10.10.10.11
{
    exchange_mode main,aggressive;
    my_identifier address;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

log debug;

timer {
    phase1 10 mins;
    phase2 10 mins;
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 2 hour;
    encryption_algorithm 3des, blowfish 448, rijndael;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

include "/etc/racoon/10.10.10.11.conf";

After starting IPsec using ifup ipsec0 and pinging, the following logs
appear at machine A in /var/log/messages:
Mar 18 16:29:58 aksha09 racoon: INFO: respond new phase 1 negotiation: 10.10.10.11[500]<=>10.10.10.10[500]
Mar 18 16:29:58 aksha09 racoon: INFO: begin Aggressive mode.
Mar 18 16:29:58 aksha09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 18 16:29:58 aksha09 racoon: INFO: ISAKMP-SA established 10.10.10.11[500]-10.10.10.10[500] spi:95bd9866f617dd5d:a21cefa72b5a842d
Mar 18 16:29:59 aksha09 racoon: INFO: respond new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=101103277(0x606b6ad)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=119002403(0x717d523)
Mar 18 16:30:00 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=52464774(0x3208c86)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=35481871(0x21d690f)
Mar 18 16:30:01 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]

As you can see, it keeps on trying to initiate a new phase 2.

Similarly for machine B, the following log appears:
Mar 18 16:29:58 aksha08 racoon: INFO: IPsec-SA request for 10.10.10.11 queued due to no phase1 found.
Mar 18 16:29:58 aksha08 racoon: INFO: initiate new phase 1 negotiation: 10.10.10.10[500]<=>10.10.10.11[500]
Mar 18 16:29:58 aksha08 racoon: INFO: begin Aggressive mode.
Mar 18 16:29:58 aksha08 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 18 16:29:58 aksha08 racoon: INFO: ISAKMP-SA established 10.10.10.10[500]-10.10.10.11[500] spi:95bd9866f617dd5d:a21cefa72b5a842d
Mar 18 16:29:59 aksha08 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=101103277(0x606b6ad)
Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=119002403(0x717d523)
Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
Mar 18 16:30:00 aksha08 racoon: INFO: respond new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=52464774(0x3208c86)
Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=35481871(0x21d690f)
Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
Mar 18 16:30:01 aksha08 racoon: INFO: respond new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=6958573(0x6a2ded)
Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=263826528(0xfb9ac60)
Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=111998067(0x6acf473)
Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=81856870(0x4e10966)

I checked all the config files but could not find any parameter mismatch.
What could be the possible reasons?

With best regards,
Lalit Patel
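The script below is an added example for this thread, not code from the original post or from ipsec-tools. It parses the machine A log quoted above and reports, per host, who started each phase 2 negotiation and how many IPsec SAs were established per direction, which is the quickest way to tell a re-key from two peers each negotiating their own child SAs for the same traffic. The function names (parse_racoon_log, summarize, findings) and the output wording are my own; the sample input is the post's own log with the wrapped spi line re-joined.

```python
"""Summarise racoon IKE activity from syslog lines (added example, not from the post)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: the machine A lines quoted in the post, wrapped spi
# line re-joined. Feed it `grep racoon /var/log/messages` on a real system.
SAMPLE_LOG = """\
Mar 18 16:29:58 aksha09 racoon: INFO: respond new phase 1 negotiation: 10.10.10.11[500]<=>10.10.10.10[500]
Mar 18 16:29:58 aksha09 racoon: INFO: begin Aggressive mode.
Mar 18 16:29:58 aksha09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 18 16:29:58 aksha09 racoon: INFO: ISAKMP-SA established 10.10.10.11[500]-10.10.10.10[500] spi:95bd9866f617dd5d:a21cefa72b5a842d
Mar 18 16:29:59 aksha09 racoon: INFO: respond new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=101103277(0x606b6ad)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=119002403(0x717d523)
Mar 18 16:30:00 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=52464774(0x3208c86)
Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=35481871(0x21d690f)
Mar 18 16:30:01 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
                     r"(?P<level>[A-Z]+): (?P<msg>.*)$")
PHASE_RE = re.compile(r"^(?P<role>respond|initiate) new phase (?P<phase>[12]) negotiation: "
                      r"(?P<local>[\d.]+)\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]")
SA_RE = re.compile(r"^IPsec-SA established: (?P<proto>AH|ESP)/(?P<mode>Transport|Tunnel) "
                   r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) spi=(?P<spi>\d+)\(0x[0-9a-f]+\)")
PSK_FALLBACK = "couldn't find the proper pskey"   # racoon NOTIFY prefix seen in the post
AGGRESSIVE = "begin Aggressive mode."


def parse_racoon_log(text):
    """Return one event dict per interesting racoon line; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # syslog stamps carry no year; 1900 is fine since only differences are used
        base = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "host": m["host"]}
        msg = m["msg"]
        pm, sm = PHASE_RE.match(msg), SA_RE.match(msg)
        if pm:
            events.append({**base, "kind": "phase", "phase": int(pm["phase"]),
                           "role": pm["role"], "local": pm["local"], "peer": pm["peer"]})
        elif sm:
            events.append({**base, "kind": "ipsec_sa", "proto": sm["proto"], "mode": sm["mode"],
                           "src": sm["src"], "dst": sm["dst"], "spi": int(sm["spi"])})
        elif msg.startswith(PSK_FALLBACK):
            events.append({**base, "kind": "psk_fallback"})
        elif msg == AGGRESSIVE:
            events.append({**base, "kind": "aggressive"})
    return events


def summarize(events):
    """Phase 2 role counts, SPIs per (proto, src, dst) direction, and notable notices."""
    phase2 = Counter(e["role"] for e in events if e["kind"] == "phase" and e["phase"] == 2)
    sas = defaultdict(list)
    for e in events:
        if e["kind"] == "ipsec_sa":
            sas[(e["proto"], e["src"], e["dst"])].append(e["spi"])
    return {
        "host": events[0]["host"] if events else None,
        "window_seconds": (events[-1]["ts"] - events[0]["ts"]).total_seconds() if events else 0.0,
        "phase2": dict(phase2),
        "ipsec_sas": dict(sas),
        "psk_address_fallback": sum(e["kind"] == "psk_fallback" for e in events),
        "aggressive_mode": sum(e["kind"] == "aggressive" for e in events),
    }


def findings(summary):
    """Plain-language observations a practitioner would draw from the summary."""
    out, p2, w = [], summary["phase2"], summary["window_seconds"]
    if p2.get("initiate") and p2.get("respond"):
        out.append(f"{summary['host']} both initiated ({p2['initiate']}x) and responded "
                   f"({p2['respond']}x) to phase 2 within {w:.0f}s: both peers are setting up "
                   f"their own child SAs for the same traffic instead of sharing one pair")
    for (proto, src, dst), spis in sorted(summary["ipsec_sas"].items()):
        if len(spis) > 1:   # more than one live SA per direction in a few seconds
            out.append(f"SA churn: {len(spis)} {proto} SAs for {src}->{dst} within {w:.0f}s "
                       f"(spi {', '.join(hex(s) for s in spis)})")
    if summary["psk_address_fallback"]:
        out.append("PSK was not found under the peer's IKE identifier; racoon fell back to a "
                   "lookup by peer address (check psk.txt entries against my_identifier)")
    if summary["aggressive_mode"]:
        out.append("phase 1 used aggressive mode: with pre_shared_key authentication the identity "
                   "and PSK-derived hash cross the wire before encryption starts, so a captured "
                   "exchange allows offline guessing of the PSK; main mode avoids this")
    return out


if __name__ == "__main__":
    for line in findings(summarize(parse_racoon_log(SAMPLE_LOG))):
        print("-", line)
```

Run on the machine A log it reports that aksha09 both responded to and initiated phase 2 within three seconds and that every direction ended up with two AH and two ESP SAs, which is what the duplicate "IPsec-SA established" lines in the post show; run it on machine B's log for the mirror image. The two extra notices are independent of the retry problem but worth acting on in any racoon deployment: the NOTIFY line means the PSK was matched by address rather than by identifier, and aggressive mode with a pre-shared key exposes the PSK to offline guessing by anyone who can capture the exchange.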
-
This is not a support forum for ipsec-tools and racoon on anything except pfSense, which is running FreeBSD (not a Linux variant). The configuration on pfSense is GUI-based, and the users don't directly edit the configuration file.
You should try posting to a forum or mailing list that is specific to your needs.