Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    IP Sec transport mode –- phase 2 keeps on retrying

    IPsec
    2
    2
    3265
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      lkpatel last edited by

      Hi all,

      I have connected two linux machine back to back and configured ipsec.
      as per following configuration.

      machine A 10.10.10.11
      machine B 10.10.10.10

      for machine A

      remote 10.10.10.10
      {
             exchange_mode  aggressive,main;
             my_identifier address;
             proposal {
                     encryption_algorithm 3des;
                     hash_algorithm sha1;
                     authentication_method pre_shared_key;
                     dh_group 2 ;
             }
      }

      Racoon IKE daemon configuration file.

      See 'man racoon.conf' for a description of the format and entries.

      path include "/etc/racoon";
      path pre_shared_key "/etc/racoon/psk.txt";
      path certificate "/etc/racoon/certs";

      log debug;

      timer{
      phase1 10 mins;
      phase2 10 mins;
      }

      sainfo anonymous
      {
             pfs_group 2;
             lifetime time 2 hour ;
             encryption_algorithm 3des, blowfish 448, rijndael ;
             authentication_algorithm hmac_sha1, hmac_md5 ;
             compression_algorithm deflate ;
      }
      include "/etc/racoon/10.10.10.10.conf";

      similarly for other machine B.

      remote 10.10.10.11
      {
             exchange_mode  main,aggressive;
             my_identifier address;
             proposal {
                     encryption_algorithm 3des;
                     hash_algorithm sha1;
                     authentication_method pre_shared_key;
                     dh_group 2 ;
             }
      }

      Racoon IKE daemon configuration file.

      See 'man racoon.conf' for a description of the format and entries.

      path include "/etc/racoon";
      path pre_shared_key "/etc/racoon/psk.txt";
      path certificate "/etc/racoon/certs";

      log debug;

      timer {
      phase1 10 mins;
      phase2 10 mins;
      }

      sainfo anonymous
      {
             pfs_group 2;
             lifetime time 2 hour ;
             encryption_algorithm 3des, blowfish 448, rijndael ;
             authentication_algorithm hmac_sha1, hmac_md5 ;
             compression_algorithm deflate ;
      }
      include "/etc/racoon/10.10.10.11.conf";

      after starting ipsec using ifup ipsec0 and pinging

      following logs at machine  A comes in /var/log/message

      Mar 18 16:29:58 aksha09 racoon: INFO: respond new phase 1 negotiation: 10.10.10.11[500]<=>10.10.10.10[500]
      Mar 18 16:29:58 aksha09 racoon: INFO: begin Aggressive mode.
      Mar 18 16:29:58 aksha09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Mar 18 16:29:58 aksha09 racoon: INFO: ISAKMP-SA established 10.10.10.11[500]-10.10.10.10[500] spi:95bd9866f617dd5d:a21cefa72b
      5a842d
      Mar 18 16:29:59 aksha09 racoon: INFO: respond new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=101103277(0x606b6ad)
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=119002403(0x717d523)
      Mar 18 16:30:00 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=52464774(0x3208c86)
      Mar 18 16:30:00 aksha09 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=35481871(0x21d690f)
      Mar 18 16:30:01 aksha09 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.11[0]<=>10.10.10.10[0]

      as you can see it keeps on trying to initiate new phase 2

      similarly for machine B following log comes

      Mar 18 16:29:58 aksha08 racoon: INFO: IPsec-SA request for 10.10.10.11 queued due to no phase1 found.
      Mar 18 16:29:58 aksha08 racoon: INFO: initiate new phase 1 negotiation: 10.10.10.10[500]<=>10.10.10.11[500]
      Mar 18 16:29:58 aksha08 racoon: INFO: begin Aggressive mode.
      Mar 18 16:29:58 aksha08 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Mar 18 16:29:58 aksha08 racoon: INFO: ISAKMP-SA established 10.10.10.10[500]-10.10.10.11[500] spi:95bd9866f617dd5d:a21cefa72b
      5a842d
      Mar 18 16:29:59 aksha08 racoon: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=101103277(0x606b6ad)
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=119002403(0x717d523)
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=223585475(0xd53a4c3)
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=201738335(0xc06485f)
      Mar 18 16:30:00 aksha08 racoon: INFO: respond new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=52464774(0x3208c86)
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=35481871(0x21d690f)
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=225626941(0xd72cb3d)
      Mar 18 16:30:00 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=156503716(0x9540ea4)
      Mar 18 16:30:01 aksha08 racoon: INFO: respond new phase 2 negotiation: 10.10.10.10[0]<=>10.10.10.11[0]
      Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.11->10.10.10.10 spi=6958573(0x6a2ded)
      Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.11->10.10.10.10 spi=263826528(0xfb9ac60)
      Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: AH/Transport 10.10.10.10->10.10.10.11 spi=111998067(0x6acf473)
      Mar 18 16:30:01 aksha08 racoon: INFO: IPsec-SA established: ESP/Transport 10.10.10.10->10.10.10.11 spi=81856870(0x4e10966)

      i checked all config file but could not find any parameter mismatch.

      what could be the possible reasons.

      with best regards

      lalit patel

      1 Reply Last reply Reply Quote 0
      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        This is not a support forum for ipsec-tools and racoon on anything except pfSense, which is running FreeBSD (not a Linux variant). The configuration on pfSense is GUI-based, and the users don't directly edit the configuration file.

        You should try posting to a forum or mailing list that is specific to your needs.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • First post
          Last post

        Products

        • Platform Overview
        • TNSR
        • pfSense
        • Appliances

        Services

        • Training
        • Professional Services

        Support

        • Subscription Plans
        • Contact Support
        • Product Lifecycle
        • Documentation

        News

        • Media Coverage
        • Press
        • Events

        Resources

        • Blog
        • FAQ
        • Find a Partner
        • Resource Library
        • Security Information

        Company

        • About Us
        • Careers
        • Partners
        • Contact Us
        • Legal
        Our Mission

        We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

        Subscribe to our Newsletter

        Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

        © 2021 Rubicon Communications, LLC | Privacy Policy