Racoon: ERROR: couldn't find configuration?
-
I've got a pfsense box that was working well for quite some time, several months at least. I came in this morning and the tunnel was down and no amount of restarting racoon, rebooting, recreating tunnels seems to work. I changed no settings and I'm the only one with access (in theory). Both boxes are release 1.2.3. Site A has other static site to site tunnels that are fine. Site B has two site to site and both are down. These are what I think are the pertinent logs from each side. When I run:
racoon -F -d -v -f /var/etc/racoon.conf
I get basically the same stuff with a lot of extra code stuff.
Any help would be appreciated. In the mean time I'll probably try setting up OpenVPN site to site as I already have Site A road warrior setup.
Site A
Aug 9 16:00:51 racoon: INFO: begin Aggressive mode.
Aug 9 16:00:51 racoon: [Site B VPN]: INFO: initiate new phase 1 negotiation: 24.111.xxx.xxx[500]<=>208.107.xxx.xxx[500]
Aug 9 16:00:51 racoon: [Site B VPN]: INFO: IPsec-SA request for 208.107.xxx.xxx queued due to no phase1 found.
Aug 9 16:00:51 racoon: ERROR: phase1 negotiation failed.
Aug 9 16:00:51 racoon: ERROR: failed to pre-process packet.
Aug 9 16:00:51 racoon: ERROR: failed to get valid proposal.
Aug 9 16:00:51 racoon: ERROR: no suitable proposal found.
Aug 9 16:00:51 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#32) = SHA:MD5
Aug 9 16:00:51 racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#32) = pre-shared key:RSA signatures
Aug 9 16:00:51 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#32) = Blowfish-CBC:AES-CBC
Site B Suspect side
Aug 9 15:51:13 racoon: [Site A IPsec VPN]: INFO: initiate new phase 1 negotiation: 208.107.xxx.xxx[500]<=>24.111.xxx.xxx[500]
Aug 9 15:51:13 racoon: [Site A IPsec VPN]: INFO: IPsec-SA request for 24.111.xxx.xxx queued due to no phase1 found.
Aug 9 15:51:03 racoon: ERROR: couldn't find configuration.
Aug 9 15:51:01 racoon: ERROR: failed to begin ipsec sa negotication.
Aug 9 15:51:01 racoon: ERROR: phase1 negotiation failed due to send error. 3bd8aca44d210afb:0000000000000000
Aug 9 15:51:01 racoon: ERROR: sendfromto failed
Aug 9 15:51:01 racoon: INFO: begin Aggressive mode.
Oh yeah…
The web interface is accessible from the LAN. Internet functions normally as does NAT.
-
The log messages you're showing say you have some mismatched settings between the two connections, and appear severe enough that it never would have worked the way it's currently configured. Since you re-created the connections, I'm guessing something is different now than it used to be. As to what triggered the initial issue, that's hard to say since you've probably lost all logs since then.
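A small log-triage helper, added here as an example (it is not from the thread or from pfSense), that pulls the per-attribute differences out of the "rejected ..." lines in the Site A log above. It assumes racoon's DB:Peer ordering, where DB is the proposal built from the local racoon.conf and Peer is the transform the remote side offered.

```python
import re
from dataclasses import dataclass

# racoon logs one line per attribute that differs between the local phase 1
# proposal ("DB", built from racoon.conf) and the transform the peer offered
# ("Peer"); the values after '=' are printed local:peer.
REJECT_RE = re.compile(
    r"rejected (?P<attr>\w+): "
    r"DB\(prop#(?P<db_prop>\d+):trns#(?P<db_trns>\d+)\):"
    r"Peer\(prop#(?P<peer_prop>\d+):trns#(?P<peer_trns>\d+)\) = "
    r"(?P<local>[^:]+):(?P<peer>.+?)\s*$"
)

@dataclass(frozen=True)
class Mismatch:
    attribute: str   # hashtype, authmethod, enctype, dhgroup, ...
    local: str       # what this side's racoon.conf proposal offers
    peer: str        # what the remote side proposed

def parse_mismatches(log_text: str) -> list[Mismatch]:
    """Extract every phase 1 'rejected <attr>' line, in log order."""
    found = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            found.append(Mismatch(m["attr"], m["local"].strip(), m["peer"].strip()))
    return found

def phase1_report(log_text: str) -> list[str]:
    """One readable line per differing attribute. An empty result means the
    log shows no proposal mismatch, so phase 1 is failing for another reason
    (for example the 'couldn't find configuration' error on the other peer)."""
    return [f"{m.attribute}: local={m.local!r} peer={m.peer!r}"
            for m in parse_mismatches(log_text)]

# Constructed sample: the rejection lines from Site A's log in the thread.
SAMPLE_LOG = """\
Aug 9 16:00:51 racoon: ERROR: no suitable proposal found.
Aug 9 16:00:51 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#32) = SHA:MD5
Aug 9 16:00:51 racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#32) = pre-shared key:RSA signatures
Aug 9 16:00:51 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#32) = Blowfish-CBC:AES-CBC
"""

if __name__ == "__main__":
    for line in phase1_report(SAMPLE_LOG):
        print(line)
```

Run it against the racoon log from either side; each reported attribute is a setting to compare in the two phase 1 proposals.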
-
Ok, here are my /var/etc/racoon.conf files. I deleted the other tunnels that each site has. Site A has other tunnels that work. Site B has one other tunnel that doesn't work. Am I crazy? This doesn't seem to be terribly complicated (pfsense does make it easy!). I do have firewall rules set up in the IPsec tab under firewall rules. Like I said, this was all working fine last week. I'd appreciate any help. Thanks for the reply cmb.
Site A:
listen {
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
}
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote 208.107.xxx.xxx {
    exchange_mode aggressive;
    my_identifier address "24.111.yyy.yyy";
    peers_identifier address 208.107.xxx.xxx;
    initial_contact on;
    dpd_delay 60;
    ike_frag on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 86400 secs;
    }
    lifetime time 86400 secs;
}
sainfo address 192.168.225.0/24 any address 192.168.227.0/24 any {
    encryption_algorithm blowfish;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 secs;
}
Site B:
listen {
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
}
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote 24.111.yyy.yyy {
    exchange_mode aggressive;
    my_identifier address "208.107.xxx.xxx";
    peers_identifier address 24.111.yyy.yyy;
    initial_contact on;
    dpd_delay 60;
    ike_frag on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 86400 secs;
    }
    lifetime time 86400 secs;
}
sainfo address 192.168.227.0/24 any address 192.168.225.0/24 any {
    encryption_algorithm blowfish;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 secs;
}
-
I have abandoned IPsec for OpenVPN. It took a little bit to migrate, but not much. I found a hardware issue that may have been the cause of these errors. I'm using donated gear (this is for a non-profit organization) so the hardware is old and questionable. I think I had a bad NIC and/or a PCI slot died.
-
When I get issues with IPSec where nothing will bring the tunnel back up, I change the PSK and it works again; I have to do this every 2-3 months. I too am migrating to OpenVPN.