Netgate Discussion Forum

    Racoon: ERROR: couldn't find configuration?

    IPsec
    5 Posts 3 Posters 12.5k Views
      DaninND

      I've got a pfsense box that was working well for quite some time, several months at least. I came in this morning and the tunnel was down, and no amount of restarting racoon, rebooting, or recreating tunnels seems to work. I changed no settings and I'm the only one with access (in theory). Both boxes are release 1.2.3. Site A has other static site-to-site tunnels that are fine. Site B has two site-to-site tunnels and both are down. These are what I think are the pertinent logs from each side. When I run:
      racoon -F -d -v -f /var/etc/racoon.conf
      I get basically the same stuff with a lot of extra code stuff.
      Any help would be appreciated. In the meantime I'll probably try setting up OpenVPN site-to-site, as I already have Site A road warrior set up.

      Site A
      Aug 9 16:00:51 racoon: INFO: begin Aggressive mode.
      Aug 9 16:00:51 racoon: [Site B VPN]: INFO: initiate new phase 1 negotiation: 24.111.xxx.xxx[500]<=>208.107.xxx.xxx[500]
      Aug 9 16:00:51 racoon: [Site B VPN]: INFO: IPsec-SA request for 208.107.xxx.xxx queued due to no phase1 found.
      Aug 9 16:00:51 racoon: ERROR: phase1 negotiation failed.
      Aug 9 16:00:51 racoon: ERROR: failed to pre-process packet.
      Aug 9 16:00:51 racoon: ERROR: failed to get valid proposal.
      Aug 9 16:00:51 racoon: ERROR: no suitable proposal found.
      Aug 9 16:00:51 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#32) = SHA:MD5
      Aug 9 16:00:51 racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#32) = pre-shared key:RSA signatures
      Aug 9 16:00:51 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#32) = Blowfish-CBC:AES-CBC

      Site B (suspect side)
      Aug 9 15:51:13 racoon: [Site A IPsec VPN]: INFO: initiate new phase 1 negotiation: 208.107.xxx.xxx[500]<=>24.111.xxx.xxx[500]
      Aug 9 15:51:13 racoon: [Site A IPsec VPN]: INFO: IPsec-SA request for 24.111.xxx.xxx queued due to no phase1 found.
      Aug 9 15:51:03 racoon: ERROR: couldn't find configuration.
      Aug 9 15:51:01 racoon: ERROR: failed to begin ipsec sa negotication.
      Aug 9 15:51:01 racoon: ERROR: phase1 negotiation failed due to send error. 3bd8aca44d210afb:0000000000000000
      Aug 9 15:51:01 racoon: ERROR: sendfromto failed
      Aug 9 15:51:01 racoon: INFO: begin Aggressive mode.

      Oh yeah…
      The web interface is accessible from the LAN. Internet functions normally as does NAT.

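      As an added example (not part of the thread, not pfSense or racoon code): a small Python triage script that turns the "rejected ..." lines Site A logged into a local-versus-peer table and flags the two other error classes seen above, the phase 1 failure and "couldn't find configuration". The sample log is constructed from the lines quoted in the post.

```python
import re

# Constructed sample in the format of the Site A racoon log quoted in the thread.
SAMPLE_LOG = """\
Aug 9 16:00:51 racoon: INFO: begin Aggressive mode.
Aug 9 16:00:51 racoon: ERROR: phase1 negotiation failed.
Aug 9 16:00:51 racoon: ERROR: no suitable proposal found.
Aug 9 16:00:51 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#32) = SHA:MD5
Aug 9 16:00:51 racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#32) = pre-shared key:RSA signatures
Aug 9 16:00:51 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#32) = Blowfish-CBC:AES-CBC
Aug 9 15:51:03 racoon: ERROR: couldn't find configuration.
"""

# racoon's form: "rejected <attr>: DB(<our prop/trns>):Peer(<their prop/trns>) = <ours>:<theirs>"
REJECT_RE = re.compile(
    r"rejected (?P<attr>\w+): DB\((?P<db>[^)]*)\):Peer\((?P<peer>[^)]*)\) = "
    r"(?P<ours>.+?):(?P<theirs>.+)$")

def parse_rejections(log):
    """Map each rejected phase 1 attribute to (what our config accepts, what the peer offered)."""
    out = {}
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            out[m["attr"]] = (m["ours"].strip(), m["theirs"].strip())
    return out

def diagnose(log):
    """Phase 1 triage: per-attribute mismatches plus the two other error classes in the thread."""
    rej = parse_rejections(log)
    return {
        "mismatches": rej,
        "summary": [f"{attr}: we accept {ours}, peer offered {theirs}"
                    for attr, (ours, theirs) in rej.items()],
        "phase1_failed": "phase1 negotiation failed" in log,
        # racoon logs this when no remote {} section matches the peer it is talking to
        "no_remote_config": "couldn't find configuration" in log,
    }
```

Every attribute in the sample differs, i.e. the peer proposed a wholly different policy (MD5, RSA signatures, AES) rather than one parameter being off.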
        cmb

        The log messages you're showing say you have some mismatched settings between the two connections, and appear severe enough that it never would have worked the way it's currently configured. Since you re-created the connections, I'm guessing something is different now than it used to be. As to what triggered the initial issue, that's hard to say since you've probably lost all logs since then.

          DaninND

          OK, here are my /var/etc/racoon.conf files. I deleted the other tunnels that each site has. Site A has other tunnels that work. Site B has one other tunnel that doesn't work. Am I crazy? This doesn't seem to be terribly complicated (pfsense does make it easy!). I do have firewall rules set up in the IPsec tab under firewall rules. Like I said, this was all working fine last week. I'd appreciate any help. Thanks for the reply cmb.

          Site A:

          listen {
          adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
          }
          path pre_shared_key "/var/etc/psk.txt";

          path certificate  "/var/etc";

          remote 208.107.xxx.xxx {
          exchange_mode aggressive;
          my_identifier address "24.111.yyy.yyy";

          peers_identifier address 208.107.xxx.xxx;
          initial_contact on;
          dpd_delay 60;
          ike_frag on;
          support_proxy on;
          proposal_check obey;

          proposal {
          encryption_algorithm blowfish;
          hash_algorithm sha1;
          authentication_method pre_shared_key;
          dh_group 2;
          lifetime time 86400 secs;
          }
          lifetime time 86400 secs;
          }

          sainfo address 192.168.225.0/24 any address 192.168.227.0/24 any {
          encryption_algorithm blowfish;
          authentication_algorithm hmac_sha1;
          compression_algorithm deflate;
          lifetime time 3600 secs;
          }

          Site B:

          listen {
          adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
          }
          path pre_shared_key "/var/etc/psk.txt";

          path certificate  "/var/etc";

          remote 24.111.yyy.yyy {
          exchange_mode aggressive;
          my_identifier address "208.107.xxx.xxx";

          peers_identifier address 24.111.yyy.yyy;
          initial_contact on;
          dpd_delay 60;
          ike_frag on;
          support_proxy on;
          proposal_check obey;

          proposal {
          encryption_algorithm blowfish;
          hash_algorithm sha1;
          authentication_method pre_shared_key;
          dh_group 2;
          lifetime time 86400 secs;
          }
          lifetime time 86400 secs;
          }

          sainfo address 192.168.227.0/24 any address 192.168.225.0/24 any {
          encryption_algorithm blowfish;
          authentication_algorithm hmac_sha1;
          compression_algorithm deflate;
          lifetime time 3600 secs;
          }

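          An added example (not the poster's or pfSense's code): a checker that parses the remote/proposal and sainfo sections of two racoon.conf files and reports every point where the two ends cannot agree (phase 1 algorithms, phase 2 algorithms, identifiers, mirrored selectors). The template is built from the two configs posted above, keeping the thread's masked addresses as placeholders. Run on the posted configs it reports nothing, which shows that the mismatch racoon logged is not visible in these two files as posted.

```python
import re

# Template for the remote/sainfo parts of the two racoon.conf files in the thread
# (constructed from them; the thread's masked IPs are kept as placeholders).
RACOON_TMPL = """\
remote {peer} {{
my_identifier address "{me}";
peers_identifier address {peer};
proposal {{
encryption_algorithm blowfish;
hash_algorithm {hash};
authentication_method pre_shared_key;
dh_group 2;
}}
}}
sainfo address {lnet} any address {rnet} any {{
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1;
}}
"""
SITE_A = RACOON_TMPL.format(me="24.111.yyy.yyy", peer="208.107.xxx.xxx",
                            lnet="192.168.225.0/24", rnet="192.168.227.0/24", hash="sha1")
SITE_B = RACOON_TMPL.format(me="208.107.xxx.xxx", peer="24.111.yyy.yyy",
                            lnet="192.168.227.0/24", rnet="192.168.225.0/24", hash="sha1")

def _kv(block):
    """'key value;' statements -> dict, with quotes removed."""
    return {m.group(1): m.group(2).strip().replace('"', "")
            for m in re.finditer(r"(\w+)\s+([^;{}]+);", block)}

def parse_racoon(conf):
    """Pull the remote header, its phase 1 proposal and the sainfo (phase 2) block."""
    r = re.search(r"remote\s+(\S+)\s*\{(.*?)proposal\s*\{(.*?)\}", conf, re.S)
    s = re.search(r"sainfo\s+([^{]*)\{(.*?)\}", conf, re.S)
    sel = s.group(1).split()  # ['address', LOCAL_NET, 'any', 'address', REMOTE_NET, 'any']
    return {"remote": _kv(r.group(2)), "proposal": _kv(r.group(3)),
            "local_net": sel[1], "remote_net": sel[4], "sainfo": _kv(s.group(2))}

def compare(a, b):
    """Return the reasons the two ends cannot agree; an empty list means consistent."""
    issues = []
    for phase, keys in (("proposal", ("encryption_algorithm", "hash_algorithm",
                                      "authentication_method", "dh_group")),
                        ("sainfo", ("encryption_algorithm", "authentication_algorithm"))):
        for k in keys:
            if a[phase].get(k) != b[phase].get(k):
                issues.append(f"{phase} {k}: {a[phase].get(k)!r} vs {b[phase].get(k)!r}")
    for x, y in ((a, b), (b, a)):  # identifiers and selectors must mirror each other
        if x["remote"]["peers_identifier"].split()[-1] != y["remote"]["my_identifier"].split()[-1]:
            issues.append("peers_identifier on one side != my_identifier on the other")
        if x["local_net"] != y["remote_net"]:
            issues.append(f"sainfo selectors not mirrored: {x['local_net']} vs {y['remote_net']}")
    return issues
```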
            DaninND

            I have abandoned IPsec for OpenVPN. It took a little bit to migrate, but not much. I found a hardware issue that may have been the cause of these errors. I'm using donated gear (this is for a non-profit organization) so the hardware is old and questionable. I think I had a bad NIC and/or a PCI slot died.

              XIII

              When I get issues with IPsec where nothing will bring the tunnel back up, I change the PSK and it works again; I have to do this every 2-3 months. I too am migrating to OpenVPN.

              -Chris Stutzman
              Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
              Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
              freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
              Check out the pfSense Wiki

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.