IPsec error : Invalid exchange type 251

Elodie

Hi,

I am using pfsense 2.0-RC1 (i386) built on Fri Apr 8 19:08:10 EDT 2011.

I have 3 IPsec VPNs.

2 of them are working, but one of them is working randomly with error. The equipment which is on the remote site is Bintec X2250.

Here the log

May 6 10:18:54 	racoon: [Unknown Gateway/Dynamic]: ERROR: Invalid exchange type 251 from X.X.X.X[36040].
May 6 10:18:49 	racoon: [Unknown Gateway/Dynamic]: ERROR: Invalid exchange type 251 from X.X.X.X[36040].
May 6 10:18:44 	racoon: [Unknown Gateway/Dynamic]: ERROR: Invalid exchange type 251 from X.X.X.X[36040].
May 6 10:18:40 	racoon: [Portugal]: INFO: IPsec-SA established: ESP Y.Y.Y.Y[500]->X.X.X.X[500] spi=759568058(0x2d4616ba)
May 6 10:18:40 	racoon: [Portugal]: INFO: IPsec-SA established: ESP Y.Y.Y.Y[500]->X.X.X.X[500] spi=261447910(0xf9560e6)
May 6 10:18:40 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 6 10:18:40 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 6 10:18:39 	racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
May 6 10:18:39 	racoon: [Portugal]: INFO: initiate new phase 2 negotiation: Y.Y.Y.Y[4500]<=>X.X.X.X[36040]

I also have this error

May 6 10:18:39 	racoon: ERROR: Invalid exchange type 251 from Y.Y.Y.Y [36040].

It works, but after few hours or few days, the connection appears as up in pfsense but no communication can go through the VPN. I think I made a misconfiguration but everything match on both side. I cannot find any information about exchange type 251, any idea ?

Elodie

Elodie

Any idea ?

Elodie

We change the bintec on the remote site to pfsense 2.0-RC1 (i386) built on Fri Apr 8 19:08:10 EDT 2011.

I still have issue, not the same but… It seems that when the internet access going down for few second, the IpSEC tunnel going down as weel and cannot go up again.

Here some logs


Jun 23 13:38:19 	racoon: ERROR: phase1 negotiation failed due to time up. 053074ceaa752ba7:0000000000000000
Jun 23 13:38:17 	racoon: [Portugal]: [Y.Y.Y.Y] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jun 23 13:38:01 	racoon: INFO: delete phase 2 handler.
Jun 23 13:38:01 	racoon: [Portugal]: [Y.Y.Y.Y] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP Y.Y.Y.Y[0]->X.X.X.X[0]
Jun 23 13:37:29 	racoon: INFO: begin Aggressive mode.
Jun 23 13:37:29 	racoon: [Portugal]: INFO: initiate new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Jun 23 13:37:29 	racoon: [Portugal]: INFO: IPsec-SA request for Y.Y.Y.Y queued due to no phase1 found.
Jun 23 13:37:19 	racoon: ERROR: phase1 negotiation failed due to time up. 65f6398b3e16ea16:0000000000000000
Jun 23 13:37:01 	racoon: INFO: delete phase 2 handler.
Jun 23 13:37:01 	racoon: [Portugal]: [Y.Y.Y.Y] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP Y.Y.Y.Y[0]->X.X.X.X[0]
Jun 23 13:36:29 	racoon: INFO: begin Aggressive mode.
Jun 23 13:36:29 	racoon: [Portugal]: INFO: initiate new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Jun 23 13:36:29 	racoon: [Portugal]: INFO: IPsec-SA request for Y.Y.Y.Y queued due to no phase1 found.
Jun 23 12:00:21 	racoon: [Portugal]: INFO: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=83767616(0x4fe3140)
Jun 23 12:00:21 	racoon: [Portugal]: INFO: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=183173812(0xaeb02b4)
Jun 23 12:00:21 	racoon: [Portugal]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->Y.Y.Y.Y[500] spi=167828318(0xa00db5e)
Jun 23 12:00:21 	racoon: [Portugal]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->Y.Y.Y.Y[500] spi=178809086(0xaa868fe)
Jun 23 10:24:15 	racoon: [Portugal]: INFO: ISAKMP-SA deleted X.X.X.X[4500]-Y.Y.Y.Y[4500] spi:7411c5a7fa3b7592:fef87f9150e917c6
Jun 23 10:24:15 	racoon: [Portugal]: INFO: ISAKMP-SA expired X.X.X.X[4500]-Y.Y.Y.Y[4500] spi:7411c5a7fa3b7592:fef87f9150e917c6