IPsec error : Invalid exchange type 251
-
Hi,
I am using pfsense 2.0-RC1 (i386) built on Fri Apr 8 19:08:10 EDT 2011.
I have 3 IPsec VPNs.
2 of them are working, but one of them is working randomly, with errors. The equipment on the remote site is a Bintec X2250.
Here is the log:
May 6 10:18:54 racoon: [Unknown Gateway/Dynamic]: ERROR: Invalid exchange type 251 from X.X.X.X[36040].
May 6 10:18:49 racoon: [Unknown Gateway/Dynamic]: ERROR: Invalid exchange type 251 from X.X.X.X[36040].
May 6 10:18:44 racoon: [Unknown Gateway/Dynamic]: ERROR: Invalid exchange type 251 from X.X.X.X[36040].
May 6 10:18:40 racoon: [Portugal]: INFO: IPsec-SA established: ESP Y.Y.Y.Y[500]->X.X.X.X[500] spi=759568058(0x2d4616ba)
May 6 10:18:40 racoon: [Portugal]: INFO: IPsec-SA established: ESP Y.Y.Y.Y[500]->X.X.X.X[500] spi=261447910(0xf9560e6)
May 6 10:18:40 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 6 10:18:40 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 6 10:18:39 racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
May 6 10:18:39 racoon: [Portugal]: INFO: initiate new phase 2 negotiation: Y.Y.Y.Y[4500]<=>X.X.X.X[36040]
I also have this error:
May 6 10:18:39 racoon: ERROR: Invalid exchange type 251 from Y.Y.Y.Y [36040].
It works, but after a few hours or a few days, the connection appears as up in pfsense but no communication can go through the VPN. I think I made a misconfiguration, but everything matches on both sides. I cannot find any information about exchange type 251. Any idea?
Elodie
-
Any idea?
-
We changed the Bintec on the remote site to pfsense 2.0-RC1 (i386) built on Fri Apr 8 19:08:10 EDT 2011.
I still have an issue, not the same one, but… It seems that when the internet access goes down for a few seconds, the IPsec tunnel goes down as well and cannot come up again.
Here are some logs:
Jun 23 13:38:19 racoon: ERROR: phase1 negotiation failed due to time up. 053074ceaa752ba7:0000000000000000
Jun 23 13:38:17 racoon: [Portugal]: [Y.Y.Y.Y] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jun 23 13:38:01 racoon: INFO: delete phase 2 handler.
Jun 23 13:38:01 racoon: [Portugal]: [Y.Y.Y.Y] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP Y.Y.Y.Y[0]->X.X.X.X[0]
Jun 23 13:37:29 racoon: INFO: begin Aggressive mode.
Jun 23 13:37:29 racoon: [Portugal]: INFO: initiate new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Jun 23 13:37:29 racoon: [Portugal]: INFO: IPsec-SA request for Y.Y.Y.Y queued due to no phase1 found.
Jun 23 13:37:19 racoon: ERROR: phase1 negotiation failed due to time up. 65f6398b3e16ea16:0000000000000000
Jun 23 13:37:01 racoon: INFO: delete phase 2 handler.
Jun 23 13:37:01 racoon: [Portugal]: [Y.Y.Y.Y] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP Y.Y.Y.Y[0]->X.X.X.X[0]
Jun 23 13:36:29 racoon: INFO: begin Aggressive mode.
Jun 23 13:36:29 racoon: [Portugal]: INFO: initiate new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Jun 23 13:36:29 racoon: [Portugal]: INFO: IPsec-SA request for Y.Y.Y.Y queued due to no phase1 found.
Jun 23 12:00:21 racoon: [Portugal]: INFO: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=83767616(0x4fe3140)
Jun 23 12:00:21 racoon: [Portugal]: INFO: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=183173812(0xaeb02b4)
Jun 23 12:00:21 racoon: [Portugal]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->Y.Y.Y.Y[500] spi=167828318(0xa00db5e)
Jun 23 12:00:21 racoon: [Portugal]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->Y.Y.Y.Y[500] spi=178809086(0xaa868fe)
Jun 23 10:24:15 racoon: [Portugal]: INFO: ISAKMP-SA deleted X.X.X.X[4500]-Y.Y.Y.Y[4500] spi:7411c5a7fa3b7592:fef87f9150e917c6
Jun 23 10:24:15 racoon: [Portugal]: INFO: ISAKMP-SA expired X.X.X.X[4500]-Y.Y.Y.Y[4500] spi:7411c5a7fa3b7592:fef87f9150e917c6