IPSEC- LOGS: racoon: ERROR: not acceptable Identity Protection mode

    Hi there,

    I have configured my IPSec tunnel between two offices and it works fine. Both offices use the pfSense 1.2-BETA-2 version. The tunnel is up. But when I look at the IPSEC logs on the main office pfSense I get this racoon error a lot (racoon: ERROR: not acceptable Identity Protection mode) and it repeats continuously. There are no such errors in the branch office pfSense's IPSEC logs. I am not sure why this happens. If anyone can help me out with this, it will be very helpful.

    Some more info about my tunnel.
    ------------------------------

    The main office is configured to accept mobile clients. The racoon config is as follows:

    path pre_shared_key "/var/etc/psk.txt";
    path certificate "/var/etc";

    remote anonymous {
            exchange_mode aggressive;
            my_identifier address "xx.xx.xx.xx";
            initial_contact on;
            passive on;
            generate_policy on;
            support_proxy on;
            proposal_check obey;

            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 1200 secs;
            }
            lifetime time 1200 secs;
    }

    sainfo anonymous {
            encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
            authentication_algorithm hmac_sha1,hmac_md5;
            compression_algorithm deflate;
            lifetime time 1200 secs;
    }

    The pre-shared key file on the main office is /var/etc/psk.txt:
    60yorkstreet@abc.com      verysecretpassword

    The branch office's racoon config is as follows:

    path pre_shared_key "/var/etc/psk.txt";
    path certificate "/var/etc";

    remote xx.xx.xx.xx {
            exchange_mode aggressive;
            my_identifier user_fqdn "60yorkstreet@abc.com";
            peers_identifier address xx.xx.xx.xx;
            initial_contact on;
            support_proxy on;
            proposal_check obey;

            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 1200 secs;
            }
            lifetime time 1200 secs;
    }

    sainfo address 192.168.60.0/24 any address 192.168.10.0/24 any {
            encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
            authentication_algorithm hmac_sha1,hmac_md5;
            compression_algorithm deflate;
            lifetime time 1200 secs;
    }

    The pre-shared key file on the branch office is /var/etc/psk.txt:
    xx.xx.xx.xx      verysecretpassword


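An added example, not code from the post, pfSense or racoon: a small checker that reads the `remote` blocks quoted above and answers two questions a practitioner would ask here. First, which remote block would log "not acceptable Identity Protection mode" (Identity Protection is ISAKMP's name for IKEv1 Main Mode; racoon logs this on the responder side when an initiator's exchange type is not in the matching block's `exchange_mode` list, which in racoon.conf may be a comma-separated list such as `aggressive,main`). Second, whether each side's `my_identifier` actually keys an entry in the other side's psk.txt. The configuration text and psk.txt lines are copied from the post with the redacted xx.xx.xx.xx kept as-is; the `sainfo` blocks are left out because they do not affect phase-1 exchange-type acceptance. The `aggressive,main` variant in the `__main__` section is illustrative only.

```python
"""Checker for the racoon.conf fragments quoted in the post above (added
example, not code from the post, pfSense or racoon).  The remote blocks and
psk.txt lines are copied from the post, redacted xx.xx.xx.xx kept as-is;
sainfo blocks are omitted since they do not affect which phase-1 exchange
types a remote block accepts."""
import re

# racoon's names for the IKEv1 phase-1 exchange types, as printed in the
# "not acceptable ... mode" error; "Identity Protection" is ISAKMP's Main Mode.
EXCHANGE_NAMES = {"main": "Identity Protection", "aggressive": "Aggressive", "base": "Base"}

MAIN_CONF = """
remote anonymous {
        exchange_mode aggressive;
        my_identifier address "xx.xx.xx.xx";
        initial_contact on;
        passive on;
        generate_policy on;
        support_proxy on;
        proposal_check obey;
        proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; lifetime time 1200 secs; }
        lifetime time 1200 secs;
}
"""
BRANCH_CONF = """
remote xx.xx.xx.xx {
        exchange_mode aggressive;
        my_identifier user_fqdn "60yorkstreet@abc.com";
        peers_identifier address xx.xx.xx.xx;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; lifetime time 1200 secs; }
        lifetime time 1200 secs;
}
"""
MAIN_PSK = "60yorkstreet@abc.com      verysecretpassword\n"     # main office psk.txt
BRANCH_PSK = "xx.xx.xx.xx      verysecretpassword\n"            # branch office psk.txt
LOG_LINE = "racoon: ERROR: not acceptable Identity Protection mode"  # from the post
REMOTE_RE = re.compile(r'^remote\s+(\S+)\s*\{$')

def remote_blocks(conf):
    """Map remote-block name -> {setting: value}; nested blocks such as proposal {...} are skipped."""
    blocks, current, depth = {}, None, 0
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REMOTE_RE.match(line)
        if depth == 0 and m:
            current, depth = m.group(1).strip('"'), 1
            blocks[current] = {}
            continue
        if current is not None and depth == 1 and line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            blocks[current][key] = value.strip()
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return blocks

def accepted_modes(block):
    """exchange_mode is a comma-separated list of main / aggressive / base."""
    return [m.strip() for m in block.get("exchange_mode", "").split(",") if m.strip()]

def blocks_that_emit(log_line, conf):
    """Remote blocks that would log this error when a peer they match initiates
    phase 1 with the named exchange type (racoon checks this as responder)."""
    m = re.search(r"not acceptable (Identity Protection|Aggressive|Base) mode", log_line)
    if not m:
        return []
    wanted = {v: k for k, v in EXCHANGE_NAMES.items()}[m.group(1)]
    return [name for name, blk in remote_blocks(conf).items()
            if wanted not in accepted_modes(blk)]

def psk_entries(psk_text):
    """psk.txt lines are: identifier, whitespace, secret; '#' starts a comment."""
    entries = {}
    for raw in psk_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            ident, secret = line.split(None, 1)
            entries[ident] = secret
    return entries

def missing_psk_identities(local_conf, peer_psk_text):
    """my_identifier of each local remote block must key an entry in the peer's
    psk.txt: with PSK in aggressive mode the peer looks the key up by that ID."""
    peer, missing = psk_entries(peer_psk_text), []
    for name, blk in remote_blocks(local_conf).items():
        ident = blk.get("my_identifier", "").split(None, 1)[-1].strip('"')
        if ident and ident not in peer:
            missing.append((name, ident))
    return missing

if __name__ == "__main__":
    fixed = MAIN_CONF.replace("exchange_mode aggressive;", "exchange_mode aggressive,main;")
    print("emits the error:", blocks_that_emit(LOG_LINE, MAIN_CONF), "after adding main:", blocks_that_emit(LOG_LINE, fixed))
    print("PSK ids missing:", missing_psk_identities(BRANCH_CONF, MAIN_PSK), missing_psk_identities(MAIN_CONF, BRANCH_PSK))
```

Run against the post's fragments, the PSK cross-check comes back clean on both sides, which is consistent with the tunnel being up, and `blocks_that_emit` names `anonymous` as the only main-office block that would produce the logged error: it accepts aggressive mode only, so any peer it matches that opens with Main Mode is refused and logged. Since the branch's own block initiates with aggressive mode, those Main Mode attempts come from some other peer that the post's logs do not identify. Listing `main` as well would silence the message, but it also means the catch-all `anonymous` block answers Main Mode from any address, so check what is sending it before widening the policy.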