4. IPsec does not work, force restart Racoon

IPsec does not work, force restart Racoon

  • M

    Hi,

    I installed and configured Pfsense with a VPN tunnel between two site.
    I use IPsec, it correctly fontionne for several months ..

    But in recent weeks, I have concerns .. VPN pass off twice a day. And I have to force a restart racoon service for it working again.

    I have some log:

    racoon: ERROR: pfkey UPDATE failed: Invalid argument
    racoon: ERROR: such policy already exists. anyway replace it: xxx.xxx.xxx.xxx[0] xxx.xxx.xxx.xxx[0] proto=any dir=in
    racoon: INFO: unsupported

    racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    racoon: INFO: begin Aggressive mode.
    racoon: [Self]: INFO: respond new phase 1 negotiation: [xxx.xxx.xxx.xxx][500]<=>[xxx.xxx.xxx.xxx][500]
    racoon: [xxx.xxx.xxx.xxx] ERROR: phase1 negotiation failed.
    racoon: [xxx.xxx.xxx.xxx] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
    racoon: [xxx.xxx.xxx.xxx] ERROR: failed to get valid proposal.
    racoon: ERROR: no suitable proposal found.
    racoon: [xxx.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947

    0
  • E

    @Meezy:

    Hi,

    I installed and configured Pfsense with a VPN tunnel between two site.
    I use IPsec, it correctly fontionne for several months ..

    But in recent weeks, I have concerns .. VPN pass off twice a day. And I have to force a restart racoon service for it working again.

    I have some log:

    racoon: ERROR: pfkey UPDATE failed: Invalid argument
    racoon: ERROR: such policy already exists. anyway replace it: xxx.xxx.xxx.xxx[0] xxx.xxx.xxx.xxx[0] proto=any dir=in
    racoon: INFO: unsupported

    racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    racoon: INFO: begin Aggressive mode.
    racoon: [Self]: INFO: respond new phase 1 negotiation: [xxx.xxx.xxx.xxx][500]<=>[xxx.xxx.xxx.xxx][500]
    racoon: [xxx.xxx.xxx.xxx] ERROR: phase1 negotiation failed.
    racoon: [xxx.xxx.xxx.xxx] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
    racoon: [xxx.xxx.xxx.xxx] ERROR: failed to get valid proposal.
    racoon: ERROR: no suitable proposal found.
    racoon: [xxx.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947

    Hi Meezy,
    Double check your settings on both sides of the tunnel for lifetime.
    Also make sure both sides are set in phase 1 for either Main or Aggressive.

    I have had something similar like this happen where as long as one site would initiate a tunnel would still work even if there was a mismatch of Main/Aggressive.

    -E

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy