1. Home
  2. pfSense® Software
  3. IPsec
  4. IPsec does not work, force restart Racoon

IPsec does not work, force restart Racoon

  • M

    Hi,

    I installed and configured Pfsense with a VPN tunnel between two site.
    I use IPsec, it correctly fontionne for several months ..

    But in recent weeks, I have concerns .. VPN pass off twice a day. And I have to force a restart racoon service for it working again.

    I have some log:

    racoon: ERROR: pfkey UPDATE failed: Invalid argument
    racoon: ERROR: such policy already exists. anyway replace it: xxx.xxx.xxx.xxx[0] xxx.xxx.xxx.xxx[0] proto=any dir=in
    racoon: INFO: unsupported

    racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    racoon: INFO: begin Aggressive mode.
    racoon: [Self]: INFO: respond new phase 1 negotiation: [xxx.xxx.xxx.xxx][500]<=>[xxx.xxx.xxx.xxx][500]
    racoon: [xxx.xxx.xxx.xxx] ERROR: phase1 negotiation failed.
    racoon: [xxx.xxx.xxx.xxx] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
    racoon: [xxx.xxx.xxx.xxx] ERROR: failed to get valid proposal.
    racoon: ERROR: no suitable proposal found.
    racoon: [xxx.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947

    0
  • E

    @Meezy:

    Hi,

    I installed and configured Pfsense with a VPN tunnel between two site.
    I use IPsec, it correctly fontionne for several months ..

    But in recent weeks, I have concerns .. VPN pass off twice a day. And I have to force a restart racoon service for it working again.

    I have some log:

    racoon: ERROR: pfkey UPDATE failed: Invalid argument
    racoon: ERROR: such policy already exists. anyway replace it: xxx.xxx.xxx.xxx[0] xxx.xxx.xxx.xxx[0] proto=any dir=in
    racoon: INFO: unsupported

    racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    racoon: INFO: begin Aggressive mode.
    racoon: [Self]: INFO: respond new phase 1 negotiation: [xxx.xxx.xxx.xxx][500]<=>[xxx.xxx.xxx.xxx][500]
    racoon: [xxx.xxx.xxx.xxx] ERROR: phase1 negotiation failed.
    racoon: [xxx.xxx.xxx.xxx] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
    racoon: [xxx.xxx.xxx.xxx] ERROR: failed to get valid proposal.
    racoon: ERROR: no suitable proposal found.
    racoon: [xxx.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947

    Hi Meezy,
    Double check your settings on both sides of the tunnel for lifetime.
    Also make sure both sides are set in phase 1 for either Main or Aggressive.

    I have had something similar like this happen where as long as one site would initiate a tunnel would still work even if there was a mismatch of Main/Aggressive.

    -E

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy