Netgate Discussion Forum
    IPsec does not work, force restart Racoon

    Meezy

      Hi,

      I installed and configured pfSense with a VPN tunnel between two sites.
      I use IPsec, and it worked correctly for several months.

      But in recent weeks I have had problems: the VPN goes down twice a day, and I have to force a restart of the racoon service for it to work again.

      I have some logs:

      racoon: ERROR: pfkey UPDATE failed: Invalid argument
      racoon: ERROR: such policy already exists. anyway replace it: xxx.xxx.xxx.xxx[0] xxx.xxx.xxx.xxx[0] proto=any dir=in
      racoon: INFO: unsupported

      racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      racoon: INFO: begin Aggressive mode.
      racoon: [Self]: INFO: respond new phase 1 negotiation: [xxx.xxx.xxx.xxx][500]<=>[xxx.xxx.xxx.xxx][500]
      racoon: [xxx.xxx.xxx.xxx] ERROR: phase1 negotiation failed.
      racoon: [xxx.xxx.xxx.xxx] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
      racoon: [xxx.xxx.xxx.xxx] ERROR: failed to get valid proposal.
      racoon: ERROR: no suitable proposal found.
      racoon: [xxx.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947

      eureka

        @Meezy:

        Hi,

        I installed and configured Pfsense with a VPN tunnel between two site.
        I use IPsec, it correctly fontionne for several months ..

        But in recent weeks, I have concerns .. VPN pass off twice a day. And I have to force a restart racoon service for it working again.

        I have some log:

        racoon: ERROR: pfkey UPDATE failed: Invalid argument
        racoon: ERROR: such policy already exists. anyway replace it: xxx.xxx.xxx.xxx[0] xxx.xxx.xxx.xxx[0] proto=any dir=in
        racoon: INFO: unsupported

        racoon: INFO: received broken Microsoft ID: FRAGMENTATION
        racoon: INFO: begin Aggressive mode.
        racoon: [Self]: INFO: respond new phase 1 negotiation: [xxx.xxx.xxx.xxx][500]<=>[xxx.xxx.xxx.xxx][500]
        racoon: [xxx.xxx.xxx.xxx] ERROR: phase1 negotiation failed.
        racoon: [xxx.xxx.xxx.xxx] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
        racoon: [xxx.xxx.xxx.xxx] ERROR: failed to get valid proposal.
        racoon: ERROR: no suitable proposal found.
        racoon: [xxx.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947

        Hi Meezy,
        Double check your settings on both sides of the tunnel for lifetime.
        Also make sure both sides are set in phase 1 for either Main or Aggressive.

        I have had something similar to this happen where, as long as one site would initiate, the tunnel would still work even if there was a mismatch of Main/Aggressive.

        -E

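As an added example (not code from this thread, from pfSense or from racoon), the following Python helper turns the advice above into something repeatable: it counts the racoon symptoms quoted in the original post and diffs the two peers' phase 1 settings for exactly the lifetime and Main/Aggressive mismatches eureka points to. The log sample is constructed from the lines in the post, and the phase 1 field names (mode, encryption, hash, dh_group, lifetime) are an assumption modelled on the pfSense phase 1 form, not read from any real config file.

```python
import re

# Constructed sample log, built from the symptom lines quoted in the thread
# (peer addresses masked as xxx.xxx.xxx.xxx, as in the original post).
SAMPLE_LOG = """\
racoon: ERROR: pfkey UPDATE failed: Invalid argument
racoon: ERROR: such policy already exists. anyway replace it: xxx.xxx.xxx.xxx[0] xxx.xxx.xxx.xxx[0] proto=any dir=in
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: begin Aggressive mode.
racoon: [Self]: INFO: respond new phase 1 negotiation: [xxx.xxx.xxx.xxx][500]<=>[xxx.xxx.xxx.xxx][500]
racoon: [xxx.xxx.xxx.xxx] ERROR: phase1 negotiation failed.
racoon: [xxx.xxx.xxx.xxx] ERROR: failed to get valid proposal.
racoon: ERROR: no suitable proposal found.
"""

# Each signature maps a racoon message to the setting worth comparing on both peers.
SIGNATURES = [
    ("proposal_mismatch",
     re.compile(r"no suitable proposal found|failed to get valid proposal"),
     "Phase 1 proposal rejected: compare encryption, hash, DH group and lifetime on both peers."),
    ("aggressive_mode",
     re.compile(r"begin Aggressive mode"),
     "Peer is negotiating in Aggressive mode: confirm both sides use the same mode (Main or Aggressive)."),
    ("stale_kernel_policy",
     re.compile(r"pfkey UPDATE failed|such policy already exists"),
     "Kernel SA/SPD state is stale; this is what a racoon restart clears, not the root cause."),
    ("vendor_id_quirk",
     re.compile(r"received broken Microsoft ID"),
     "Informational vendor-ID message; not a failure on its own."),
]

def triage_racoon_log(text):
    """Count known symptoms in racoon log text.

    Returns {key: {"count": n, "hint": str}} for every signature that matched.
    """
    findings = {}
    for line in text.splitlines():
        for key, pattern, hint in SIGNATURES:
            if pattern.search(line):
                entry = findings.setdefault(key, {"count": 0, "hint": hint})
                entry["count"] += 1
    return findings

# Phase 1 settings that must agree on both peers. Field names are hypothetical,
# modelled on the pfSense phase 1 form rather than parsed from any config file.
PHASE1_KEYS = ("mode", "encryption", "hash", "dh_group", "lifetime")

def compare_phase1(local, remote):
    """Return the names of phase 1 settings that differ between two peers."""
    return [k for k in PHASE1_KEYS if local.get(k) != remote.get(k)]

def build_report(log_text, local, remote):
    """Combine log findings with a config diff into a list of action items."""
    actions = []
    findings = triage_racoon_log(log_text)
    for key, _pattern, hint in SIGNATURES:
        if key in findings:
            actions.append(f"{key} x{findings[key]['count']}: {hint}")
    for field in compare_phase1(local, remote):
        actions.append(
            f"mismatch in {field}: local={local.get(field)!r} remote={remote.get(field)!r}"
        )
    return actions

if __name__ == "__main__":
    # Constructed peer settings carrying the two mismatches eureka suggests checking.
    site_a = {"mode": "main", "encryption": "aes256", "hash": "sha1", "dh_group": 2, "lifetime": 28800}
    site_b = {"mode": "aggressive", "encryption": "aes256", "hash": "sha1", "dh_group": 2, "lifetime": 86400}
    for item in build_report(SAMPLE_LOG, site_a, site_b):
        print(item)
```

Run against the sample, the report lists the four symptom classes from the log and then the two config differences (mode and lifetime), which is the order a defender would work through them: confirm the proposal/mode mismatch first, since the stale pfkey state is only the side effect that the forced racoon restart happens to clear.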
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.