IPsec does not work, force restart Racoon
-
Hi,
I installed and configured pfSense with a VPN tunnel between two sites.
I use IPsec, and it worked correctly for several months. But in recent weeks I have had concerns: the VPN goes down twice a day, and I have to force a restart of the racoon service for it to work again.
I have some log:
racoon: ERROR: pfkey UPDATE failed: Invalid argument
racoon: ERROR: such policy already exists. anyway replace it: xxx.xxx.xxx.xxx[0] xxx.xxx.xxx.xxx[0] proto=any dir=in
racoon: INFO: unsupported
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: begin Aggressive mode.
racoon: [Self]: INFO: respond new phase 1 negotiation: [xxx.xxx.xxx.xxx][500]<=>[xxx.xxx.xxx.xxx][500]
racoon: [xxx.xxx.xxx.xxx] ERROR: phase1 negotiation failed.
racoon: [xxx.xxx.xxx.xxx] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
racoon: [xxx.xxx.xxx.xxx] ERROR: failed to get valid proposal.
racoon: ERROR: no suitable proposal found.
racoon: [xxx.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947
Hi Meezy,
Double check your settings on both sides of the tunnel for lifetime.
Also make sure both sides are set in phase 1 for either Main or Aggressive. I have had something similar to this happen where, as long as one site would initiate, the tunnel would still work even if there was a mismatch of Main/Aggressive.
-E
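A small triage script for the racoon log pattern shown in this thread, added here as an example and not part of either post. It picks out the phase 1 failures per peer, which mode (Main/Aggressive) the responder started, the "check lifetime/algorithm" style proposal-mismatch hints, and the pfkey errors, so the two sides can be compared quickly. The sample lines are constructed from the ones above, with documentation addresses (203.0.113.10, 198.51.100.20) standing in for the masked xxx addresses.

```python
import re
from collections import Counter

# Constructed sample racoon log, modelled on the lines in the thread.
# 203.0.113.10 / 198.51.100.20 are placeholder (RFC 5737) addresses.
SAMPLE_LOG = """\
racoon: ERROR: pfkey UPDATE failed: Invalid argument
racoon: ERROR: such policy already exists. anyway replace it: 203.0.113.10[0] 198.51.100.20[0] proto=any dir=in
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: begin Aggressive mode.
racoon: [Self]: INFO: respond new phase 1 negotiation: [203.0.113.10][500]<=>[198.51.100.20][500]
racoon: [198.51.100.20] ERROR: phase1 negotiation failed.
racoon: [198.51.100.20] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
racoon: [198.51.100.20] ERROR: failed to get valid proposal.
racoon: ERROR: no suitable proposal found.
racoon: [198.51.100.20] INFO: Selected NAT-T version: RFC 3947
"""

# Lines that carry a peer address in brackets, e.g. "racoon: [1.2.3.4] ERROR: ..."
PEER_RE = re.compile(r"^racoon: \[(?P<peer>[0-9.]+)\] (?P<level>\w+): (?P<msg>.*)$")
# The responder announces which phase 1 exchange mode it is using.
MODE_RE = re.compile(r"^racoon: INFO: begin (?P<mode>Main|Aggressive) mode\.$")
# Fragments that point at a phase 1 proposal (lifetime / algorithm / mode) mismatch.
PROPOSAL_MISMATCH = (
    "failed to get valid proposal",
    "failed to pre-process ph1 packet",
    "no suitable proposal found",
)


def analyze(log_text):
    """Summarise racoon phase 1 trouble: failures per peer, modes seen, mismatch hints, pfkey errors."""
    summary = {"phase1_failures": Counter(), "modes": set(),
               "mismatch_hints": 0, "pfkey_errors": 0, "mismatch_suspected": False}
    for line in log_text.splitlines():
        if "pfkey" in line and "failed" in line:        # kernel SA/SPD update problems
            summary["pfkey_errors"] += 1
        mode = MODE_RE.match(line)
        if mode:
            summary["modes"].add(mode.group("mode"))
        m = PEER_RE.match(line)
        if m and m.group("level") == "ERROR" and "phase1 negotiation failed" in m.group("msg"):
            summary["phase1_failures"][m.group("peer")] += 1
        if any(hint in line for hint in PROPOSAL_MISMATCH):
            summary["mismatch_hints"] += 1
    # Phase 1 failing together with proposal errors is the signature of a settings mismatch.
    summary["mismatch_suspected"] = summary["mismatch_hints"] > 0 and bool(summary["phase1_failures"])
    return summary


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run it against /var/log/ipsec.log from both firewalls; if one side reports Aggressive and the other Main, or the mismatch hints only appear when one side initiates, that matches the Main/Aggressive mismatch described in the reply.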