Netgate Discussion Forum
    Problem with ipsec in main mode

    blueice

      Hi,
      I have 2 pfSense installs (both have the 1.2 release).
      I have set up a VPN channel in aggressive mode and it works fine.
      But if I change this to main (only this change; all the remaining config is the same), then I get these errors:

      racoon: ERROR: phase1 negotiation failed.
      racoon: ERROR: failed to process packet.
      racoon: ERROR: couldn't find the pskey for 88.88.88.88.
      racoon: INFO: received Vendor ID: DPD
      racoon: INFO: begin Identity Protection mode.
      racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 77.77.77.77[500]<=>88.88.88.88[500]
      

      On the client side the logs are:

      racoon: ERROR: phase1 negotiation failed due to time up. 262dd3c71e164259:7449f4a01dabf8d9
      racoon: []: INFO: phase2 sa deleted 88.88.88.88-77.77.77.77
      racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      racoon: []: INFO: phase2 sa expired 88.88.88.88-77.77.77.77
      racoon: []: INFO: phase2 sa deleted 88.88.88.88-77.77.77.77
      racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      racoon: []: INFO: phase2 sa expired 88.88.88.88-77.77.77.77
      racoon: INFO: received Vendor ID: DPD
      racoon: INFO: begin Identity Protection mode.
      racoon: []: INFO: initiate new phase 1 negotiation: 88.88.88.88[500]<=>77.77.77.77[500]
      racoon: []: INFO: IPsec-SA request for 77.77.77.77 queued due to no phase1 found.
      racoon: INFO: delete phase 2 handler.
      racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 77.77.77.77[0]->88.88.88.88[0]
      racoon: ERROR: phase1 negotiation failed due to time up. e6fb5d325ef6d5a4:48cad08db515f094
      

      The server 88.88.88.88 has a dynamic IP.
      My config is: main-3des-md5-dh2-lifetime8000-preshared_key-ESP-pfs_off.
      I hope my config is OK, because if I change only main to aggressive on both servers the VPN works fine.

      heiko

        In my tests, dynamic endpoints and main mode do not work.

        greetings
        heiko

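An added example, not code from this thread nor from pfSense or racoon: it parses the responder-side lines from the first post and models why the "couldn't find the pskey" error appears for a dynamic peer in main mode, which matches heiko's observation. The `select_psk` model and the identifier `branch.example.invalid` are assumptions; the addresses are the ones in the thread.

```python
import re

# Responder-side racoon lines quoted in the first post, reordered oldest-first.
SERVER_LOG = """\
racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 77.77.77.77[500]<=>88.88.88.88[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received Vendor ID: DPD
racoon: ERROR: couldn't find the pskey for 88.88.88.88.
racoon: ERROR: failed to process packet.
racoon: ERROR: phase1 negotiation failed.
"""

# racoon's log names for the two IKEv1 phase-1 exchanges.
MODE_NAMES = {"Identity Protection": "main", "Aggressive": "aggressive"}


def select_psk(mode, peer_addr, peer_id, psk_table):
    """Model (an assumption, not racoon's code) of responder PSK selection.
    Main mode: the initiator's ID arrives encrypted in message 5, under keys
    derived from SKEYID, which already needs the PSK, so the responder can only
    key the lookup by the peer's source address. Aggressive mode: the ID is in
    the clear in message 1, so an FQDN/user-FQDN identifier can select the key."""
    if mode == "main":
        return psk_table.get(peer_addr)
    if mode == "aggressive":
        return psk_table.get(peer_id, psk_table.get(peer_addr))
    raise ValueError(f"unknown phase-1 mode: {mode}")


def diagnose(log_text):
    """Pull mode, peer address and failure cause out of responder racoon lines."""
    info = {"mode": None, "peer": None, "missing_psk": False, "cause": None}
    for line in log_text.splitlines():
        m = re.search(r"respond new phase 1 negotiation: \S+<=>(\d+(?:\.\d+){3})\[", line)
        if m:
            info["peer"] = m.group(1)
        m = re.search(r"begin (Identity Protection|Aggressive) mode", line)
        if m:
            info["mode"] = MODE_NAMES[m.group(1)]
        m = re.search(r"couldn't find the pskey for (\d+(?:\.\d+){3})", line)
        if m:
            info["missing_psk"] = True
            info["peer"] = info["peer"] or m.group(1)
    if info["missing_psk"] and info["mode"] == "main":
        info["cause"] = (f"main mode keys the PSK by peer address and {info['peer']} "
                         "is not a configured static peer; use a static WAN address "
                         "or aggressive mode with an identifier")
    elif info["missing_psk"]:
        info["cause"] = "no PSK configured for the peer's identifier or address"
    return info
```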
        blueice

          @heiko:

          In my tests, dynamic endpoints and main mode do not work.

          greetings
          heiko

          Oh, so it is a bug.
          Have you tested this in previous versions? Do all versions have this problem?

          heiko

            What do you mean by "all versions"? You have to choose only the 1.2 release, or do you mean beta, RCxx etc.?

            Static endpoints and main mode work fine and stably.
            But maybe the other folks here have tested it successfully... Could be!

            Greetings
            Heiko

            blueice

              @heiko:

              What do you mean by "all versions"? You have to choose only the 1.2 release, or do you mean beta, RCxx etc.?

              Static endpoints and main mode work fine and stably.
              But maybe the other folks here have tested it successfully... Could be!

              Greetings
              Heiko

              Yes, I mean 1.0.1 and the beta and RC.
              Have you tried having mobile clients with aggressive and static with main on the same server? Is it possible?
              Thanks for all the help.

              heiko

                1.0.1 and the other versions are not supported….

                http://blog.pfsense.org/?p=170

                Support for previous versions

                1.2 is the only supported pfSense version. No previous releases will receive any bug fix updates nor any future security updates. 1.2 is significantly more stable than past release versions, and we strongly recommend everyone make plans to upgrade. There are systems out there with several years of uptime running very early alpha pfSense releases that are stable, but we advise against that.

                Yes, if the pfSense WAN is static, you can have mixed main and aggressive tunnels.

                Please look also here http://doc.pfsense.org/index.php/VPN_Capability_IPSec

                Greetings
                Heiko

                fastcon68

                  I have seen that error before when the ends of the tunnel are mismatched, one being main and the other aggressive. I have seen it when I am first setting up the IPsec connections between Symantec, Linksys, & Netgear boxes.
                  RC
