IPSec tunnel don't work anymore - curious error message
-
Hello
I created a IPSec site-to-site tunnel, which was working well. After i made changes to a other tunnel (only the lifetime option), the tunnel don't get up anymore.
Mar 10 13:59:16 racoon: [xyz]: ERROR: 222.222.222.222 give up to get IPsec-SA due to time up to wait. Mar 10 13:58:46 racoon: ERROR: Message: '( G @Fcs B B G =p G G H * Fcs B G G 3 E. G 3 E. Fcs H *\H H G 8H B ?o, C7 l n rG n r G G 8 G2 h G w jG H >i E @ @ 0 4 G 8B X >i G H *, >itE @ @ E H | >itE (H '. Mar 10 13:58:46 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted. Mar 10 13:58:46 racoon: [xyz]: INFO: initiate new phase 2 negotiation: 111.111.111.111[500]<=>222.222.222.222[500] Mar 10 13:58:45 racoon: [xyz]: INFO: ISAKMP-SA established 111.111.111.111[500]-222.222.222.222[500] spi:d2c60140d817b71c:c1d7d049a1e45599 Mar 10 13:58:45 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt Mar 10 13:58:45 racoon: INFO: received Vendor ID: DPD Mar 10 13:58:45 racoon: INFO: received Vendor ID: CISCO-UNITY Mar 10 13:58:45 racoon: INFO: begin Identity Protection mode. Mar 10 13:58:45 racoon: [xyz]: INFO: initiate new phase 1 negotiation: 111.111.111.111[500]<=>222.222.222.222[500] Mar 10 13:58:45 racoon: [xyz]: INFO: IPsec-SA request for 222.222.222.222 queued due to no phase1 found.Can anybody help me?
Greets, Sannny
-
Oh, ehm … i change the PFS option to 2 and now the tunnel is up and running again.
I'm wondering how the tunnel works first with this option set to off ...Greets, Sannny