IPSec tunnel doesn't work anymore - curious error message
-
Hello
I created an IPSec site-to-site tunnel, which was working well. After I made changes to another tunnel (only the lifetime option), the tunnel doesn't come up anymore.
Mar 10 13:59:16 racoon: [xyz]: ERROR: 222.222.222.222 give up to get IPsec-SA due to time up to wait.
Mar 10 13:58:46 racoon: ERROR: Message: '( G @Fcs B B G =p G G H * Fcs B G G 3 E. G 3 E. Fcs H *\H H G 8H B ?o, C7 l n rG n r G G 8 G2 h G w jG H >i E @ @ 0 4 G 8B X >i G H *, >itE @ @ E H | >itE (H '.
Mar 10 13:58:46 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Mar 10 13:58:46 racoon: [xyz]: INFO: initiate new phase 2 negotiation: 111.111.111.111[500]<=>222.222.222.222[500]
Mar 10 13:58:45 racoon: [xyz]: INFO: ISAKMP-SA established 111.111.111.111[500]-222.222.222.222[500] spi:d2c60140d817b71c:c1d7d049a1e45599
Mar 10 13:58:45 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mar 10 13:58:45 racoon: INFO: received Vendor ID: DPD
Mar 10 13:58:45 racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 10 13:58:45 racoon: INFO: begin Identity Protection mode.
Mar 10 13:58:45 racoon: [xyz]: INFO: initiate new phase 1 negotiation: 111.111.111.111[500]<=>222.222.222.222[500]
Mar 10 13:58:45 racoon: [xyz]: INFO: IPsec-SA request for 222.222.222.222 queued due to no phase1 found.
Can anybody help me?
Greets, Sannny
-
Oh, ehm … I changed the PFS option to 2 and now the tunnel is up and running again.
I'm wondering how the tunnel worked at first with this option set to off ...
Greets, Sannny
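The log above shows the pattern worth recognising when triaging racoon: the ISAKMP-SA (phase 1) comes up, phase 2 starts, and only then does the peer answer NO-PROPOSAL-CHOSEN, which points at a phase 2 mismatch such as the PFS group. As an added example (not from the thread or from racoon itself), the following small Python script reads racoon log lines in chronological order and reports which phase the peer rejected and what to compare on both gateways; the sample log is constructed from the lines quoted in the post and the addresses are the poster's placeholders.

```python
import re

# Constructed sample modelled on the racoon lines quoted in the thread above,
# in chronological order (the post lists them newest first).
SAMPLE_LOG = """\
Mar 10 13:58:45 racoon: [xyz]: INFO: initiate new phase 1 negotiation: 111.111.111.111[500]<=>222.222.222.222[500]
Mar 10 13:58:45 racoon: [xyz]: INFO: ISAKMP-SA established 111.111.111.111[500]-222.222.222.222[500] spi:d2c60140d817b71c:c1d7d049a1e45599
Mar 10 13:58:46 racoon: [xyz]: INFO: initiate new phase 2 negotiation: 111.111.111.111[500]<=>222.222.222.222[500]
Mar 10 13:58:46 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Mar 10 13:59:16 racoon: [xyz]: ERROR: 222.222.222.222 give up to get IPsec-SA due to time up to wait.
"""

# Remote gateway address in "local[500]<=>remote[500]" negotiation lines.
PEER_RE = re.compile(r"<=>(\d{1,3}(?:\.\d{1,3}){3})\[\d+\]")

HINTS = {
    1: "phase 1 (ISAKMP) proposal mismatch: compare encryption, hash, DH group, "
       "lifetime and identifiers on both gateways",
    2: "phase 2 (IPsec-SA) proposal mismatch: compare PFS group, ESP cipher/auth, "
       "lifetime and local/remote networks on both gateways",
}


def triage_racoon(log_text):
    """Return {peer, phase, hint} for the first NO-PROPOSAL-CHOSEN, or None."""
    peer, phase, isakmp_up = None, 0, False
    for line in log_text.splitlines():
        if "initiate new phase 1 negotiation" in line:
            m = PEER_RE.search(line)
            peer, phase, isakmp_up = (m.group(1) if m else peer), 1, False
        elif "ISAKMP-SA established" in line:
            isakmp_up = True
        elif "initiate new phase 2 negotiation" in line:
            phase = 2
        elif "NO-PROPOSAL-CHOSEN" in line:
            # racoon always says "phase1 should be deleted" here, so the phase
            # that was actually rejected has to be inferred from the preceding
            # lines: phase 1 never completed -> phase 1, otherwise -> phase 2.
            failed = 2 if (isakmp_up and phase == 2) else 1
            return {"peer": peer, "phase": failed, "hint": HINTS[failed]}
    return None


if __name__ == "__main__":
    print(triage_racoon(SAMPLE_LOG))
```

Run it against `/var/log/ipsec.log` (or wherever racoon logs on the box) after sorting the lines oldest-first; a result with phase 2 is the signature of the PFS mismatch fixed in this thread.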