[2.2] Problem with dynamic IP on strongSwan
-
Hi Guys,
I updated my APU1.C4 from 2.1.5 to 2.2. Most things worked nicely for me, except for the package management, which was buggy until I globally turned off IPv6, and, more importantly, IPsec.
- I have a tunnel to a pfSense 2.1.5
- a second one to a WatchGuard XTM
Both phase 1s stay down with the same error:
charon: 16[KNL] <localwanip> is not a local address or the interface is down
charon: 16[NET] received packet from <remotewanip>[500] to <localwanip>[500] on ignored interface
The remote pfSense always times out while waiting for the local IKE packet. I have tried many things and realized that both tunnels work after the pfSense has been restarted. At night, when the public IP changes, the connection seems to be completely lost. Restarting the service does not work. After a restart of the entire box the tunnel is working again. Can it be that strongSwan has problems with a dynamic WAN interface? I even tried to reinstall pfSense, but a new setup ends the same way. Here is my exact configuration:
Local:
- Dynamic WAN
- No-IP DynDNS
- APU1.C4 hardware
P1
Key Exchange version : IKEv1
Internet Protocol : IPv4
Remote gateway : <remote's static WAN IP>
Authentication method : Mutual PSK
Negotiation mode : Aggressive
My identifier : Distinguished Name : <local's DynDNS name>
Peer identifier : <remote's static WAN IP>
Pre-Shared Key : <a long alphanumeric PSK>
Encryption algorithm : AES : 256
Hash algorithm : SHA384
DH key group : 5 (1536 bit)
Lifetime : 28800
Disable Rekey : NO
Disable Reauth : NO
NAT Traversal : AUTO
Dead Peer Detection : YES : 10 - 5
P2
Mode : Tunnel IPv4
Local Network : LAN subnet (172.20.20.0/24) : NO NAT
Remote Network : 192.168.70.0/24
Protocol : AES : 256
Encryption algorithms : AES : 256
Hash algorithms : SHA384
PFS key group : 5 (1536 bit)
Lifetime : 3600
Automatically ping host : 192.168.70.1
Remote:
- Static IP
- CARP (I always use the CARP IP)
- Virtual (2 pfSense on 2 ESXi hosts)
P1
Internet Protocol : IPv4
Remote gateway : <local's DynDNS name>
Authentication method : Mutual PSK
Negotiation mode : Aggressive
My identifier : <remote's static CARP WAN IP>
Peer identifier : <local's DynDNS name>
Pre-Shared Key : <a long alphanumeric PSK>
Encryption algorithm : AES : 256
Hash algorithm : SHA384
DH key group : 5 (1536 bit)
Lifetime : 28800
Disable Rekey : NO
Disable Reauth : NO
NAT Traversal : AUTO
Dead Peer Detection : YES : 10 - 5
P2
Mode : Tunnel IPv4
Local Network : LAN subnet (192.168.70.0/24) : NO NAT
Remote Network : 172.20.20.0/24
Protocol : AES : 256
Encryption algorithms : AES : 256
Hash algorithms : SHA384
PFS key group : 5 (1536 bit)
Lifetime : 3600
Automatically ping host : 172.20.20.1
Can someone help me? Does someone else have such problems? Thanks, Black
-
What logs do you have when it does not work?
-
It is not so easy, at the moment it works again. I will get you a more detailed log tomorrow or when I can reproduce the error.
What are the best debug settings for strongSwan in 2.2? "Highest" on all?
-
Okay, here are the log files:
- 1.1.1.1 means the local public IP.
- 2.2.2.2 means the remote static public IP.
- 3.3.3.3 - I don't know, probably the "old" local IP from yesterday.
- I can say for sure that my DynDNS was always up to date. I checked it with nslookup against 8.8.8.8.
- If I restart the IPsec service there is no change, the tunnel does not come up.
- If I restart the entire box everything works fine until the next IP change.
Local site, pfSense 2.2, dynamic IP with DDNS:
Feb 8 17:00:23 ipsec_starter[51250]: Starting weakSwan 5.2.1 IPsec [starter]...
Feb 8 17:00:23 ipsec_starter[51250]: no netkey IPsec stack detected
Feb 8 17:00:23 ipsec_starter[51250]: no KLIPS IPsec stack detected
Feb 8 17:00:23 ipsec_starter[51250]: no known IPsec stack detected, ignoring!
Feb 8 17:00:23 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, FreeBSD 10.1-RELEASE-p4, amd64)
Feb 8 17:00:24 charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Feb 8 17:00:24 charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Feb 8 17:00:24 charon: 00[CFG] ipseckey plugin is disabled
Feb 8 17:00:24 charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Feb 8 17:00:24 charon: 00[CFG] loaded ca certificate "XXX'
Feb 8 17:00:24 charon: 00[CFG] loaded ca certificate "XXX'
Feb 8 17:00:24 charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Feb 8 17:00:24 charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Feb 8 17:00:24 charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Feb 8 17:00:24 charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
Feb 8 17:00:24 charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Feb 8 17:00:24 charon: 00[CFG] loaded IKE secret for @%any 2.2.2.2
Feb 8 17:00:24 charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
Feb 8 17:00:24 charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 8 17:00:24 charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
Feb 8 17:00:24 charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
Feb 8 17:00:24 charon: 00[JOB] spawning 16 worker threads
Feb 8 17:00:24 ipsec_starter[51801]: charon (51880) started after 80 ms
Feb 8 17:00:24 charon: 15[CFG] received stroke: add connection 'con1000'
Feb 8 17:00:24 charon: 15[CFG] added configuration 'con1000'
Feb 8 17:00:24 charon: 15[CFG] received stroke: route 'con1000'
Feb 8 17:00:24 ipsec_starter[51801]: 'con1000' routed
Feb 8 17:00:24 ipsec_starter[51801]:
Feb 8 17:00:24 charon: 01[CFG] received stroke: add connection 'con1001'
Feb 8 17:00:24 charon: 01[CFG] added child to existing configuration 'con1000'
Feb 8 17:00:24 charon: 01[CFG] received stroke: route 'con1001'
Feb 8 17:00:24 ipsec_starter[51801]: 'con1001' routed
Feb 8 17:00:24 ipsec_starter[51801]:
Feb 8 17:00:24 charon: 01[CFG] received stroke: add connection 'con1002'
Feb 8 17:00:24 charon: 01[CFG] added child to existing configuration 'con1000'
Feb 8 17:00:24 charon: 15[CFG] received stroke: route 'con1002'
Feb 8 17:00:24 ipsec_starter[51801]: 'con1002' routed
Feb 8 17:00:24 ipsec_starter[51801]:
Feb 8 17:00:24 charon: 01[CFG] received stroke: add connection 'con1003'
Feb 8 17:00:24 charon: 01[CFG] added child to existing configuration 'con1000'
Feb 8 17:00:24 charon: 15[CFG] received stroke: route 'con1003'
Feb 8 17:00:24 ipsec_starter[51801]: 'con1003' routed
Feb 8 17:00:24 ipsec_starter[51801]:
Feb 8 17:00:32 charon: 15[KNL] creating acquire job for policy 1.1.1.1/32|/0 === 2.2.2.2/32|/0 with reqid {4}
Feb 8 17:00:32 charon: 15[IKE] <con1000|1> initiating Aggressive Mode IKE_SA con1000[1] to 2.2.2.2
Feb 8 17:00:32 charon: 15[IKE] initiating Aggressive Mode IKE_SA con1000[1] to 2.2.2.2
Feb 8 17:00:32 charon: 15[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Feb 8 17:00:32 charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:00:36 charon: 15[IKE] <con1000|1> sending retransmit 1 of request message ID 0, seq 1
Feb 8 17:00:36 charon: 15[IKE] sending retransmit 1 of request message ID 0, seq 1
Feb 8 17:00:36 charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:00:44 charon: 15[IKE] <con1000|1> sending retransmit 2 of request message ID 0, seq 1
Feb 8 17:00:44 charon: 15[IKE] sending retransmit 2 of request message ID 0, seq 1
Feb 8 17:00:44 charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:00:57 charon: 15[IKE] <con1000|1> sending retransmit 3 of request message ID 0, seq 1
Feb 8 17:00:57 charon: 15[IKE] sending retransmit 3 of request message ID 0, seq 1
Feb 8 17:00:57 charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:00:57 charon: 15[KNL] creating acquire job for policy 1.1.1.1/32|/0 === 2.2.2.2/32|/0 with reqid {4}
Feb 8 17:00:57 charon: 14[CFG] ignoring acquire, connection attempt pending
Feb 8 17:01:20 charon: 14[IKE] <con1000|1> sending retransmit 4 of request message ID 0, seq 1
Feb 8 17:01:20 charon: 14[IKE] sending retransmit 4 of request message ID 0, seq 1
Feb 8 17:01:20 charon: 14[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:02:02 charon: 14[IKE] <con1000|1> sending retransmit 5 of request message ID 0, seq 1
Feb 8 17:02:02 charon: 14[IKE] sending retransmit 5 of request message ID 0, seq 1
Feb 8 17:02:02 charon: 14[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:03:04 charon: 14[KNL] creating acquire job for policy 1.1.1.1/32|/0 === 2.2.2.2/32|/0 with reqid {4}
Feb 8 17:03:04 charon: 15[CFG] ignoring acquire, connection attempt pending
Feb 8 17:03:18 charon: 15[IKE] <con1000|1> giving up after 5 retransmits
Feb 8 17:03:18 charon: 15[IKE] giving up after 5 retransmits
Feb 8 17:03:18 charon: 15[IKE] <con1000|1> peer not responding, trying again (2/3)
Feb 8 17:03:18 charon: 15[IKE] peer not responding, trying again (2/3)
Feb 8 17:03:18 charon: 15[IKE] <con1000|1> initiating Aggressive Mode IKE_SA con1000[1] to 2.2.2.2
Feb 8 17:03:18 charon: 15[IKE] initiating Aggressive Mode IKE_SA con1000[1] to 2.2.2.2
Feb 8 17:03:18 charon: 15[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Feb 8 17:03:18 charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:03:22 charon: 15[IKE] <con1000|1> sending retransmit 1 of request message ID 0, seq 1
Feb 8 17:03:22 charon: 15[IKE] sending retransmit 1 of request message ID 0, seq 1
Feb 8 17:03:22 charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:03:27 charon: 14[KNL] creating acquire job for policy 1.1.1.1/32|/0 === 2.2.2.2/32|/0 with reqid {4}
Feb 8 17:03:27 charon: 14[CFG] ignoring acquire, connection attempt pending
Feb 8 17:03:29 charon: 06[IKE] <con1000|1> sending retransmit 2 of request message ID 0, seq 1
Feb 8 17:03:29 charon: 06[IKE] sending retransmit 2 of request message ID 0, seq 1
Feb 8 17:03:29 charon: 06[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:03:42 charon: 06[IKE] <con1000|1> sending retransmit 3 of request message ID 0, seq 1
Feb 8 17:03:42 charon: 06[IKE] sending retransmit 3 of request message ID 0, seq 1
Feb 8 17:03:42 charon: 06[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:04:05 charon: 06[IKE] <con1000|1> sending retransmit 4 of request message ID 0, seq 1
Feb 8 17:04:05 charon: 06[IKE] sending retransmit 4 of request message ID 0, seq 1
Feb 8 17:04:05 charon: 06[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Same time on the remote site, pfSense 2.1.5, static IP:
Feb 8 17:00:32 racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Feb 8 17:00:32 racoon: INFO: begin Aggressive mode.
Feb 8 17:00:32 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 8 17:00:32 racoon: INFO: received Vendor ID: DPD
Feb 8 17:00:32 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 8 17:00:32 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 8 17:00:32 racoon: INFO: received Vendor ID: RFC 3947
Feb 8 17:00:32 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 8 17:00:32 racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
Feb 8 17:00:32 racoon: ERROR: no suitable proposal found.
Feb 8 17:00:32 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:00:32 racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 8 17:00:32 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
Feb 8 17:00:34 racoon: [BlackHome]: [3.3.3.3] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 8 17:00:36 racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Feb 8 17:00:36 racoon: INFO: begin Aggressive mode.
Feb 8 17:00:36 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 8 17:00:36 racoon: INFO: received Vendor ID: DPD
Feb 8 17:00:36 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 8 17:00:36 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 8 17:00:36 racoon: INFO: received Vendor ID: RFC 3947
Feb 8 17:00:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 8 17:00:36 racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
Feb 8 17:00:36 racoon: ERROR: no suitable proposal found.
Feb 8 17:00:36 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:00:36 racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 8 17:00:36 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
Feb 8 17:00:40 racoon: ERROR: phase1 negotiation failed due to time up. a8d53e996249d080:0000000000000000
Feb 8 17:00:44 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 8 17:00:44 racoon: INFO: received Vendor ID: DPD
Feb 8 17:00:44 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 8 17:00:44 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 8 17:00:44 racoon: INFO: received Vendor ID: RFC 3947
Feb 8 17:00:44 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 8 17:00:44 racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
Feb 8 17:00:44 racoon: ERROR: no suitable proposal found.
Feb 8 17:00:44 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:00:44 racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 8 17:00:44 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
Feb 8 17:00:57 racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Feb 8 17:00:57 racoon: INFO: begin Aggressive mode.
Feb 8 17:00:57 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 8 17:00:57 racoon: INFO: received Vendor ID: DPD
Feb 8 17:00:57 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 8 17:00:57 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 8 17:00:57 racoon: INFO: received Vendor ID: RFC 3947
Feb 8 17:00:57 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 8 17:00:57 racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
Feb 8 17:00:57 racoon: ERROR: no suitable proposal found.
Feb 8 17:00:57 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:00:57 racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 8 17:00:57 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
Feb 8 17:01:00 racoon: [ARGO Joerg Home]: INFO: IPsec-SA request for 94.196.192.40 queued due to no phase1 found.
Feb 8 17:01:00 racoon: [ARGO Joerg Home]: INFO: initiate new phase 1 negotiation: 178.209.50.28[500]<=>94.196.192.40[500]
Feb 8 17:01:00 racoon: INFO: begin Aggressive mode.
Feb 8 17:01:05 racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
Feb 8 17:01:05 racoon: INFO: delete phase 2 handler.
Feb 8 17:01:11 racoon: [BlackHome]: INFO: IPsec-SA request for 3.3.3.3 queued due to no phase1 found.
Feb 8 17:01:11 racoon: [BlackHome]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>3.3.3.3[500]
Feb 8 17:01:11 racoon: INFO: begin Aggressive mode.
Feb 8 17:01:20 racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Feb 8 17:01:20 racoon: INFO: begin Aggressive mode.
Feb 8 17:01:20 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 8 17:01:20 racoon: INFO: received Vendor ID: DPD
Feb 8 17:01:20 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 8 17:01:20 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 8 17:01:20 racoon: INFO: received Vendor ID: RFC 3947
Feb 8 17:01:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 8 17:01:20 racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
Feb 8 17:01:20 racoon: ERROR: no suitable proposal found.
Feb 8 17:01:20 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:01:20 racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 8 17:01:20 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
Feb 8 17:01:25 racoon: [Aganor_Blacksfriend]: INFO: IPsec-SA request for 85.182.61.74 queued due to no phase1 found.
Feb 8 17:01:25 racoon: [Aganor_Blacksfriend]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>85.182.61.74[500]
Feb 8 17:01:25 racoon: INFO: begin Aggressive mode.
Feb 8 17:01:31 racoon: [ARGO Joerg Home]: [94.196.192.40] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 94.196.192.40[0]->178.209.50.28[0]
Feb 8 17:01:31 racoon: INFO: delete phase 2 handler.
Feb 8 17:01:42 racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
Feb 8 17:01:42 racoon: INFO: delete phase 2 handler.
Feb 8 17:01:50 racoon: ERROR: phase1 negotiation failed due to time up. f6a66ddc2534fc41:0000000000000000
Feb 8 17:01:50 racoon: [BlackHome]: [3.3.3.3] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 8 17:01:50 racoon: [BlackHome]: [3.3.3.3] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 8 17:01:56 racoon: [Aganor_Blacksfriend]: [85.182.61.74] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 85.182.61.74[0]->2.2.2.2[0]
Feb 8 17:01:56 racoon: INFO: delete phase 2 handler.
Feb 8 17:02:01 racoon: ERROR: phase1 negotiation failed due to time up. e4a16d951d1e3353:0000000000000000
Feb 8 17:02:02 racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Feb 8 17:02:02 racoon: INFO: begin Aggressive mode.
Feb 8 17:02:02 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 8 17:02:02 racoon: INFO: received Vendor ID: DPD
Feb 8 17:02:02 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 8 17:02:02 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 8 17:02:02 racoon: INFO: received Vendor ID: RFC 3947
Feb 8 17:02:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 8 17:02:02 racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
Feb 8 17:02:02 racoon: ERROR: no suitable proposal found.
Feb 8 17:02:02 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:02:02 racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 8 17:02:02 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
Feb 8 17:02:15 racoon: ERROR: phase1 negotiation failed due to time up. eddaebbe2a686f0f:0000000000000000
Feb 8 17:02:15 racoon: [BlackHome]: INFO: IPsec-SA request for 3.3.3.3 queued due to no phase1 found.
Feb 8 17:02:15 racoon: [BlackHome]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>3.3.3.3[500]
Feb 8 17:02:15 racoon: INFO: begin Aggressive mode.
Feb 8 17:02:21 racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
Feb 8 17:02:21 racoon: INFO: delete phase 2 handler.
Feb 8 17:02:22 racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
Feb 8 17:02:22 racoon: INFO: delete phase 2 handler.
Feb 8 17:02:33 racoon: [BlackHome]: [3.3.3.3] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 8 17:02:40 racoon: [BlackHome]: [3.3.3.3] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 8 17:02:47 racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
Feb 8 17:02:47 racoon: INFO: delete phase 2 handler.
Feb 8 17:03:04 racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
Feb 8 17:03:04 racoon: INFO: delete phase 2 handler.
Feb 8 17:03:05 racoon: ERROR: phase1 negotiation failed due to time up. 7b1f30dd0b53a946:0000000000000000
Feb 8 17:03:12 racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
Feb 8 17:03:12 racoon: INFO: delete phase 2 handler.
Feb 8 17:03:15 racoon: [BlackHome]: INFO: IPsec-SA request for 3.3.3.3 queued due to no phase1 found.
Feb 8 17:03:15 racoon: [BlackHome]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>3.3.3.3[500]
Feb 8 17:03:15 racoon: INFO: begin Aggressive mode.
Feb 8 17:03:18 racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Feb 8 17:03:18 racoon: INFO: begin Aggressive mode.
Feb 8 17:03:18 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 8 17:03:18 racoon: INFO: received Vendor ID: DPD
Feb 8 17:03:18 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 8 17:03:18 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 8 17:03:18 racoon: INFO: received Vendor ID: RFC 3947
Feb 8 17:03:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 8 17:03:18 racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
Feb 8 17:03:18 racoon: ERROR: no suitable proposal found.
Feb 8 17:03:18 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:03:18 racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 8 17:03:18 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
Feb 8 17:03:22 racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Feb 8 17:03:22 racoon: INFO: begin Aggressive mode.
Feb 8 17:03:22 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 8 17:03:22 racoon: INFO: received Vendor ID: DPD
Feb 8 17:03:22 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 8 17:03:22 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 8 17:03:22 racoon: INFO: received Vendor ID: RFC 3947
Feb 8 17:03:22 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 8 17:03:22 racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
Feb 8 17:03:22 racoon: ERROR: no suitable proposal found.
Feb 8 17:03:22 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:03:22 racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 8 17:03:22 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
Feb 8 17:03:29 racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Feb 8 17:03:29 racoon: INFO: begin Aggressive mode.
Feb 8 17:03:29 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 8 17:03:29 racoon: INFO: received Vendor ID: DPD
Feb 8 17:03:29 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 8 17:03:29 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 8 17:03:29 racoon: INFO: received Vendor ID: RFC 3947
Feb 8 17:03:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 8 17:03:29 racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
Feb 8 17:03:29 racoon: ERROR: no suitable proposal found.
Feb 8 17:03:29 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:03:29 racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 8 17:03:29 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
Feb 8 17:03:42 racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Feb 8 17:03:42 racoon: INFO: begin Aggressive mode.
Feb 8 17:03:42 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 8 17:03:42 racoon: INFO: received Vendor ID: DPD
Feb 8 17:03:42 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 8 17:03:42 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 8 17:03:42 racoon: INFO: received Vendor ID: RFC 3947
Feb 8 17:03:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 8 17:03:42 racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
Feb 8 17:03:42 racoon: ERROR: no suitable proposal found.
Feb 8 17:03:42 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:03:42 racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 8 17:03:42 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
Feb 8 17:03:46 racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
Feb 8 17:03:46 racoon: INFO: delete phase 2 handler.
Feb 8 17:03:49 racoon: [BlackHome]: [3.3.3.3] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 8 17:04:05 racoon: ERROR: phase1 negotiation failed due to time up. 10110f7a42388b60:0000000000000000
Feb 8 17:04:05 racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Feb 8 17:04:05 racoon: INFO: begin Aggressive mode.
Feb 8 17:04:05 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 8 17:04:05 racoon: INFO: received Vendor ID: DPD
Feb 8 17:04:05 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 8 17:04:05 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 8 17:04:05 racoon: INFO: received Vendor ID: RFC 3947
Feb 8 17:04:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 8 17:04:05 racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
Feb 8 17:04:05 racoon: ERROR: no suitable proposal found.
Feb 8 17:04:05 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:04:05 racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 8 17:04:05 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
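Reading the two logs side by side is what actually shows what is going on: the dynamic side sends every aggressive-mode request from 1.1.1.1, the static side answers each of them with "no suitable proposal found", and in the same minutes the static side keeps initiating phase 1 for the BlackHome tunnel toward 3.3.3.3, which never answers. The script below automates that cross-check. It is an added example, not code from this thread, from pfSense or from strongSwan; the embedded log lines are constructed samples condensed from the two logs posted above (same placeholder addresses), and the tunnel name "OtherSite" with peer 203.0.113.7 is invented to show a tunnel that must not be flagged.

```python
"""Correlate charon (strongSwan) and racoon logs to find a peer still dialled at a stale address.

Added example, not code from the thread, pfSense or strongSwan. Sample log lines are
constructed from the ones posted in the thread: 1.1.1.1 = current dynamic WAN address,
2.2.2.2 = static peer, 3.3.3.3 = yesterday's dynamic address. "OtherSite"/203.0.113.7 is
an assumed healthy tunnel used only to show that it is not reported.
"""
import re
from collections import Counter, defaultdict

CHARON_LOG = """\
Feb 8 17:00:32 charon: 15[IKE] initiating Aggressive Mode IKE_SA con1000[1] to 2.2.2.2
Feb 8 17:00:32 charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:00:36 charon: 15[IKE] sending retransmit 1 of request message ID 0, seq 1
Feb 8 17:00:36 charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:00:44 charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:03:18 charon: 15[IKE] giving up after 5 retransmits
"""

RACOON_LOG = """\
Feb 8 17:00:32 racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Feb 8 17:00:32 racoon: ERROR: no suitable proposal found.
Feb 8 17:00:32 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:00:32 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
Feb 8 17:00:36 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:01:00 racoon: [OtherSite]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>203.0.113.7[500]
Feb 8 17:01:11 racoon: [BlackHome]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>3.3.3.3[500]
Feb 8 17:01:42 racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
CHARON_SEND = re.compile(r"charon: \d+\[NET\] sending packet: from " + IP + r"\[\d+\] to " + IP + r"\[\d+\]")
RACOON_REJECT = re.compile(r"racoon: \[" + IP + r"\] ERROR: failed to get valid proposal")
RACOON_INITIATE = re.compile(
    r"racoon: \[([^\]]+)\]: INFO: initiate new phase 1 negotiation: " + IP + r"\[\d+\]<=>" + IP + r"\[\d+\]")
RACOON_P1_TIMEOUT = re.compile(
    r"racoon: \[([^\]]+)\]: \[" + IP + r"\] ERROR: phase2 negotiation failed due to time up waiting for phase1")


def parse_charon(text):
    """Count outbound IKE packets per (source, destination) pair seen in charon's NET lines."""
    sends = Counter()
    for line in text.splitlines():
        m = CHARON_SEND.search(line)
        if m:
            sends[(m.group(1), m.group(2))] += 1
    return sends


def parse_racoon(text):
    """Return (rejected, initiated, timed_out):
    rejected  - inbound sender address -> number of 'failed to get valid proposal' errors
    initiated - tunnel name -> peer addresses racoon initiated phase 1 toward
    timed_out - tunnel name -> peer addresses that never answered phase 1
    """
    rejected, initiated, timed_out = Counter(), defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        m = RACOON_REJECT.search(line)
        if m:
            rejected[m.group(1)] += 1
            continue
        m = RACOON_INITIATE.search(line)
        if m:
            initiated[m.group(1)].add(m.group(3))
            continue
        m = RACOON_P1_TIMEOUT.search(line)
        if m:
            timed_out[m.group(1)].add(m.group(2))
    return rejected, initiated, timed_out


def find_stale_peers(charon_text, racoon_text):
    """Heuristic: a racoon tunnel whose configured peer never answers phase 1, while the
    static side is at the same time rejecting requests from an address the dynamic side
    really sends from, is most likely pointed at an old resolution of the peer's name."""
    sends = parse_charon(charon_text)
    rejected, initiated, timed_out = parse_racoon(racoon_text)
    live_senders = {src for src, _dst in sends}
    findings = []
    for tunnel, peers in initiated.items():
        for peer in sorted(peers):
            if peer in timed_out[tunnel] and peer not in live_senders:
                for sender in sorted(live_senders & set(rejected)):
                    findings.append({
                        "tunnel": tunnel,
                        "stale_peer": peer,
                        "actual_sender": sender,
                        "rejected_requests": rejected[sender],
                        "packets_sent": sum(n for (s, _d), n in sends.items() if s == sender),
                    })
    return findings


if __name__ == "__main__":
    for f in find_stale_peers(CHARON_LOG, RACOON_LOG):
        print(f"{f['tunnel']}: still dialling {f['stale_peer']}, while {f['actual_sender']} sent "
              f"{f['packets_sent']} IKE packets and was rejected {f['rejected_requests']} times")
```

Run it against the full logs from both boxes (charon on the dynamic side, racoon on the static side, same clock window) and the report names the tunnel whose peer address on the static side no longer matches the address the dynamic side is really using. It does not say why the static side still holds the old address, which is the open question in this thread; it only makes the mismatch visible without reading two hundred log lines by hand.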
It looks like I solved the problem by using USERIDs on the local's ID side.
But what is the problem with using DN as ID? The DNS lookup WAS/IS okay!
-
Probably DNS caches make this not work sometimes, probably the PHP cache in this instance.
Anyhow, the user ID is a better choice in general.