Netgate Discussion Forum

    [2.2] Problem with Dynamic IP on strongSwan

    blackbinary

      Hi Guys,

      I updated my APU1.C4 from 2.1.5 to 2.2. Most things worked nicely for me, except for the package management, which was buggy until I globally turned off IPv6, and, more importantly: IPsec.

      • I have a tunnel to a pfSense 2.1.5
      • a 2nd one to a Watchguard XTM

      Both Phase 1s stay down with the same error:

      charon: 16[KNL] <localwanip> is not a local address or the interface is down
      charon: 16[NET] received packet from <remotewanip>[500] to <localwanip>[500] on ignored interface

      The remote pfSense always has a timeout while waiting for the local IKE packet.

      I have tried many things, and realized that both tunnels function after the pfSense has been restarted. At night, with the change of public IP, the connection seems to be completely lost. Restarting the service does not work. After a restart of the entire box the tunnel is working again.

      Can it be that strongSwan has problems with a dynamic WAN interface?

      I even tried to reinstall the pfSense. But a new setup ends in the same way.

      Here is my exact configuration:


      Local:

      • Dynamic WAN

      • No-IP DynDNS

      • APU1.C4 Hardware

      • P1
        Key Exchange version : IKE1
        Internet Protocol : IPv4
        Remote gateway : <remote's static WAN IP>
        Authentication method : Mutual PSK
        Negotiation mode : Aggressive
        My identifier : Distinguished Name : <local's DynDNS name>
        Peer identifier : <remote's static WAN IP>
        Pre-Shared Key : <a long alphanumeric PSK>
        Encryption algorithm : AES : 256
        Hash algorithm : SHA384
        DH key group : 5 (1536 bit)
        Lifetime : 28800
        Disable Rekey : NO
        Disable Reauth : NO
        NAT Traversal : AUTO
        Dead Peer Detection : YES : 10 - 5

      • P2
        Mode : Tunnel IPv4
        Local Network : LAN SubNET (172.20.20.0/24) : NO NAT
        Remote Network : 192.168.70.0/24
        Protocol : AES : 256
        Encryption algorithms : AES : 256
        Hash algorithms : SHA384
        PFS key group : 5 (1536 Bit)
        Lifetime : 3600
        Automatically ping host : 192.168.70.1

      Remote:

      • Static IP

      • CARP (I always use the CARP IP)

      • Virtual (2 pfsense on 2 ESXi Hosts)

      • P1
        Internet Protocol : IPv4
        Remote gateway : <local's DynDNS name>
        Authentication method : Mutual PSK
        Negotiation mode : Aggressive
        My identifier : <remote's static CARP WAN IP>
        Peer identifier : <local's DynDNS name>
        Pre-Shared Key : <a long alphanumeric PSK>
        Encryption algorithm : AES : 256
        Hash algorithm : SHA384
        DH key group : 5 (1536 bit)
        Lifetime : 28800
        Disable Rekey : NO
        Disable Reauth : NO
        NAT Traversal : AUTO
        Dead Peer Detection : YES : 10 - 5

      • P2
        Mode : Tunnel IPv4
        Local Network : LAN SubNET (192.168.70.0/24) : NO NAT
        Remote Network : 172.20.20.0/24
        Protocol : AES : 256
        Encryption algorithms : AES : 256
        Hash algorithms : SHA384
        PFS key group : 5 (1536 Bit)
        Lifetime : 3600
        Automatically ping host : 172.20.20.1
      
      Can someone help me? Does someone else have such problems?

      Thanks,

      Black
        eri--

        What logs do you have when it does not work?


          blackbinary

          It is not so easy, at the moment it works again. I will get you a more detailed log tomorrow, or when I can reproduce the error.

          What are the best debug settings in 2.2 strongSwan? "Highest" on all?


            blackbinary

            Okay, here are the log files:

            • 1.1.1.1 means the local public IP.
            • 2.2.2.2 means the remote static public IP.
            • 3.3.3.3 - I don't know, probably the "old" local IP from yesterday.
            • I can say for sure that my DynDNS was always up to date. I checked it with nslookup on 8.8.8.8.
            • If I restart the IPsec services there is no change, the tunnel does not go up.
            • If I restart the entire box everything works fine until the next IP change.

            Local site, pf 2.2, dynamic IP with DDNS:

            Feb 8 17:00:23	ipsec_starter[51250]: Starting weakSwan 5.2.1 IPsec [starter]...
            Feb 8 17:00:23	ipsec_starter[51250]: no netkey IPsec stack detected
            Feb 8 17:00:23	ipsec_starter[51250]: no KLIPS IPsec stack detected
            Feb 8 17:00:23	ipsec_starter[51250]: no known IPsec stack detected, ignoring!
            Feb 8 17:00:23	charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, FreeBSD 10.1-RELEASE-p4, amd64)
            Feb 8 17:00:24	charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
            Feb 8 17:00:24	charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
            Feb 8 17:00:24	charon: 00[CFG] ipseckey plugin is disabled
            Feb 8 17:00:24	charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
            Feb 8 17:00:24	charon: 00[CFG] loaded ca certificate "XXX'
            Feb 8 17:00:24	charon: 00[CFG] loaded ca certificate "XXX'
            Feb 8 17:00:24	charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
            Feb 8 17:00:24	charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
            Feb 8 17:00:24	charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
            Feb 8 17:00:24	charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
            Feb 8 17:00:24	charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
            Feb 8 17:00:24	charon: 00[CFG] loaded IKE secret for @%any 2.2.2.2
            Feb 8 17:00:24	charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
            Feb 8 17:00:24	charon: 00[CFG] loaded 0 RADIUS server configurations
            Feb 8 17:00:24	charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
            Feb 8 17:00:24	charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
            Feb 8 17:00:24	charon: 00[JOB] spawning 16 worker threads
            Feb 8 17:00:24	ipsec_starter[51801]: charon (51880) started after 80 ms
            Feb 8 17:00:24	charon: 15[CFG] received stroke: add connection 'con1000'
            Feb 8 17:00:24	charon: 15[CFG] added configuration 'con1000'
            Feb 8 17:00:24	charon: 15[CFG] received stroke: route 'con1000'
            Feb 8 17:00:24	ipsec_starter[51801]: 'con1000' routed
            Feb 8 17:00:24	ipsec_starter[51801]:
            Feb 8 17:00:24	charon: 01[CFG] received stroke: add connection 'con1001'
            Feb 8 17:00:24	charon: 01[CFG] added child to existing configuration 'con1000'
            Feb 8 17:00:24	charon: 01[CFG] received stroke: route 'con1001'
            Feb 8 17:00:24	ipsec_starter[51801]: 'con1001' routed
            Feb 8 17:00:24	ipsec_starter[51801]:
            Feb 8 17:00:24	charon: 01[CFG] received stroke: add connection 'con1002'
            Feb 8 17:00:24	charon: 01[CFG] added child to existing configuration 'con1000'
            Feb 8 17:00:24	charon: 15[CFG] received stroke: route 'con1002'
            Feb 8 17:00:24	ipsec_starter[51801]: 'con1002' routed
            Feb 8 17:00:24	ipsec_starter[51801]:
            Feb 8 17:00:24	charon: 01[CFG] received stroke: add connection 'con1003'
            Feb 8 17:00:24	charon: 01[CFG] added child to existing configuration 'con1000'
            Feb 8 17:00:24	charon: 15[CFG] received stroke: route 'con1003'
            Feb 8 17:00:24	ipsec_starter[51801]: 'con1003' routed
            Feb 8 17:00:24	ipsec_starter[51801]:
            Feb 8 17:00:32	charon: 15[KNL] creating acquire job for policy 1.1.1.1/32|/0 === 2.2.2.2/32|/0 with reqid {4}
            Feb 8 17:00:32	charon: 15[IKE] <con1000|1> initiating Aggressive Mode IKE_SA con1000[1] to 2.2.2.2
            Feb 8 17:00:32	charon: 15[IKE] initiating Aggressive Mode IKE_SA con1000[1] to 2.2.2.2
            Feb 8 17:00:32	charon: 15[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
            Feb 8 17:00:32	charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
            Feb 8 17:00:36	charon: 15[IKE] <con1000|1> sending retransmit 1 of request message ID 0, seq 1
            Feb 8 17:00:36	charon: 15[IKE] sending retransmit 1 of request message ID 0, seq 1
            Feb 8 17:00:36	charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
            Feb 8 17:00:44	charon: 15[IKE] <con1000|1> sending retransmit 2 of request message ID 0, seq 1
            Feb 8 17:00:44	charon: 15[IKE] sending retransmit 2 of request message ID 0, seq 1
            Feb 8 17:00:44	charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
            Feb 8 17:00:57	charon: 15[IKE] <con1000|1> sending retransmit 3 of request message ID 0, seq 1
            Feb 8 17:00:57	charon: 15[IKE] sending retransmit 3 of request message ID 0, seq 1
            Feb 8 17:00:57	charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
            Feb 8 17:00:57	charon: 15[KNL] creating acquire job for policy 1.1.1.1/32|/0 === 2.2.2.2/32|/0 with reqid {4}
            Feb 8 17:00:57	charon: 14[CFG] ignoring acquire, connection attempt pending
            Feb 8 17:01:20	charon: 14[IKE] <con1000|1> sending retransmit 4 of request message ID 0, seq 1
            Feb 8 17:01:20	charon: 14[IKE] sending retransmit 4 of request message ID 0, seq 1
            Feb 8 17:01:20	charon: 14[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
            Feb 8 17:02:02	charon: 14[IKE] <con1000|1> sending retransmit 5 of request message ID 0, seq 1
            Feb 8 17:02:02	charon: 14[IKE] sending retransmit 5 of request message ID 0, seq 1
            Feb 8 17:02:02	charon: 14[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
            Feb 8 17:03:04	charon: 14[KNL] creating acquire job for policy 1.1.1.1/32|/0 === 2.2.2.2/32|/0 with reqid {4}
            Feb 8 17:03:04	charon: 15[CFG] ignoring acquire, connection attempt pending
            Feb 8 17:03:18	charon: 15[IKE] <con1000|1> giving up after 5 retransmits
            Feb 8 17:03:18	charon: 15[IKE] giving up after 5 retransmits
            Feb 8 17:03:18	charon: 15[IKE] <con1000|1> peer not responding, trying again (2/3)
            Feb 8 17:03:18	charon: 15[IKE] peer not responding, trying again (2/3)
            Feb 8 17:03:18	charon: 15[IKE] <con1000|1> initiating Aggressive Mode IKE_SA con1000[1] to 2.2.2.2
            Feb 8 17:03:18	charon: 15[IKE] initiating Aggressive Mode IKE_SA con1000[1] to 2.2.2.2
            Feb 8 17:03:18	charon: 15[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
            Feb 8 17:03:18	charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
            Feb 8 17:03:22	charon: 15[IKE] <con1000|1> sending retransmit 1 of request message ID 0, seq 1
            Feb 8 17:03:22	charon: 15[IKE] sending retransmit 1 of request message ID 0, seq 1
            Feb 8 17:03:22	charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
            Feb 8 17:03:27	charon: 14[KNL] creating acquire job for policy 1.1.1.1/32|/0 === 2.2.2.2/32|/0 with reqid {4}
            Feb 8 17:03:27	charon: 14[CFG] ignoring acquire, connection attempt pending
            Feb 8 17:03:29	charon: 06[IKE] <con1000|1> sending retransmit 2 of request message ID 0, seq 1
            Feb 8 17:03:29	charon: 06[IKE] sending retransmit 2 of request message ID 0, seq 1
            Feb 8 17:03:29	charon: 06[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
            Feb 8 17:03:42	charon: 06[IKE] <con1000|1> sending retransmit 3 of request message ID 0, seq 1
            Feb 8 17:03:42	charon: 06[IKE] sending retransmit 3 of request message ID 0, seq 1
            Feb 8 17:03:42	charon: 06[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
            Feb 8 17:04:05	charon: 06[IKE] <con1000|1> sending retransmit 4 of request message ID 0, seq 1
            Feb 8 17:04:05	charon: 06[IKE] sending retransmit 4 of request message ID 0, seq 1
            Feb 8 17:04:05	charon: 06[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
            

            Same time on the remote site, pf 2.1.5, static IP:

            Feb 8 17:00:32	racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
            Feb 8 17:00:32	racoon: INFO: begin Aggressive mode.
            Feb 8 17:00:32	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
            Feb 8 17:00:32	racoon: INFO: received Vendor ID: DPD
            Feb 8 17:00:32	racoon: INFO: received Vendor ID: CISCO-UNITY
            Feb 8 17:00:32	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            Feb 8 17:00:32	racoon: INFO: received Vendor ID: RFC 3947
            Feb 8 17:00:32	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            Feb 8 17:00:32	racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
            Feb 8 17:00:32	racoon: ERROR: no suitable proposal found.
            Feb 8 17:00:32	racoon: [1.1.1.1] ERROR: failed to get valid proposal.
            Feb 8 17:00:32	racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
            Feb 8 17:00:32	racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
            Feb 8 17:00:34	racoon: [BlackHome]: [3.3.3.3] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
            Feb 8 17:00:36	racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
            Feb 8 17:00:36	racoon: INFO: begin Aggressive mode.
            Feb 8 17:00:36	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
            Feb 8 17:00:36	racoon: INFO: received Vendor ID: DPD
            Feb 8 17:00:36	racoon: INFO: received Vendor ID: CISCO-UNITY
            Feb 8 17:00:36	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            Feb 8 17:00:36	racoon: INFO: received Vendor ID: RFC 3947
            Feb 8 17:00:36	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            Feb 8 17:00:36	racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
            Feb 8 17:00:36	racoon: ERROR: no suitable proposal found.
            Feb 8 17:00:36	racoon: [1.1.1.1] ERROR: failed to get valid proposal.
            Feb 8 17:00:36	racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
            Feb 8 17:00:36	racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
            Feb 8 17:00:40	racoon: ERROR: phase1 negotiation failed due to time up. a8d53e996249d080:0000000000000000
            Feb 8 17:00:44	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
            Feb 8 17:00:44	racoon: INFO: received Vendor ID: DPD
            Feb 8 17:00:44	racoon: INFO: received Vendor ID: CISCO-UNITY
            Feb 8 17:00:44	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            Feb 8 17:00:44	racoon: INFO: received Vendor ID: RFC 3947
            Feb 8 17:00:44	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            Feb 8 17:00:44	racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
            Feb 8 17:00:44	racoon: ERROR: no suitable proposal found.
            Feb 8 17:00:44	racoon: [1.1.1.1] ERROR: failed to get valid proposal.
            Feb 8 17:00:44	racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
            Feb 8 17:00:44	racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
            Feb 8 17:00:57	racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
            Feb 8 17:00:57	racoon: INFO: begin Aggressive mode.
            Feb 8 17:00:57	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
            Feb 8 17:00:57	racoon: INFO: received Vendor ID: DPD
            Feb 8 17:00:57	racoon: INFO: received Vendor ID: CISCO-UNITY
            Feb 8 17:00:57	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            Feb 8 17:00:57	racoon: INFO: received Vendor ID: RFC 3947
            Feb 8 17:00:57	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            Feb 8 17:00:57	racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
            Feb 8 17:00:57	racoon: ERROR: no suitable proposal found.
            Feb 8 17:00:57	racoon: [1.1.1.1] ERROR: failed to get valid proposal.
            Feb 8 17:00:57	racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
            Feb 8 17:00:57	racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
            Feb 8 17:01:00	racoon: [ARGO Joerg Home]: INFO: IPsec-SA request for 94.196.192.40 queued due to no phase1 found.
            Feb 8 17:01:00	racoon: [ARGO Joerg Home]: INFO: initiate new phase 1 negotiation: 178.209.50.28[500]<=>94.196.192.40[500]
            Feb 8 17:01:00	racoon: INFO: begin Aggressive mode.
            Feb 8 17:01:05	racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
            Feb 8 17:01:05	racoon: INFO: delete phase 2 handler.
            Feb 8 17:01:11	racoon: [BlackHome]: INFO: IPsec-SA request for 3.3.3.3 queued due to no phase1 found.
            Feb 8 17:01:11	racoon: [BlackHome]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>3.3.3.3[500]
            Feb 8 17:01:11	racoon: INFO: begin Aggressive mode.
            Feb 8 17:01:20	racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
            Feb 8 17:01:20	racoon: INFO: begin Aggressive mode.
            Feb 8 17:01:20	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
            Feb 8 17:01:20	racoon: INFO: received Vendor ID: DPD
            Feb 8 17:01:20	racoon: INFO: received Vendor ID: CISCO-UNITY
            Feb 8 17:01:20	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            Feb 8 17:01:20	racoon: INFO: received Vendor ID: RFC 3947
            Feb 8 17:01:20	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            Feb 8 17:01:20	racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
            Feb 8 17:01:20	racoon: ERROR: no suitable proposal found.
            Feb 8 17:01:20	racoon: [1.1.1.1] ERROR: failed to get valid proposal.
            Feb 8 17:01:20	racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
            Feb 8 17:01:20	racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
            Feb 8 17:01:25	racoon: [Aganor_Blacksfriend]: INFO: IPsec-SA request for 85.182.61.74 queued due to no phase1 found.
            Feb 8 17:01:25	racoon: [Aganor_Blacksfriend]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>85.182.61.74[500]
            Feb 8 17:01:25	racoon: INFO: begin Aggressive mode.
            Feb 8 17:01:31	racoon: [ARGO Joerg Home]: [94.196.192.40] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 94.196.192.40[0]->178.209.50.28[0]
            Feb 8 17:01:31	racoon: INFO: delete phase 2 handler.
            Feb 8 17:01:42	racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
            Feb 8 17:01:42	racoon: INFO: delete phase 2 handler.
            Feb 8 17:01:50	racoon: ERROR: phase1 negotiation failed due to time up. f6a66ddc2534fc41:0000000000000000
            Feb 8 17:01:50	racoon: [BlackHome]: [3.3.3.3] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
            Feb 8 17:01:50	racoon: [BlackHome]: [3.3.3.3] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
            Feb 8 17:01:56	racoon: [Aganor_Blacksfriend]: [85.182.61.74] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 85.182.61.74[0]->2.2.2.2[0]
            Feb 8 17:01:56	racoon: INFO: delete phase 2 handler.
            Feb 8 17:02:01	racoon: ERROR: phase1 negotiation failed due to time up. e4a16d951d1e3353:0000000000000000
            Feb 8 17:02:02	racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
            Feb 8 17:02:02	racoon: INFO: begin Aggressive mode.
            Feb 8 17:02:02	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
            Feb 8 17:02:02	racoon: INFO: received Vendor ID: DPD
            Feb 8 17:02:02	racoon: INFO: received Vendor ID: CISCO-UNITY
            Feb 8 17:02:02	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            Feb 8 17:02:02	racoon: INFO: received Vendor ID: RFC 3947
            Feb 8 17:02:02	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            Feb 8 17:02:02	racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
            Feb 8 17:02:02	racoon: ERROR: no suitable proposal found.
            Feb 8 17:02:02	racoon: [1.1.1.1] ERROR: failed to get valid proposal.
            Feb 8 17:02:02	racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
            Feb 8 17:02:02	racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
            Feb 8 17:02:15	racoon: ERROR: phase1 negotiation failed due to time up. eddaebbe2a686f0f:0000000000000000
            Feb 8 17:02:15	racoon: [BlackHome]: INFO: IPsec-SA request for 3.3.3.3 queued due to no phase1 found.
            Feb 8 17:02:15	racoon: [BlackHome]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>3.3.3.3[500]
            Feb 8 17:02:15	racoon: INFO: begin Aggressive mode.
            Feb 8 17:02:21	racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
            Feb 8 17:02:21	racoon: INFO: delete phase 2 handler.
            Feb 8 17:02:22	racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
            Feb 8 17:02:22	racoon: INFO: delete phase 2 handler.
            Feb 8 17:02:33	racoon: [BlackHome]: [3.3.3.3] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
            Feb 8 17:02:40	racoon: [BlackHome]: [3.3.3.3] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
            Feb 8 17:02:47	racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
            Feb 8 17:02:47	racoon: INFO: delete phase 2 handler.
            Feb 8 17:03:04	racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
            Feb 8 17:03:04	racoon: INFO: delete phase 2 handler.
            Feb 8 17:03:05	racoon: ERROR: phase1 negotiation failed due to time up. 7b1f30dd0b53a946:0000000000000000
            Feb 8 17:03:12	racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
            Feb 8 17:03:12	racoon: INFO: delete phase 2 handler.
            Feb 8 17:03:15	racoon: [BlackHome]: INFO: IPsec-SA request for 3.3.3.3 queued due to no phase1 found.
            Feb 8 17:03:15	racoon: [BlackHome]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>3.3.3.3[500]
            Feb 8 17:03:15	racoon: INFO: begin Aggressive mode.
            Feb 8 17:03:18	racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
            Feb 8 17:03:18	racoon: INFO: begin Aggressive mode.
            Feb 8 17:03:18	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
            Feb 8 17:03:18	racoon: INFO: received Vendor ID: DPD
            Feb 8 17:03:18	racoon: INFO: received Vendor ID: CISCO-UNITY
            Feb 8 17:03:18	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            Feb 8 17:03:18	racoon: INFO: received Vendor ID: RFC 3947
            Feb 8 17:03:18	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            Feb 8 17:03:18	racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
            Feb 8 17:03:18	racoon: ERROR: no suitable proposal found.
            Feb 8 17:03:18	racoon: [1.1.1.1] ERROR: failed to get valid proposal.
            Feb 8 17:03:18	racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
            Feb 8 17:03:18	racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
            Feb 8 17:03:22	racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
            Feb 8 17:03:22	racoon: INFO: begin Aggressive mode.
            Feb 8 17:03:22	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
            Feb 8 17:03:22	racoon: INFO: received Vendor ID: DPD
            Feb 8 17:03:22	racoon: INFO: received Vendor ID: CISCO-UNITY
            Feb 8 17:03:22	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            Feb 8 17:03:22	racoon: INFO: received Vendor ID: RFC 3947
            Feb 8 17:03:22	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            Feb 8 17:03:22	racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
            Feb 8 17:03:22	racoon: ERROR: no suitable proposal found.
            Feb 8 17:03:22	racoon: [1.1.1.1] ERROR: failed to get valid proposal.
            Feb 8 17:03:22	racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
            Feb 8 17:03:22	racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
            Feb 8 17:03:29	racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
            Feb 8 17:03:29	racoon: INFO: begin Aggressive mode.
            Feb 8 17:03:29	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
            Feb 8 17:03:29	racoon: INFO: received Vendor ID: DPD
            Feb 8 17:03:29	racoon: INFO: received Vendor ID: CISCO-UNITY
            Feb 8 17:03:29	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            Feb 8 17:03:29	racoon: INFO: received Vendor ID: RFC 3947
            Feb 8 17:03:29	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            Feb 8 17:03:29	racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
            Feb 8 17:03:29	racoon: ERROR: no suitable proposal found.
            Feb 8 17:03:29	racoon: [1.1.1.1] ERROR: failed to get valid proposal.
            Feb 8 17:03:29	racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
            Feb 8 17:03:29	racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
            Feb 8 17:03:42	racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
            Feb 8 17:03:42	racoon: INFO: begin Aggressive mode.
            Feb 8 17:03:42	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
            Feb 8 17:03:42	racoon: INFO: received Vendor ID: DPD
            Feb 8 17:03:42	racoon: INFO: received Vendor ID: CISCO-UNITY
            Feb 8 17:03:42	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            Feb 8 17:03:42	racoon: INFO: received Vendor ID: RFC 3947
            Feb 8 17:03:42	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            Feb 8 17:03:42	racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
            Feb 8 17:03:42	racoon: ERROR: no suitable proposal found.
            Feb 8 17:03:42	racoon: [1.1.1.1] ERROR: failed to get valid proposal.
            Feb 8 17:03:42	racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
            Feb 8 17:03:42	racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
            Feb 8 17:03:46	racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
            Feb 8 17:03:46	racoon: INFO: delete phase 2 handler.
            Feb 8 17:03:49	racoon: [BlackHome]: [3.3.3.3] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
            Feb 8 17:04:05	racoon: ERROR: phase1 negotiation failed due to time up. 10110f7a42388b60:0000000000000000
            Feb 8 17:04:05	racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
            Feb 8 17:04:05	racoon: INFO: begin Aggressive mode.
            Feb 8 17:04:05	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
            Feb 8 17:04:05	racoon: INFO: received Vendor ID: DPD
            Feb 8 17:04:05	racoon: INFO: received Vendor ID: CISCO-UNITY
            Feb 8 17:04:05	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            Feb 8 17:04:05	racoon: INFO: received Vendor ID: RFC 3947
            Feb 8 17:04:05	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            Feb 8 17:04:05	racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
            Feb 8 17:04:05	racoon: ERROR: no suitable proposal found.
            Feb 8 17:04:05	racoon: [1.1.1.1] ERROR: failed to get valid proposal.
            Feb 8 17:04:05	racoon: [1.1.1.1] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
            Feb 8 17:04:05	racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
            
            

            = It looks like I solved the problem by using USERIDs on the local's ID side.
              But what is the problem with using DN as ID? The DNS lookup WAS/IS okay!

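            As an added example (not from the thread and not pfSense or strongSwan code), a small Python correlator that reads an initiator (charon) excerpt next to a responder (racoon) excerpt and flags the three symptoms visible above: the initiator retransmits and never sees a reply, the responder receives those packets but rejects Phase 1, and the responder keeps initiating towards an address other than the one the packets actually come from, which is what a stale cached resolution of the DynDNS name looks like. The embedded log lines are a constructed subset modelled on the ones posted, with the same 1.1.1.1 / 2.2.2.2 / 3.3.3.3 placeholders.

```python
"""Correlate an IKEv1 aggressive-mode initiator (strongSwan charon) log with the
responder (racoon) log to triage a Phase 1 failure after a dynamic-IP change.
Added example for this thread, not pfSense/strongSwan code. The log excerpts are a
constructed subset modelled on the ones posted: 1.1.1.1 = current local public IP,
2.2.2.2 = remote static IP, 3.3.3.3 = the stale local IP the responder still uses.
"""
import re
from collections import Counter

CHARON_LOG = """\
Feb 8 17:00:32 charon: 15[KNL] creating acquire job for policy 1.1.1.1/32|/0 === 2.2.2.2/32|/0 with reqid {4}
Feb 8 17:00:32 charon: 15[IKE] <con1000|1> initiating Aggressive Mode IKE_SA con1000[1] to 2.2.2.2
Feb 8 17:00:32 charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:00:36 charon: 15[IKE] <con1000|1> sending retransmit 1 of request message ID 0, seq 1
Feb 8 17:00:36 charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:00:44 charon: 15[IKE] <con1000|1> sending retransmit 2 of request message ID 0, seq 1
Feb 8 17:00:44 charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (461 bytes)
Feb 8 17:03:18 charon: 15[IKE] <con1000|1> giving up after 5 retransmits
Feb 8 17:03:18 charon: 15[IKE] <con1000|1> peer not responding, trying again (2/3)
"""

RACOON_LOG = """\
Feb 8 17:00:32 racoon: [Self]: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Feb 8 17:00:32 racoon: INFO: begin Aggressive mode.
Feb 8 17:00:32 racoon: [1.1.1.1] INFO: Selected NAT-T version: RFC 3947
Feb 8 17:00:32 racoon: ERROR: no suitable proposal found.
Feb 8 17:00:32 racoon: [1.1.1.1] ERROR: failed to get valid proposal.
Feb 8 17:00:32 racoon: [1.1.1.1] ERROR: phase1 negotiation failed.
Feb 8 17:01:11 racoon: [BlackHome]: INFO: IPsec-SA request for 3.3.3.3 queued due to no phase1 found.
Feb 8 17:01:11 racoon: [BlackHome]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>3.3.3.3[500]
Feb 8 17:01:42 racoon: [BlackHome]: [3.3.3.3] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 3.3.3.3[0]->2.2.2.2[0]
"""

# strongSwan (initiator side) message shapes
SEND_RE = re.compile(r"charon: \d+\[NET\] sending packet: from ([\d.]+)\[500\] to ([\d.]+)\[500\]")
RECV_RE = re.compile(r"charon: \d+\[NET\] received packet: from ([\d.]+)\[500\]")
RETRANSMIT_RE = re.compile(r"sending retransmit (\d+) of request message ID")
GIVE_UP_RE = re.compile(r"giving up after \d+ retransmits")
# racoon (responder side) message shapes
RESPOND_RE = re.compile(r"racoon: \[Self\]: INFO: respond new phase 1 negotiation: ([\d.]+)\[500\]<=>([\d.]+)\[500\]")
INITIATE_RE = re.compile(r"racoon: \[(?P<conn>[^\]]+)\]: INFO: initiate new phase 1 negotiation: ([\d.]+)\[500\]<=>([\d.]+)\[500\]")
PROPOSAL_RE = re.compile(r"racoon: ERROR: no suitable proposal found")


def parse_initiator(log):
    """Count what the initiator sent, retransmitted and received."""
    sent = Counter()  # (src, dst) -> number of IKE packets sent
    stats = {"retransmits": 0, "received": 0, "gave_up": False}
    for line in log.splitlines():
        if m := SEND_RE.search(line):
            sent[(m.group(1), m.group(2))] += 1
        elif RECV_RE.search(line):
            stats["received"] += 1
        elif RETRANSMIT_RE.search(line):
            stats["retransmits"] += 1
        elif GIVE_UP_RE.search(line):
            stats["gave_up"] = True
    stats["sent"] = sent
    return stats


def parse_responder(log):
    """Record which peers the responder answered, which addresses it tried to
    initiate to per connection, and how often it rejected a Phase 1 proposal."""
    stats = {"respond_from": set(), "initiate_to": {}, "proposal_errors": 0}
    for line in log.splitlines():
        if m := RESPOND_RE.search(line):
            stats["respond_from"].add(m.group(2))
        elif m := INITIATE_RE.search(line):
            stats["initiate_to"].setdefault(m.group("conn"), set()).add(m.group(3))
        elif PROPOSAL_RE.search(line):
            stats["proposal_errors"] += 1
    return stats


def diagnose(charon_log, racoon_log):
    """Turn the two parsed views into a short list of finding codes."""
    ini = parse_initiator(charon_log)
    rsp = parse_responder(racoon_log)
    local_ips = {src for src, _ in ini["sent"]}
    findings = []
    if ini["retransmits"] and ini["received"] == 0:
        findings.append("NO_REPLY")  # initiator keeps retransmitting, never answered
    if rsp["proposal_errors"] and local_ips & rsp["respond_from"]:
        findings.append("RESPONDER_REJECTS_PHASE1")  # packets arrive, Phase 1 refused
    # A responder initiating to an address it is not receiving from means its idea
    # of the peer address (resolved from the DynDNS name) has gone stale.
    stale = {conn: ips - rsp["respond_from"]
             for conn, ips in rsp["initiate_to"].items() if ips - rsp["respond_from"]}
    if stale:
        findings.append("STALE_PEER_ADDRESS")
    return {"findings": findings, "local_ips": local_ips, "stale_peers": stale,
            "initiator": ini, "responder": rsp}


if __name__ == "__main__":
    report = diagnose(CHARON_LOG, RACOON_LOG)
    for code in report["findings"]:
        print(code)
    for conn, ips in report["stale_peers"].items():
        print(f"  {conn}: responder still initiates to {sorted(ips)} "
              f"while packets arrive from {sorted(report['local_ips'])}")
```

Run against the full excerpts from the thread, the same three codes come out, and the STALE_PEER_ADDRESS detail names 3.3.3.3 for BlackHome, which is the address the remote side kept trying after the local IP had already changed.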
              eri--

              Probably DNS caches make this not work sometimes, probably the PHP cache in this instance.

              Anyhow, the userid is a better choice in general.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.