Couldn't find the proper pskey



  • Hello everyone,

    I'm trying to setup the site-to-site ipsec vpn with static ip addresses on both ends. I managed to get the tunnel up and running and I can ping the workstation from site A to side B and site B to site A. However I keep getting this error message ( racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address) in the IPSEC VPN log. I've attached serveral images for you to look at, please give me some ideas or point me to the right direction on how to fix this. Thank you very much.



  • No help at all?

    Anybody knows about this problem?



  • The tunnel are up and running correctly?

    "couldn't find the proper pskey, try to get one by the peer's address" Below the technical statement:

    Using ESP/transport/PSK, racoon successfully establishes both an ISAKMP and IPSec SA. At this point, both hosts are able to ping each other.

    Once the ISAKMP-SA expires at the remote host, the remote host attempts to notify the local host that the SA has expired with a notify message. Since the notify message is not encrypted, the local host ignores it.

    Soon thereafter, the IPSec-SA expires at the local host. The local host attempts to a phase 2 negotiation, which fails since the ISAKMP-SA as already expired. Both hosts then go into a loop: the local host trying to establish a phase 2 SA, the remote host trying to tell the local host that the ISAKMP-SA has expired. At this point, IKE should perform a fresh phase 1 negotiation, but this is not taking place.

    As a result, IP connectivity between the hosts is lost as soon as the first IPSec-SA expires.

    Workaround:

    Please test greater lifetimes and different lifetimes for phase 1 and phase 2. Here in the forum you will find a lot of threads about setting the lifetimes….

    Regards
    Heiko



  • Hi Heiko, thank you very much for the detail reply. I will test with greater lifetime and search the forum for better lifetime setting. Thanks again.


Log in to reply