Netgate Discussion Forum

    Couldn't find the proper pskey

      jle2005

      Hello everyone,

      I'm trying to set up a site-to-site IPsec VPN with static IP addresses on both ends. I managed to get the tunnel up and running, and I can ping the workstation from site A to site B and from site B to site A. However, I keep getting this error message (racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address) in the IPsec VPN log. I've attached several images for you to look at; please give me some ideas or point me in the right direction on how to fix this. Thank you very much.

        jle2005

        No help at all?

        Does anybody know about this problem?

          heiko

          Is the tunnel up and running correctly?

          "couldn't find the proper pskey, try to get one by the peer's address". Below is the technical statement:

          Using ESP/transport/PSK, racoon successfully establishes both an ISAKMP and IPSec SA. At this point, both hosts are able to ping each other.

          Once the ISAKMP-SA expires at the remote host, the remote host attempts to notify the local host that the SA has expired with a notify message. Since the notify message is not encrypted, the local host ignores it.

          Soon thereafter, the IPSec-SA expires at the local host. The local host attempts a phase 2 negotiation, which fails since the ISAKMP-SA has already expired. Both hosts then go into a loop: the local host trying to establish a phase 2 SA, the remote host trying to tell the local host that the ISAKMP-SA has expired. At this point, IKE should perform a fresh phase 1 negotiation, but this is not taking place.

          As a result, IP connectivity between the hosts is lost as soon as the first IPSec-SA expires.

          Workaround:

          Please test greater lifetimes and different lifetimes for phase 1 and phase 2. Here in the forum you will find a lot of threads about setting the lifetimes…

          Regards
          Heiko
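
Added example, not part of the original post or of racoon/pfSense: a small Python check that reads the `lifetime time` values from the `remote` (phase 1) and `sainfo` (phase 2) sections of a racoon.conf and flags the case where the ISAKMP-SA cannot outlive the IPsec-SA, which is the sequence described above. The rule (phase 1 lifetime longer than phase 2) is an assumption drawn from that description; the peer address, subnets and lifetime values are constructed samples.

```python
import re

UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600}
LIFETIME_RE = re.compile(r"lifetime\s+time\s+(\d+)\s*(sec|min|hour)", re.I)

# Constructed, trimmed racoon.conf skeleton (sample peer and subnets).
TEMPLATE = """
remote 203.0.113.2 {
    exchange_mode main;
    lifetime time %s;        # phase 1 (ISAKMP-SA)
    proposal {
        authentication_method pre_shared_key;
    }
}
sainfo address 10.0.1.0/24 any address 10.0.2.0/24 any {
    lifetime time %s;        # phase 2 (IPsec-SA)
}
"""
EQUAL = TEMPLATE % ("3600 sec", "3600 sec")      # both SAs expire together
STAGGERED = TEMPLATE % ("8 hours", "60 min")     # phase 1 outlives phase 2


def parse_lifetimes(conf):
    """Return lifetimes in seconds, grouped by top-level section."""
    found = {"remote": [], "sainfo": []}
    section, depth = None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if depth == 0:                           # a new top-level block starts here
            word = line.split(None, 1)[0] if line else ""
            section = word if word in found else None
        m = LIFETIME_RE.search(line)
        if m and section:
            found[section].append(int(m.group(1)) * UNIT_SECONDS[m.group(2).lower()])
        depth += line.count("{") - line.count("}")
    return found


def check(conf):
    """Flag phase 1 lifetimes that do not exceed a phase 2 lifetime."""
    lt = parse_lifetimes(conf)
    return [f"phase 1 lifetime {p1}s does not exceed phase 2 lifetime {p2}s"
            for p1 in lt["remote"] for p2 in lt["sainfo"] if p1 <= p2]


if __name__ == "__main__":
    for name, conf in (("equal", EQUAL), ("staggered", STAGGERED)):
        print(name, parse_lifetimes(conf), check(conf) or "ok")
```

Run it against the configuration of both peers, since the sequence above starts with the SA expiring on one side only.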

            jle2005

            Hi Heiko, thank you very much for the detailed reply. I will test with greater lifetimes and search the forum for better lifetime settings. Thanks again.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.