From: "Kenneth Karoliussen"
Date: Mon, 2 Sep 2002 23:07:14 +0200 (CEST)
Subject: "give up to get IPsec-SA due to time up to wait"
Message-ID: <1838.192.168.1.2.1031000834.squirrel@www.active-area.com>
Sender: owner-freebsd-questions@FreeBSD.ORG

Hi,

I've set up two separate FreeBSD IPSEC clients (using racoon) toward our VPN Intel Netstructure, routing two different RFC1918 C-nets. Both clients are almost identical in configuration, but one of them does not obtain a proper connection, and seems to fail with the following time out entry in phase2:

"give up to get IPsec-SA due to time up to wait"

racoon.log (public addresses changed):

*snip*
2002-09-02 22:52:30: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
2002-09-02 22:52:31: WARNING: isakmp_inf.c:1281:isakmp_check_notify(): ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
2002-09-02 22:52:31: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established XclientaddrX[500]-XvpnaddX[500] spi:c6c6651f642823a9:b061d2bdd67f9c40
2002-09-02 22:52:31: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: XclientaddrX[0]<=>XvpnaddX[0]
2002-09-02 22:52:31: ERROR: proposal.c:489:cmpsatrns(): trns_id mismatched: my:2 peer:3
2002-09-02 22:52:31: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel XvpnaddX->XclientaddrX spi=137162047(0x82ced3f)
2002-09-02 22:52:31: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel XclientaddrX->XvpnaddX spi=1006533165(0x3bfe7a2d)
2002-09-02 22:52:45: ERROR: pfkey.c:738:pfkey_timeover(): XvpnaddX give up to get IPsec-SA due to time up to wait.
2002-09-02 22:52:45: INFO: isakmp.c:1561:isakmp_ph1delete(): ISAKMP-SA deleted XclientaddrX[500]-XvpnaddX[500] spi:302e0ef400930c65:cb04d55e3ed8e717

The other IPSEC client is running without any problem, and I really appreciate any ideas what may be the cause.

Best,
Kenneth Karolissen
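An added example, not part of the original message: a small parser for the racoon log format shown above that collects the ERROR lines and the phase 1 and phase 2 SPIs, and reports any ISAKMP-SA that is deleted without its establishment appearing in the same excerpt. The function, regex and field names are this example's own; the sample lines are copied from the message.

```python
import re

# Log lines copied from the message above (addresses already masked by the poster).
SAMPLE = """\
2002-09-02 22:52:31: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established XclientaddrX[500]-XvpnaddX[500] spi:c6c6651f642823a9:b061d2bdd67f9c40
2002-09-02 22:52:31: ERROR: proposal.c:489:cmpsatrns(): trns_id mismatched: my:2 peer:3
2002-09-02 22:52:31: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel XvpnaddX->XclientaddrX spi=137162047(0x82ced3f)
2002-09-02 22:52:31: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel XclientaddrX->XvpnaddX spi=1006533165(0x3bfe7a2d)
2002-09-02 22:52:45: ERROR: pfkey.c:738:pfkey_timeover(): XvpnaddX give up to get IPsec-SA due to time up to wait.
2002-09-02 22:52:45: INFO: isakmp.c:1561:isakmp_ph1delete(): ISAKMP-SA deleted XclientaddrX[500]-XvpnaddX[500] spi:302e0ef400930c65:cb04d55e3ed8e717
"""

# Line layout: "<date> <time>: LEVEL: file.c:line:function(): message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?P<level>[A-Z]+): "
    r"(?P<file>[\w.]+):(?P<line>\d+):(?P<func>\w+)\(\): (?P<msg>.*)$")
# Phase 1 (ISAKMP) SAs are identified by an initiator:responder cookie pair.
PH1_SPI_RE = re.compile(r"ISAKMP-SA (established|deleted) .* spi:([0-9a-f]{16}:[0-9a-f]{16})")
# Phase 2 (IPsec) SAs are logged with a decimal SPI and its hex form.
PH2_SPI_RE = re.compile(r"IPsec-SA established: .* spi=\d+\((0x[0-9a-f]+)\)")

def summarize(text):
    """Return errors and SA identifiers found in a racoon log excerpt."""
    out = {"errors": [], "ph1_established": [], "ph1_deleted": [],
           "ph2_spis": [], "unparsed": 0}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            out["unparsed"] += 1 if line else 0  # count non-empty lines we could not parse
            continue
        msg = m.group("msg")
        if m.group("level") == "ERROR":
            out["errors"].append((m.group("ts"), m.group("func"), msg))
        p1 = PH1_SPI_RE.search(msg)
        if p1:
            out["ph1_" + p1.group(1)].append(p1.group(2))
        p2 = PH2_SPI_RE.search(msg)
        if p2:
            out["ph2_spis"].append(p2.group(1))
    # Phase 1 SAs torn down here whose establishment is outside the excerpt.
    out["deleted_not_seen_established"] = [
        s for s in out["ph1_deleted"] if s not in out["ph1_established"]]
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

On the excerpt in the message, the ISAKMP-SA deleted at 22:52:45 carries a different spi from the one established at 22:52:31, so its establishment lies in the snipped part of the log.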