# IPsec phase2 timeout [SOLVED]

## iarwain

Hi, I'm trying to connect to my work firewall with racoon, but it fails in the phase 2.

My IP addresses are the following:

```
LOCAL_IP_HOME=192.168.1.7
LOCAL_NET_WORK=192.168.102.0/23
PUBLIC_IP_WORK=230.230.230.230
```

This is the output of running "racoon -F -f /etc/racoon/racoon.conf":

```
Foreground mode.
2007-04-03 23:25:45: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
2007-04-03 23:25:45: INFO: @(#)This product linked OpenSSL 0.9.8d 28 Sep 2006 (http://www.openssl.org/)
2007-04-03 23:25:45: INFO: 192.168.1.7[4500] used as isakmp port (fd=8)
2007-04-03 23:25:45: INFO: 192.168.1.7[4500] used for NAT-T
2007-04-03 23:25:45: INFO: 192.168.1.7[500] used as isakmp port (fd=9)
2007-04-03 23:25:45: INFO: 192.168.1.7[500] used for NAT-T
2007-04-03 23:26:01: INFO: IPsec-SA request for 230.230.230.230 queued due to no phase1 found.
2007-04-03 23:26:01: INFO: initiate new phase 1 negotiation: 192.168.1.7[500]<=>230.230.230.230[500]
2007-04-03 23:26:01: INFO: begin Aggressive mode.
2007-04-03 23:26:02: INFO: received Vendor ID: DPD
2007-04-03 23:26:02: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-04-03 23:26:02: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2007-04-03 23:26:02: INFO: Hashing 192.168.1.7[500] with algo #2
2007-04-03 23:26:02: INFO: NAT-D payload #-1 doesn't match
2007-04-03 23:26:02: INFO: Hashing 230.230.230.230[500] with algo #2
2007-04-03 23:26:02: INFO: NAT-D payload #0 verified
2007-04-03 23:26:02: INFO: NAT detected: ME
2007-04-03 23:26:02: INFO: KA list add: 192.168.1.7[4500]->230.230.230.230[4500]
2007-04-03 23:26:02: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
2007-04-03 23:26:02: INFO: Adding remote and local NAT-D payloads.
2007-04-03 23:26:02: INFO: Hashing 230.230.230.230[4500] with algo #2
2007-04-03 23:26:02: INFO: Hashing 192.168.1.7[4500] with algo #2
2007-04-03 23:26:02: INFO: ISAKMP-SA established 192.168.1.7[4500]-230.230.230.230[4500] spi:2ec9c07c5874fdbf:5d48227c555f2ac2
2007-04-03 23:26:02: INFO: initiate new phase 2 negotiation: 192.168.1.7[4500]<=>230.230.230.230[4500]
2007-04-03 23:26:02: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
2007-04-03 23:26:32: INFO: IPsec-SA expired: ESP/Tunnel 230.230.230.30[0]->192.168.1.7[0] spi=190156790(0xb558ff6)
2007-04-03 23:26:32: WARNING: the expire message is received but the handler has not been established.
2007-04-03 23:26:32: ERROR: 230.230.230.30 give up to get IPsec-SA due to time up to wait
```

As you can see: ERROR: 230.230.230.30 give up to get IPsec-SA due to time up to wait

My racoon.conf:

```
path pre_shared_key "/etc/racoon/psk.txt" ;

listen
{
  isakmp 192.168.1.7[500];
  isakmp_natt 192.168.1.7[4500];
}

remote 230.230.230.230
{
  exchange_mode aggressive ;
  nat_traversal on;
  my_identifier user_fqdn "my@fqdn.com" ;
  lifetime time 28800 sec ;
  proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method pre_shared_key ;
    dh_group 2 ;
  }
}

sainfo address 192.168.1.7/32 any address 192.168.102.0/23 any
{
  pfs_group 2 ;
  lifetime time 3600 sec ;
  encryption_algorithm 3des ;
  authentication_algorithm hmac_sha1 ;
  compression_algorithm deflate ;
}
```

And /etc/ipsec.conf:

```
flush;
spdflush;
spdadd 192.168.1.7 192.168.102.0/23 any -P out ipsec esp/tunnel/192.168.1.7-230.230.230.230/require;
spdadd 192.168.102.0/23 192.168.1.7 any -P in ipsec esp/tunnel/230.230.230.230-192.168.1.7/require;
```

Any comments would be highly appreciated. Thank you.

Last edited by iarwain on Mon May 28, 2007 8:56 pm; edited 1 time in total
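Reading the racoon output above mechanically, as an added example that is not part of the original post: the Python script below (written for this page, not from ipsec-tools) parses racoon's foreground log format, records whether the ISAKMP-SA (phase 1) came up, whether an IPsec-SA (phase 2) followed, and how long racoon waited before giving up. The sample log is constructed from the lines quoted above, and the message prefixes it matches on are the ones that appear in that log.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: the racoon -F output quoted in the post above, trimmed to
# the lines that matter for the verdict.
SAMPLE_LOG = """\
2007-04-03 23:26:01: INFO: IPsec-SA request for 230.230.230.230 queued due to no phase1 found.
2007-04-03 23:26:01: INFO: initiate new phase 1 negotiation: 192.168.1.7[500]<=>230.230.230.230[500]
2007-04-03 23:26:01: INFO: begin Aggressive mode.
2007-04-03 23:26:02: INFO: NAT detected: ME
2007-04-03 23:26:02: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
2007-04-03 23:26:02: INFO: ISAKMP-SA established 192.168.1.7[4500]-230.230.230.230[4500] spi:2ec9c07c5874fdbf:5d48227c555f2ac2
2007-04-03 23:26:02: INFO: initiate new phase 2 negotiation: 192.168.1.7[4500]<=>230.230.230.230[4500]
2007-04-03 23:26:02: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
2007-04-03 23:26:32: INFO: IPsec-SA expired: ESP/Tunnel 230.230.230.30[0]->192.168.1.7[0] spi=190156790(0xb558ff6)
2007-04-03 23:26:32: WARNING: the expire message is received but the handler has not been established.
2007-04-03 23:26:32: ERROR: 230.230.230.30 give up to get IPsec-SA due to time up to wait
"""

# racoon foreground lines look like "YYYY-MM-DD HH:MM:SS: LEVEL: message"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): ([A-Z]+): (.*)$")


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Split racoon foreground output into (timestamp, level, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def first_time(events: List[Tuple[datetime, str, str]], needle: str) -> Optional[datetime]:
    """Timestamp of the first event whose message contains needle, or None."""
    for ts, _, msg in events:
        if needle in msg:
            return ts
    return None


def diagnose(text: str) -> Dict[str, object]:
    """Decide which IKE phase failed from the message sequence, not from the last line alone."""
    events = parse_log(text)
    msgs = [m for _, _, m in events]

    def seen(needle: str) -> bool:
        return any(needle in m for m in msgs)

    result: Dict[str, object] = {
        "phase1_established": seen("ISAKMP-SA established"),
        "phase2_established": seen("IPsec-SA established"),
        "phase2_timed_out": seen("give up to get IPsec-SA"),
        "nat_detected": seen("NAT detected"),
        # racoon found no PSK for the identifier and fell back to the peer address
        "psk_by_address": seen("couldn't find the proper pskey"),
        "phase2_wait_seconds": None,
    }
    t_start = first_time(events, "initiate new phase 2")
    t_fail = first_time(events, "give up to get IPsec-SA")
    if t_start and t_fail:
        result["phase2_wait_seconds"] = int((t_fail - t_start).total_seconds())

    if not result["phase1_established"]:
        result["verdict"] = "phase 1 failed: check PSK, identifier, exchange mode and phase-1 proposal"
    elif result["phase2_established"]:
        result["verdict"] = "tunnel up"
    else:
        result["verdict"] = ("phase 2 failed after ISAKMP-SA was established: compare sainfo "
                             "selectors, pfs_group and the phase-2 proposal with what the peer expects")
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the log above the verdict is that phase 1 succeeded and phase 2 timed out 30 seconds after it was initiated, which points at the quick-mode parameters (selectors, PFS group, proposal) rather than at the pre-shared key or identity.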

----------

## jpl888

In the absence of anyone else giving you a sniff, I will tell you what I do.

Use OpenSWAN instead.

If you want more help tell me what the first and second phase encryption should be to connect to the other end of the tunnel.

It might also help if you can tell me what it is e.g. Cisco PIX whatever.

----------

## iarwain

Thanks for answering jpl888.

I have no problem in switching to OpenSWAN, as long as it doesn't require any changes in the firewall (I don't have access to it). This is the required information:

* Local home IP: 192.168.1.7

General

* Destination network: 192.168.102.0 / 23

* Remote Gateway: 230.230.230.230 (external IP)

* IP Virtual Adapter: 192.168.103.101

* NAT-T: yes.

Phase 1

* My identity: user@mydomain.com

* Authentication: Preshared key

* Preshared key: secretkey

* Mode: Aggressive

* DH Group: 2

* Encryption: 3des

* Authentication/Signature: HMAC-sha

* SA-Life: 28800

Phase 2

* PFS, DH Group: 2

* Replay protection: yes

* Encryption: 3des

* Authentication/Signature: HMAC-sha

* SA-Life: 3600

Right now I can't remember the firewall's brand (it's not a Cisco, though); I'll post it as soon as I know it (Tuesday).

----------

## jpl888

To get you started here is my "/etc/ipsec/ipsec.conf"

```
conn myconnection
        left=*.*.*.*
        leftnexthop=*.*.*.*
        leftsubnet=*.*.*.*/24
        right=*.*.*.*
        rightnexthop=*.*.*.*
        rightsubnet=*.*.*.*/32
        ike=3des-md5-modp1024
        esp=3des-md5-96
        pfs=no
        authby=secret
        auto=start
```

Note: I am authorising by pre-shared key, which is stored in "/etc/ipsec/ipsec.secrets".

If my memory serves me, it sounds like your phase 1 and phase 2 encryption are the same as in the tunnel I'm using, so those "ike" and "esp" settings will probably work for you.

Look in "/var/log/auth.log" to see if the tunnel is set up properly.

----------

## iarwain

It works!

After several weeks trying different solutions, I've finally been able to connect with Racoon. In case someone's interested in the config files, here they are:

1) /etc/racoon/racoon.conf

```
path pre_shared_key "/etc/racoon/psk.txt" ;

listen
{
  isakmp 192.168.1.7[500];
  isakmp_natt 192.168.1.7[4500];
}

remote 230.230.230.230
{
  exchange_mode aggressive ;
  nat_traversal on;
  my_identifier user_fqdn "user@host.com" ;
  lifetime time 28800 sec ;
  proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method pre_shared_key ;
    dh_group modp1024 ;
  }
}

sainfo address 192.168.1.7 any address 192.168.102.0/24 any
{
  pfs_group modp1024;
  lifetime time 3600 sec ;
  encryption_algorithm 3des ;
  authentication_algorithm hmac_sha1 ;
  compression_algorithm deflate ;
}
```

2) /etc/racoon/psk.txt

```
230.230.230.230 secret
```

3) /etc/ipsec/ipsec.conf

```
flush;
spdflush;
spdadd 192.168.1.7 192.168.102.0/24 any -P out ipsec esp/tunnel/192.168.1.7-230.230.230.230/require;
spdadd 192.168.102.0/24 192.168.1.7 any -P in ipsec esp/tunnel/230.230.230.230-192.168.1.7/require;
```

It can probably be configured with OpenSWAN too, for sure, but I haven't found a successful configuration.
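Between the first racoon.conf and the working one, the phase-2 selectors changed (sainfo 192.168.102.0/23 became /24, and the SPD was changed to match) and the group numbers were written as modp names. As an added example that is not from the post or from ipsec-tools, the Python script below checks the two files against each other: every spdadd policy in the setkey file must have a sainfo entry whose local/remote selectors are identical to the policy's, and the esp/tunnel endpoints must agree with the listen and remote addresses in racoon.conf. The sainfo match is a strict equality check (a simplification of racoon's own ID matching; `sainfo anonymous` is not handled), and the group table maps racoon's numeric groups to their modp names so that `dh_group 2` and `dh_group modp1024` compare equal. The configuration text is constructed from the working files above; the mismatched SPD variant is constructed from the first post's /23 prefix.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed input: the working racoon.conf from the post above, trimmed.
RACOON_CONF = """
path pre_shared_key "/etc/racoon/psk.txt" ;
listen {
  isakmp 192.168.1.7[500];
  isakmp_natt 192.168.1.7[4500];
}
remote 230.230.230.230 {
  exchange_mode aggressive ;
  nat_traversal on;
  proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method pre_shared_key ;
    dh_group modp1024 ;
  }
}
sainfo address 192.168.1.7 any address 192.168.102.0/24 any {
  pfs_group modp1024;
  encryption_algorithm 3des ;
  authentication_algorithm hmac_sha1 ;
}
"""

# Constructed input: the working setkey policies, wrapped as in the post.
SPD_OK = """
flush; spdflush;
spdadd 192.168.1.7 192.168.102.0/24 any -P out ipsec
esp/tunnel/192.168.1.7-230.230.230.230/require;
spdadd 192.168.102.0/24 192.168.1.7 any -P in ipsec
esp/tunnel/230.230.230.230-192.168.1.7/require;
"""

# Constructed variant: SPD selectors use the /23 of the first post while sainfo says /24.
SPD_MISMATCH = SPD_OK.replace("192.168.102.0/24", "192.168.102.0/23")

# racoon accepts either the IKE group number or its modp name for dh_group/pfs_group.
DH_GROUP_ALIASES = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}

SAINFO_RE = re.compile(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+")
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+esp/tunnel/([\d.]+)-([\d.]+)/\w+")


def normalize_dh_group(value: str) -> str:
    """Map a numeric group to its modp name so both spellings compare equal."""
    return DH_GROUP_ALIASES.get(value, value)


def net(addr: str) -> ipaddress.IPv4Network:
    """A bare host address means /32 in both racoon and setkey."""
    return ipaddress.ip_network(addr, strict=False)


def parse_sainfo(conf: str) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """(local, remote) selector pairs from every 'sainfo address ... address ...' line."""
    return [(net(a), net(b)) for a, b in SAINFO_RE.findall(conf)]


def parse_spd(conf: str) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, str, str, str]]:
    """(src, dst, direction, tunnel_src, tunnel_dst) for every spdadd statement."""
    policies = []
    # setkey statements end with ';' and may be wrapped over several lines.
    for stmt in " ".join(conf.split()).split(";"):
        m = SPDADD_RE.search(stmt)
        if m:
            src, dst, direction, ep_a, ep_b = m.groups()
            policies.append((net(src), net(dst), direction, ep_a, ep_b))
    return policies


def check_consistency(racoon_conf: str, setkey_conf: str) -> List[str]:
    """Return one message per SPD policy that racoon.conf cannot serve as written."""
    issues = []
    local_gw = re.search(r"isakmp\s+([\d.]+)\[", racoon_conf).group(1)
    remote_gw = re.search(r"remote\s+([\d.]+)", racoon_conf).group(1)
    sainfos = parse_sainfo(racoon_conf)
    for src, dst, direction, ep_a, ep_b in parse_spd(setkey_conf):
        # Phase-2 IDs are local/remote regardless of direction; 'in' policies swap src and dst.
        local_id, remote_id = (src, dst) if direction == "out" else (dst, src)
        if (local_id, remote_id) not in sainfos:
            issues.append(f"{direction} policy {src}->{dst}: no sainfo with selectors "
                          f"{local_id} / {remote_id}")
        expected = (local_gw, remote_gw) if direction == "out" else (remote_gw, local_gw)
        if (ep_a, ep_b) != expected:
            issues.append(f"{direction} policy {src}->{dst}: tunnel endpoints {ep_a}-{ep_b}, "
                          f"expected {expected[0]}-{expected[1]}")
    return issues


if __name__ == "__main__":
    print("working SPD:", check_consistency(RACOON_CONF, SPD_OK) or "consistent")
    for issue in check_consistency(RACOON_CONF, SPD_MISMATCH):
        print("mismatched SPD:", issue)
```

The check is local only: it cannot see what the peer's policy requires, but it does catch the case where the SPD hands racoon a selector pair that no sainfo block describes, which leaves phase 2 unable to proceed even though phase 1 is up.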

----------

