# Strange Racoon errors

## vad3r

Hi all,

I have a running VPN setup between a NetScreen 204 and racoon on my laptop. It's working pretty well except for strange log messages I receive from racoon every 10 seconds:

```
May  9 16:59:52 deathstar racoon: INFO: respond new phase 1 negotiation: 172.20.52.224[500]<=>xx.xxx.xxx.xxx[500]
May  9 16:59:52 deathstar racoon: INFO: begin Aggressive mode.
May  9 16:59:52 deathstar racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May  9 16:59:52 deathstar racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
May  9 16:59:52 deathstar racoon: INFO: received Vendor ID: DPD
May  9 16:59:52 deathstar racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
May  9 16:59:52 deathstar racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:7
May  9 16:59:52 deathstar racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 3DES-CBC:7
May  9 16:59:52 deathstar racoon: ERROR: no suitable proposal found.
May  9 16:59:52 deathstar racoon: ERROR: failed to get valid proposal.
May  9 16:59:52 deathstar racoon: ERROR: failed to process packet.
```

Can one of you tell me what's going on?

Thanks 

Daniel

----------

## think4urs11

What encryption/hash-algo settings do you use (on both sides) for Phase 1+2?

----------

## vad3r

3des-sha and aes128-sha on the VPN box and here's my config for racoon:

```
proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
}
```

----------

## think4urs11

Shot in the dark, more or less ... is the NetScreen configured to use DH group 7 instead of (the correct) 2?

----------

## vad3r

The NetScreen uses DH group 2. I have two possible proposals defined on the NetScreen but only one in racoon. Can this cause this problem?

----------

## think4urs11

*vad3r wrote:*

> The NetScreen uses DH group 2. I have two possible proposals defined on the NetScreen but only one in racoon. Can this cause this problem?

No, either server and client agree on the encryption settings or they don't.

But when looking at the logs it seems as if there is a mismatch between the two somewhere.

Is this tunnel or transport mode? Any other details which could give a clue about the origin of this error?

----------

## vad3r

I'm using tunnel mode. Yesterday something stranger happened:

I started racoon for my WLAN connection and no errors appeared in the logs. The config was exactly the same, even if my source address had changed, but that's the only difference to the default configs. Today in the office I'm getting the same errors again.

----------

## think4urs11

Do the encryption domains match on both sides (especially network masks)?

It looks as if phase 1 is successful and the error is somewhere within the phase 2 settings.

----------

## vad3r

The errors disappeared after reducing the Phase 1 proposals in the NetScreen's config to one. Seems like racoon isn't too happy if there's more than one proposal available.

Thanks a lot
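As an added example, not part of the thread or of racoon itself: a small Python parser for racoon's `rejected enctype` lines that decodes the bare numeric peer value against the IANA IKEv1 encryption algorithm registry, so a log like the one at the top of the thread shows at a glance which algorithm the peer offered that racoon's own proposal does not list. The sample lines are constructed from the thread's log excerpt.

```python
import re

# IKEv1 Phase 1 encryption algorithm IDs (IANA "IPSEC ISAKMP IKE Encryption
# Algorithm" registry). racoon logged the peer's value above as a bare 7,
# so decoding it against this table shows what the peer actually offered.
IKE_ENC_ALG = {1: "DES-CBC", 2: "IDEA-CBC", 3: "BLOWFISH-CBC",
               4: "RC5-R16-B64-CBC", 5: "3DES-CBC", 6: "CAST-CBC",
               7: "AES-CBC", 8: "CAMELLIA-CBC"}

# racoon's "rejected <attr>: DB(prop#a:trns#b):Peer(prop#c:trns#d) = X:Y"
REJECT_RE = re.compile(
    r"racoon: ERROR: rejected (?P<attr>\w+): "
    r"DB\(prop#(?P<dbp>\d+):trns#(?P<dbt>\d+)\):"
    r"Peer\(prop#(?P<pp>\d+):trns#(?P<pt>\d+)\) = (?P<db>[^:\s]+):(?P<peer>\S+)")

# Sample lines, constructed from the thread's own log excerpt.
SAMPLE_LOG = [
    "May  9 16:59:52 deathstar racoon: INFO: begin Aggressive mode.",
    "May  9 16:59:52 deathstar racoon: ERROR: rejected enctype: "
    "DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:7",
    "May  9 16:59:52 deathstar racoon: ERROR: rejected enctype: "
    "DB(prop#1:trns#1):Peer(prop#1:trns#3) = 3DES-CBC:7",
    "May  9 16:59:52 deathstar racoon: ERROR: no suitable proposal found.",
]

def decode(value):
    """Map a bare numeric enctype to its IANA name; pass names through."""
    return IKE_ENC_ALG.get(int(value), f"unknown({value})") if value.isdigit() else value

def parse_rejections(lines):
    """One record per 'rejected' line: local transform, peer transform, values."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield {"attr": m["attr"],
                   "local": (int(m["dbp"]), int(m["dbt"]), decode(m["db"])),
                   "peer": (int(m["pp"]), int(m["pt"]), decode(m["peer"]))}

def summarize(lines):
    """What racoon offers vs what the peer sent that racoon refused, per attribute."""
    local, refused = set(), {}
    for r in parse_rejections(lines):
        local.add(r["local"][2])
        refused.setdefault(r["attr"], set()).add(r["peer"][2])
    return {"local": sorted(local), "refused": {k: sorted(v) for k, v in refused.items()}}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))  # {'local': ['3DES-CBC'], 'refused': {'enctype': ['AES-CBC']}}
```

Run against a full racoon log, the `refused` set is the list of algorithms the peer's extra proposals carry that the local `proposal {}` block would need to add, or that the peer side should drop, for the two configurations to agree.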

----------

