Topic: racoon: ERROR: couldn't find configuration. (board: m0n0 > m0n0 VPN)
« on: February 08, 2010, 17:11:51 »
astronot
Posts: 5

I have ipsec set up between two sites.  One site is 50Mb fiber, the other 7Mb DSL.  The tunnel is up and working, but on the DSL side the log is getting spammed with the error: racoon: ERROR: couldn't find configuration.  Is this an error I can stop?  Also, NAT-T is *not* enabled in the configuration for this tunnel on either side, why does the log say it is?  I will paste both logs below.

I've replaced the IPs in the logs for security.  00.00.00.00 is the FIBER WAN IP, 11.11.11.11 is the DSL IP.

DSL LOG:
Code:
Feb 8 10:05:33 last message repeated 78 times
Feb 8 09:55:26 last message repeated 87 times
Feb 8 09:45:38 last message repeated 82 times
Feb 8 09:35:38 last message repeated 17 times
Feb 8 09:33:11 last message repeated 5 times
Feb 8 09:32:46 racoon: ERROR: couldn't find configuration.
Feb 8 09:32:37 racoon: INFO: IPsec-SA established: ESP/Tunnel 11.11.11.11[500]->00.00.00.00[500] spi=19113(0x4aa9)
Feb 8 09:32:37 racoon: INFO: IPsec-SA established: ESP/Tunnel 00.00.00.00[0]->11.11.11.11[0] spi=39965745(0x261d431)
Feb 8 09:32:36 racoon: INFO: initiate new phase 2 negotiation: 11.11.11.11[500]<=>00.00.00.00[500]
Feb 8 09:32:36 racoon: INFO: ISAKMP-SA deleted 11.11.11.11[500]-00.00.00.00[500] spi:37eff96923f4183d:797fdecb340dc7b5
Feb 8 09:32:35 racoon: INFO: purging spi=92039367.
Feb 8 09:32:35 racoon: INFO: purging spi=50732932.
Feb 8 09:32:35 racoon: INFO: ISAKMP-SA established 11.11.11.11[500]-00.00.00.00[500] spi:dc01134ea4b113f9:cf94675873702eb1
Feb 8 09:32:35 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 8 09:32:35 racoon: INFO: received Vendor ID: DPD
Feb 8 09:32:35 racoon: INFO: begin Aggressive mode.
Feb 8 09:32:35 racoon: INFO: initiate new phase 1 negotiation: 11.11.11.11[500]<=>00.00.00.00[500]
Feb 8 09:32:35 racoon: INFO: IPsec-SA request for 00.00.00.00 queued due to no phase1 found.
Feb 8 09:32:35 racoon: ERROR: phase2 negotiation failed due to phase1 expired. 37eff96923f4183d:797fdecb340dc7b5:0000b7fe
Feb 8 09:32:27 racoon: INFO: ISAKMP-SA deleted 11.11.11.11[500]-00.00.00.00[500] spi:d6f4d28cfa0efc86:f712eabd90993a92
Feb 8 09:32:26 racoon: INFO: ISAKMP-SA expired 11.11.11.11[500]-00.00.00.00[500] spi:37eff96923f4183d:797fdecb340dc7b5
Feb 8 09:32:26 racoon: INFO: ISAKMP-SA expired 11.11.11.11[500]-00.00.00.00[500] spi:d6f4d28cfa0efc86:f712eabd90993a92
Feb 8 09:32:25 racoon: INFO: initiate new phase 2 negotiation: 11.11.11.11[500]<=>00.00.00.00[500]
Feb 8 09:32:25 racoon: INFO: purged IPsec-SA proto_id=ESP spi=91180580.

FIBER LOG:
Code:
Feb 8 09:31:58 racoon: INFO: IPsec-SA established: ESP/Tunnel 00.00.00.00[500]->11.11.11.11[500] spi=39965745(0x261d431)
Feb 8 09:31:58 racoon: INFO: IPsec-SA established: ESP/Tunnel 11.11.11.11[0]->00.00.00.00[0] spi=19113(0x4aa9)
Feb 8 09:31:58 racoon: INFO: respond new phase 2 negotiation: 00.00.00.00[500]<=>11.11.11.11[500]
Feb 8 09:31:57 racoon: INFO: ISAKMP-SA established 00.00.00.00[500]-11.11.11.11[500] spi:dc01134ea4b113f9:cf94675873702eb1
Feb 8 09:31:57 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 8 09:31:57 racoon: INFO: received Vendor ID: DPD
Feb 8 09:31:57 racoon: INFO: begin Aggressive mode.
Feb 8 09:31:57 racoon: INFO: respond new phase 1 negotiation: 00.00.00.00[500]<=>11.11.11.11[500]
Feb 8 09:31:49 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.0.1.0/24[0] proto=any dir=out
Feb 8 09:31:49 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.3/32[0] 10.0.0.0/24[0] proto=any dir=out
Feb 8 09:31:49 racoon: ERROR: such policy already exists. anyway replace it: 10.0.1.0/24[0] 10.0.0.0/24[0] proto=any dir=in
Feb 8 09:31:49 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.0.0.3/32[0] proto=any dir=in
Feb 8 09:31:49 racoon: INFO: 00.00.00.00[4500] used for NAT-T
Feb 8 09:31:49 racoon: INFO: 00.00.00.00[4500] used as isakmp port (fd=15)
Feb 8 09:31:49 racoon: INFO: 00.00.00.00[500] used for NAT-T
Feb 8 09:31:49 racoon: INFO: 00.00.00.00[500] used as isakmp port (fd=14)
Feb 8 09:31:49 racoon: INFO: 10.0.10.1[4500] used for NAT-T
Feb 8 09:31:49 racoon: INFO: 10.0.10.1[4500] used as isakmp port (fd=13)
Feb 8 09:31:49 racoon: INFO: 10.0.10.1[500] used for NAT-T
Feb 8 09:31:49 racoon: INFO: 10.0.10.1[500] used as isakmp port (fd=12)
Feb 8 09:31:49 racoon: INFO: 10.0.0.3[4500] used for NAT-T
Feb 8 09:31:49 racoon: INFO: 10.0.0.3[4500] used as isakmp port (fd=11)
Feb 8 09:31:49 racoon: INFO: 10.0.0.3[500] used for NAT-T
Feb 8 09:31:49 racoon: INFO: 10.0.0.3[500] used as isakmp port (fd=10)
Feb 8 09:31:49 racoon: INFO: 127.0.0.1[4500] used for NAT-T
Feb 8 09:31:49 racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=9)
Feb 8 09:31:49 racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 8 09:31:49 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Feb 8 09:31:49 racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Feb 8 09:31:49 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Feb 8 09:31:49 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Feb 8 09:31:49 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Feb 8 09:31:48 racoon: INFO: racoon shutdown
Feb 8 09:31:47 racoon: INFO: caught signal 15
« Reply #1 on: February 10, 2010, 00:39:39 »
astronot
Posts: 5

Figured this out. These firewalls were replacements; on one end an old PIX remained, and I forgot to remove the tunnel config there, so it was constantly trying to establish with the DSL firewall.
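A log triage helper, added here as an example and not taken from the thread or from m0n0wall: it folds syslog "last message repeated N times" lines into the message before them, totals racoon ERROR messages, and lists negotiation addresses that are neither the firewall's own nor a configured peer. The sample log, the two address sets and the address 203.0.113.7 standing in for the forgotten PIX are constructed assumptions; in the thread the "couldn't find configuration" line names no peer, so the useful signals are the error rate and any address the configuration does not account for.

```python
import re
from collections import Counter

# Constructed sample (not from the thread) in syslog oldest-first order, reusing
# the message formats the thread shows. 11.11.11.11 = this box's DSL WAN,
# 00.00.00.00 = the configured fibre peer, 203.0.113.7 = a hypothetical stale
# peer (like the forgotten PIX) that this firewall has no configuration for.
SAMPLE_LOG = """\
Feb 8 09:32:35 racoon: INFO: initiate new phase 1 negotiation: 11.11.11.11[500]<=>00.00.00.00[500]
Feb 8 09:32:35 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 8 09:32:35 racoon: INFO: ISAKMP-SA established 11.11.11.11[500]-00.00.00.00[500] spi:dc01134ea4b113f9:cf94675873702eb1
Feb 8 09:32:46 racoon: ERROR: couldn't find configuration.
Feb 8 09:33:11 last message repeated 5 times
Feb 8 09:35:38 last message repeated 17 times
Feb 8 09:40:02 racoon: INFO: respond new phase 1 negotiation: 11.11.11.11[500]<=>203.0.113.7[500]
"""

LOCAL_ADDRS = {"11.11.11.11"}   # this firewall's own WAN address(es) (assumed)
KNOWN_PEERS = {"00.00.00.00"}   # remote endpoints actually configured for IPsec (assumed)

MSG_RE = re.compile(r"^\w{3} +\d+ [\d:]+ racoon: (\w+): (.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\[\d+\]")

def triage(log_text, known_peers, local_addrs, newest_first=False):
    """Count racoon messages by (level, text), folding syslog 'last message
    repeated N times' lines into the preceding message, and collect peer
    addresses seen in negotiations that are neither local nor configured."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    if newest_first:            # m0n0wall's web log view lists newest entries first
        lines.reverse()
    counts, unknown, last = Counter(), set(), None
    for line in lines:
        rep = REPEAT_RE.search(line)
        if rep:
            if last is not None:
                counts[last] += int(rep.group(1))
            continue
        m = MSG_RE.match(line)
        if not m:
            continue
        last = (m.group(1), m.group(2))
        counts[last] += 1
        for ip in ADDR_RE.findall(m.group(2)):
            if ip not in known_peers and ip not in local_addrs:
                unknown.add(ip)
    error_total = sum(n for (level, _), n in counts.items() if level == "ERROR")
    return {"counts": counts, "error_total": error_total, "unknown_peers": sorted(unknown)}
```

When the input is a copy-paste from m0n0wall's log page (newest entry first), pass newest_first=True so the repeat lines fold into the right message.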