I have had a site2site ipsec vpn working for years, but we changed the internet connection on one side today. I tried updating the ipsec settings in m0n0 accordingly, but the ipsec tunnel does not come up anymore. How can I debug this issue?
This is my config on each side:
----------------------SIDE A
$ cat /var/etc/racoon.conf
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote 84.199.108.123 {
    exchange_mode main;
    my_identifier fqdn "wlict.be";
    peers_identifier address 84.199.108.123;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    dpd_delay 60;
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo address 172.16.12.0/24 any address 172.16.8.0/22 any {
    encryption_algorithm blowfish,cast128,rijndael;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
}
----------------------SIDE A
$ cat /var/etc/racoon.conf
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote 62.213.199.199 {
    exchange_mode main;
    my_identifier fqdn "wlict.be";
    peers_identifier address 62.213.199.199;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    dpd_delay 60;
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo address 172.16.8.0/22 any address 172.16.12.0/24 any {
    encryption_algorithm blowfish,cast128,rijndael;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
}
And the log files keep showing this:
Nov 30 11:46:52 racoon: ERROR: couldn't find configuration.
Nov 30 11:47:00 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Nov 30 11:47:02 racoon: ERROR: couldn't find configuration.
Nov 30 11:47:09 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 84.199.108.123[500]->62.213.199.199[500]
Nov 30 11:47:09 racoon: INFO: delete phase 2 handler.
Nov 30 11:47:10 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Nov 30 11:47:11 racoon: ERROR: couldn't find configuration.
Nov 30 11:47:16 racoon: ERROR: phase1 negotiation failed due to time up. 5d832b765a65a351:0000000000000000
Nov 30 11:47:19 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 84.199.108.123[500]->62.213.199.199[500]
Nov 30 11:47:19 racoon: INFO: delete phase 2 handler.
Nov 30 11:47:22 racoon: INFO: IPsec-SA request for 84.199.108.123 queued due to no phase1 found.
Nov 30 11:47:22 racoon: INFO: initiate new phase 1 negotiation: 62.213.199.199[500]<=>84.199.108.123[500]
Nov 30 11:47:22 racoon: INFO: begin Identity Protection mode.
Nov 30 11:47:31 racoon: INFO: phase2 sa expired 62.213.199.199-84.199.108.123
Nov 30 11:47:31 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Nov 30 11:47:32 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 84.199.108.123[500]->62.213.199.199[500]
Nov 30 11:47:32 racoon: INFO: delete phase 2 handler.
Nov 30 11:47:32 racoon: INFO: phase2 sa deleted 62.213.199.199-84.199.108.123
Nov 30 11:47:38 racoon: ERROR: couldn't find configuration.
Nov 30 11:47:43 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 84.199.108.123[500]->62.213.199.199[500]
Nov 30 11:47:43 racoon: INFO: delete phase 2 handler.
Nov 30 11:47:43 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Nov 30 11:47:48 racoon: ERROR: couldn't find configuration.
How can I further investigate this? I do not understand the logs completely, but it seems that phase1 is not coming up...