phase2 negotiation failed due to time up waiting for phase1

hishamiqbal · 10-25-2004, 04:05 AM

Hello,

I have established an IPsec connection between two hosts. (10.1.4.123) <==> (10.1.4.120)

i am using --- ipsec-tools 0.4rc1, Kernel 2.6.8.1. When I run racoon for IKE (pre-shared key) following error is generated. I am using samples configuration fine racoon.conf provided with the source directory of the above ipsec-tools package.
----------------------------------------------------------------------------------------------------------
Foreground mode.
2004-10-25 13:46:39: INFO: @(#)ipsec-tools 0.4rc1
2004-10-25 13:46:39: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003
2004-10-25 13:46:39: INFO: 10.1.4.123[500] used as isakmp port (fd=6)
2004-10-25 13:46:39: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
2004-10-25 13:49:45: INFO: IPsec-SA request for 10.1.4.120 queued due to no phase1 found.
2004-10-25 13:49:45: INFO: initiate new phase 1 negotiation: 10.1.4.123[500]<=>10.1.4.120[500]
2004-10-25 13:49:45: INFO: begin Identity Protection mode.
2004-10-25 13:50:16: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.1.4.120->10.1.4.123

--------------------------------------------------------------------------------------------------------------
When i try and do telnet from one machine to other following message is generated :-

telnet: connect to address 10.1.4.120: Resource temporarily unavailable

I am using pre-shared key method and the "psk.txt" files of both the hosts are following:-

[on 10.1.4.123 machine]
# IPv4/v6 addresses
10.1.4.120 password2

[on 10.1.4.120 machine]
# IPv4/v6 addresses
10.1.4.123 password2

The file which defines the SAP (/etc/ipsec.conf) on both machines is as follows:-

[on 10.1.4.123 machine]
#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd 10.1.4.123 10.1.4.120 any -P out ipsec
esp/transport//require;

spdadd 10.1.4.120 10.1.4.123 any -P in ipsec
esp/transport//require;

[on 10.1.4.120 machine]
#!/sbin/setkey -f
flush;
spdflush;

spdadd 10.1.4.120 10.1.4.123 any -P out ipsec
esp/transport//require;

spdadd 10.1.4.123 10.1.4.120 any -P in ipsec
esp/transport//require;

I have searched alot and read alot of stuff over the web. Nothing seems to fix this problem. Can anyone please help.

Thankx

bignerd · 11-16-2004, 02:38 PM

I'm not familiar with these tools so I can only offer generic advice.

Phase 1 deals with setting up protections and agreements that will protect the phase 2.

If the server and client do not agree on the phase 1 setup then poof.. it won't work. This may be in main mode or agressive mode.. depending on what your software is trying.

Check that on both the client and server these things are set the same:

1. Hash Algorithm
2. Encryption Algorithm
3. Authentication Methods
4. Diffie-Hellman Group

If these do not agree then no-go.

So if you picked 1. md5, 2. 3des, 3. psk, 4. group 2... then it needs to be set that way on both server and client.

I don't know how to do this using your tools, just that for Internet Key Exchange for IPSec VPNs this is what has to be.