LinuxQuestions.org
Old 10-25-2004, 04:05 AM   #1
hishamiqbal
phase2 negotiation failed due to time up waiting for phase1


Hello,

I have established an IPsec connection between two hosts. (10.1.4.123) <==> (10.1.4.120)

I am using ipsec-tools 0.4rc1, kernel 2.6.8.1. When I run racoon for IKE (pre-shared key), the following error is generated. I am using the sample configuration file racoon.conf provided in the source directory of the above ipsec-tools package.
----------------------------------------------------------------------------------------------------------
Foreground mode.
2004-10-25 13:46:39: INFO: @(#)ipsec-tools 0.4rc1
2004-10-25 13:46:39: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003
2004-10-25 13:46:39: INFO: 10.1.4.123[500] used as isakmp port (fd=6)
2004-10-25 13:46:39: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
2004-10-25 13:49:45: INFO: IPsec-SA request for 10.1.4.120 queued due to no phase1 found.
2004-10-25 13:49:45: INFO: initiate new phase 1 negotiation: 10.1.4.123[500]<=>10.1.4.120[500]
2004-10-25 13:49:45: INFO: begin Identity Protection mode.
2004-10-25 13:50:16: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.1.4.120->10.1.4.123

--------------------------------------------------------------------------------------------------------------
When I try to telnet from one machine to the other, the following message is generated:

telnet: connect to address 10.1.4.120: Resource temporarily unavailable

I am using the pre-shared key method, and the "psk.txt" files of both hosts are as follows:

[on 10.1.4.123 machine]
# IPv4/v6 addresses
10.1.4.120 password2

[on 10.1.4.120 machine]
# IPv4/v6 addresses
10.1.4.123 password2

The file which defines the SAP (/etc/ipsec.conf) on both machines is as follows:-

[on 10.1.4.123 machine]
#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd 10.1.4.123 10.1.4.120 any -P out ipsec
esp/transport//require;

spdadd 10.1.4.120 10.1.4.123 any -P in ipsec
esp/transport//require;

[on 10.1.4.120 machine]
#!/sbin/setkey -f
flush;
spdflush;

spdadd 10.1.4.120 10.1.4.123 any -P out ipsec
esp/transport//require;

spdadd 10.1.4.123 10.1.4.120 any -P in ipsec
esp/transport//require;

I have searched a lot and read a lot of stuff on the web. Nothing seems to fix this problem. Can anyone please help?

Thanks
 
Old 11-16-2004, 02:38 PM   #2
bignerd
I'm not familiar with these tools so I can only offer generic advice.

Phase 1 deals with setting up protections and agreements that will protect the phase 2.

If the server and client do not agree on the phase 1 setup then poof.. it won't work. This may be in main mode or aggressive mode.. depending on what your software is trying.

Check that on both the client and server these things are set the same:

1. Hash Algorithm
2. Encryption Algorithm
3. Authentication Methods
4. Diffie-Hellman Group

If these do not agree then no-go.

So if you picked 1. md5, 2. 3des, 3. psk, 4. group 2... then it needs to be set that way on both server and client.

I don't know how to do this using your tools, just that for Internet Key Exchange for IPSec VPNs this is what has to be.
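
Added example, not part of the thread and not either poster's code: a check that two racoon.conf files agree on the four phase 1 parameters listed in the reply above. The directive names are racoon.conf's own; the function names are hypothetical and the sample configurations are constructed, since the thread does not show the poster's racoon.conf.

```python
import re

# The four phase 1 parameters listed in the reply, as racoon.conf directive names.
PHASE1_KEYS = ("hash_algorithm", "encryption_algorithm",
               "authentication_method", "dh_group")
# racoon accepts a DH group by number or by name; normalise to the number.
DH_ALIASES = {"modp768": "1", "modp1024": "2", "modp1536": "5"}

def phase1_proposals(conf_text):
    """Return every phase 1 proposal block in racoon.conf text as a dict."""
    text = re.sub(r"#.*", "", conf_text)  # strip comments
    proposals = []
    for body in re.findall(r"\bproposal\s*\{([^{}]*)\}", text):
        prop = {}
        for stmt in body.split(";"):
            parts = stmt.split()
            if len(parts) >= 2 and parts[0] in PHASE1_KEYS:
                value = parts[1].lower()
                prop[parts[0]] = DH_ALIASES.get(value, value)
        proposals.append(prop)
    return proposals

def common_proposals(local_conf, peer_conf):
    """Proposals for which both ends agree on all four parameters."""
    peer = phase1_proposals(peer_conf)
    return [p for p in phase1_proposals(local_conf)
            if len(p) == len(PHASE1_KEYS) and p in peer]

def mismatches(local_prop, peer_prop):
    """Names of the parameters on which two proposals differ."""
    return [k for k in PHASE1_KEYS if local_prop.get(k) != peer_prop.get(k)]

# Constructed sample configurations, not the poster's actual files.
HOST_A = """
remote anonymous {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;          # value the peer must also use
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
"""
HOST_B = HOST_A.replace("hash_algorithm md5", "hash_algorithm sha1")

if __name__ == "__main__":
    a, b = phase1_proposals(HOST_A)[0], phase1_proposals(HOST_B)[0]
    print("common proposals:", common_proposals(HOST_A, HOST_B))
    print("differs on:", mismatches(a, b))
```

An empty list from `common_proposals` means the two ends share no complete phase 1 proposal, and `mismatches` names the parameter to align.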
 
  

