Old 10-25-2004, 04:05 AM   #1
phase2 negotiation failed due to time up waiting for phase1


I have established an IPsec connection between two hosts. ( <==> (

I am using ipsec-tools 0.4rc1, Kernel. When I run racoon for IKE (pre-shared key), the following error is generated. I am using the sample configuration file racoon.conf provided with the source directory of the above ipsec-tools package.
Foreground mode.
2004-10-25 13:46:39: INFO: @(#)ipsec-tools 0.4rc1
2004-10-25 13:46:39: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003
2004-10-25 13:46:39: INFO:[500] used as isakmp port (fd=6)
2004-10-25 13:46:39: INFO:[500] used as isakmp port (fd=7)
2004-10-25 13:49:45: INFO: IPsec-SA request for queued due to no phase1 found.
2004-10-25 13:49:45: INFO: initiate new phase 1 negotiation:[500]<=>[500]
2004-10-25 13:49:45: INFO: begin Identity Protection mode.
2004-10-25 13:50:16: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP>

When I try to telnet from one machine to the other, the following message is generated:

telnet: connect to address Resource temporarily unavailable

I am using the pre-shared key method, and the "psk.txt" files of both hosts are as follows:

[on machine]
# IPv4/v6 addresses password2

[on machine]
# IPv4/v6 addresses password2

The file which defines the SAP (/etc/ipsec.conf) on both machines is as follows:-

[on machine]
#!/usr/sbin/setkey -f

spdadd any -P out ipsec

spdadd any -P in ipsec

[on machine]
#!/sbin/setkey -f

spdadd any -P out ipsec

spdadd any -P in ipsec

I have searched a lot and read a lot of stuff on the web. Nothing seems to fix this problem. Can anyone please help?

Old 11-16-2004, 02:38 PM   #2
I'm not familiar with these tools so I can only offer generic advice.

Phase 1 deals with setting up protections and agreements that will protect the phase 2.

If the server and client do not agree on the phase 1 setup then poof.. it won't work. This may be in main mode or aggressive mode.. depending on what your software is trying.

Check that on both the client and server these things are set the same:

1. Hash Algorithm
2. Encryption Algorithm
3. Authentication Methods
4. Diffie-Hellman Group

If these do not agree then no-go.

So if you picked 1. md5, 2. 3des, 3. psk, 4. group 2... then it needs to be set that way on both server and client.

I don't know how to do this using your tools, just that for Internet Key Exchange for IPSec VPNs this is what has to be.
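
Added example, not part of either post: one way to run the check described in the reply above against racoon, by comparing the phase 1 `proposal` blocks and `exchange_mode` of two racoon.conf files. The two sample configurations are constructed for illustration (they are not the poster's files), and the function names are hypothetical.

```python
import re

PHASE1_KEYS = ("encryption_algorithm", "hash_algorithm", "authentication_method", "dh_group")

# Constructed sample configs (not from the thread): host A offers md5, host B sha1.
CONF_A = """
remote anonymous {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;   # values are compared as text, so "2" and "modp1024" differ
    }
}
"""
CONF_B = CONF_A.replace("hash_algorithm md5", "hash_algorithm sha1")

def phase1_proposals(conf):
    """Return every proposal block as a dict of the four phase 1 parameters."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before parsing
    proposals = []
    for body in re.findall(r"\bproposal\s*\{([^}]*)\}", conf):
        params = dict(re.findall(r"(\w+)\s+([^;\s]+)\s*;", body))
        proposals.append({k: params.get(k) for k in PHASE1_KEYS})
    return proposals

def exchange_modes(conf):
    """Return the exchange modes listed (comma separated) in exchange_mode."""
    m = re.search(r"\bexchange_mode\s+([^;]+);", re.sub(r"#.*", "", conf))
    return [x.strip() for x in m.group(1).split(",")] if m else []

def compare(conf_a, conf_b):
    """List the reasons phase 1 cannot agree; an empty list means a match."""
    problems = []
    if not set(exchange_modes(conf_a)) & set(exchange_modes(conf_b)):
        problems.append("no common exchange_mode")
    a, b = phase1_proposals(conf_a), phase1_proposals(conf_b)
    if any(p in b for p in a):  # at least one identical proposal on both sides
        return problems
    for pa in a:
        for pb in b:
            diff = [f"{k}: {pa[k]} != {pb[k]}" for k in PHASE1_KEYS if pa[k] != pb[k]]
            problems.append("proposal mismatch (" + ", ".join(diff) + ")")
    return problems

if __name__ == "__main__":
    for line in compare(CONF_A, CONF_B) or ["phase 1 proposals agree"]:
        print(line)
```

A clean result only rules out a proposal mismatch; a phase 1 timeout can also mean the peers' IKE packets on UDP port 500 are not reaching each other.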

