
IPsec VPN tunnels get disconnected randomly, but when we restart racoon all tunnels come up again without any issue. I would like to know a permanent fix for this.

These are the logs:

racoon: ERROR: phase2 negotiation failed due to send error. 4ca6a54e16755b0b:5e5f8815483f5a75:0000abbe
racoon: [Off]: INFO: initiate new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
racoon: ERROR: failed to start post getspi.
racoon: ERROR: phase2 negotiation failed due to send error. 4ca6a54e16755b0b:5e5f8815483f5a75:0000d553
racoon: [Off]: INFO: initiate new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
racoon: ERROR: failed to start post getspi.
dddddd
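As an added illustration (not part of the original question), the racoon lines quoted above can be watched for automatically so the stuck state is noticed before users report it. The script below parses constructed log lines modelled on those in the question; it assumes the hex triple after a phase-2 send error is racoon's initiator-cookie:responder-cookie:message-id index, so the cookie pair identifies the phase-1 SA under which the failed child negotiation ran.

```python
import re
from collections import Counter

# Constructed sample modelled on the racoon lines quoted in the question (documentation IPs).
SAMPLE_LOG = """\
racoon: ERROR: phase2 negotiation failed due to send error. 4ca6a54e16755b0b:5e5f8815483f5a75:0000abbe
racoon: [Off]: INFO: initiate new phase 2 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
racoon: ERROR: failed to start post getspi.
racoon: ERROR: phase2 negotiation failed due to send error. 4ca6a54e16755b0b:5e5f8815483f5a75:0000d553
racoon: [Off]: INFO: initiate new phase 2 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
racoon: ERROR: failed to start post getspi.
racoon: [198.51.100.20] ERROR: notification INVALID-SPI received in informational exchange.
"""

# Assumed layout of the hex triple: initiator-cookie:responder-cookie:message-id;
# the cookie pair identifies the phase-1 (ISAKMP) SA the failed child negotiation ran under.
P2_SEND_ERR = re.compile(r"phase2 negotiation failed due to send error\. "
                         r"([0-9a-f]{16}):([0-9a-f]{16}):([0-9a-f]{8})")
P2_INIT = re.compile(r"initiate new phase 2 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]")
OTHER_ERRORS = {
    "post_getspi": "failed to start post getspi",
    "invalid_spi": "notification INVALID-SPI received",
    "phase1_send_error": "phase1 negotiation failed due to send error",
}

def summarize(log_text):
    """Count failure signatures, group phase-2 send errors by phase-1 SA, collect peers."""
    counts, per_isakmp_sa, peers = Counter(), Counter(), set()
    for line in log_text.splitlines():
        if m := P2_SEND_ERR.search(line):
            counts["phase2_send_error"] += 1
            per_isakmp_sa[(m.group(1), m.group(2))] += 1
        elif m := P2_INIT.search(line):
            peers.add((m.group(1), m.group(2)))
        else:
            for name, needle in OTHER_ERRORS.items():
                if needle in line:
                    counts[name] += 1
    return {"counts": dict(counts), "per_isakmp_sa": dict(per_isakmp_sa), "peers": peers}

def needs_attention(summary, threshold=2):
    """Flag a phase-1 SA with `threshold`+ failed phase-2 attempts, or any phase-1 send
    failure: the state that in the question was only cleared by restarting racoon."""
    stuck = any(n >= threshold for n in summary["per_isakmp_sa"].values())
    return stuck or summary["counts"].get("phase1_send_error", 0) > 0

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["counts"], sorted(s["peers"]), needs_attention(s))
```

Feeding the real racoon log through `summarize` from a cron job or a log shipper turns the repeated "send error" / "post getspi" pair into an alert keyed by the affected phase-1 SA rather than a blanket restart.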

1 Answer


Looks like what happens when you have a misconfigured PPTP server and a client disconnects. PPTP server should never use a real assigned IP as its server IP.

Chris Buechler
  • Thank you for your reply. I believe PPTP is configured correctly. The same configuration worked perfectly on my old pfSense (1.2.3). The day before, I disabled NAT-T and unchecked "Prefer older IPsec SAs", but the VPN still went down when there was no activity (normally at night). – dddddd Apr 05 '13 at 10:31
  • Here are the logs: racoon: ERROR: failed to begin ipsec sa negotication. racoon: ERROR: phase1 negotiation failed due to send error. 8121c0917ca543ac:0000000000000000 racoon: INFO: begin Aggressive mode. racoon: [Off]: INFO: initiate new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x2[500] racoon: [Off]: INFO: IPsec-SA request for x.x.x.x2 queued due to no phase1 found. racoon: ERROR: failed to begin ipsec sa negotication. – dddddd Apr 05 '13 at 10:36
  • Today I tried selecting "Prefer older IPsec SAs" and disabling NAT-T. The tunnels are still up (NOT SURE HOW LONG). I noticed one error in the log, but the tunnels are up. Here is the log: racoon: [x.x.x.x2] ERROR: notification INVALID-SPI received in informational exchange. – dddddd Apr 05 '13 at 10:39
  • What's your "Server IP" in the PPTP server? If it's an IP assigned to your firewall anywhere, that's wrong. I'm guessing it's your WAN IP, which it should never be. That's the IP inside the tunnel. – Chris Buechler Apr 10 '13 at 10:16
  • That didn't actually start breaking IPsec until the newer base components in 2.x release versions. It's always been a wrong config, just one that worked by chance. – Chris Buechler Apr 10 '13 at 10:18
  • Chris -> Thank you for your reply. The PPTP server IP is the WAN IP itself, since our ISP provides only one static IP for us. My doubt is: which IP should be given to the PPTP server then? Or, in order to make IPsec and the PPTP server work, do we need multiple WAN IPs? – dddddd Apr 10 '13 at 13:44
  • Or, if we use an unused LAN IP as the PPTP server IP, will PPTP work? Our only option is to provide our public IP (WAN IP) as the gateway to our clients. – dddddd Apr 10 '13 at 13:57