Did you enter a DNS entry in the general settings of the m0n0wall? Otherwise pool.ntp.org cannot be
resolved and the time isn't synced. Check whether you can ping pool.ntp.org under Diagnostics > Ping.
From: Pascal Simon [mailto:psi at netway dash solutions dot ch]
Sent: Tuesday, 5 April 2005 11:55
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] IPSec m0n0wall / Zyxel Prestige 653HWI
Thanks for your quick answer.
I will try to do a synchronized reboot of both devices. At the moment I
can't do this, because both systems are in use.
Is it possible that the problem I have has something to do with the
m0n0wall's system time? Because I wasn't able to change it to the right time.
At the moment the system date is Jan 1 04:26:26, and it should normally be
nearly Mar 5 11:23:00.
The NTP time server is set to pool.ntp.org and I also chose the right
Thank you very much
From: Vincent Fleuranceau [mailto:vincent at bikost dot com]
Sent: Tuesday, 5 April 2005 11:10
To: Pascal Simon
Subject: Re: [m0n0wall] IPSec m0n0wall / Zyxel Prestige 653HWI
-------- Original Message --------
> racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
> racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation
> due to time up waiting for phase1. ESP 213.XXX.XXX.XXX->157.XXX.XXX.XXX
That's a typical error when Phase 1 is not ready (main mode takes a lot
of time compared to aggressive) and phase 2 is trying to negotiate.
Try to do a synchronized reboot of both routers. Besides that, I'd use a
1-day (86400 seconds) P1 lifetime value to minimize such annoyances.
I personally reboot both tunnel ends every Sunday at 4:00 AM. I use
curl and a cron job on a 24/24 running server and use an 86400 lifetime
value for Phase 1. This helps to keep IPsec Phase 1 synchronized. In
addition, I use Fred Wright's pinger kludge to trigger the IPsec tunnel
at boot time. Tell me if you're interested.
You have to be aware that IPsec, and racoon's implementation in
particular, is not perfect. For example, if you have to reboot one
router, you can't be 100% sure the tunnel will re-establish quickly...
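As an added example (not part of the thread), the following Python parses racoon syslog lines in the format quoted above and counts, per ESP SA, how often phase 2 gave up waiting for phase 1, so a tunnel that keeps failing this way can be spotted before anyone notices it is down. The sample lines are constructed (RFC 5737 documentation addresses, not real peers) and the full racoon message text is assumed to be "phase2 negotiation failed due to time up waiting for phase1".

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format racoon logs on m0n0wall.
# The "Jan  1" timestamps mimic a box whose clock never synced via NTP.
SAMPLE_LOG = """\
Jan  1 04:26:30 m0n0wall racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
Jan  1 04:26:30 m0n0wall racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.10->198.51.100.20
Jan  1 04:27:15 m0n0wall racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.10->198.51.100.20
Jan  1 04:28:02 m0n0wall racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
Jan  1 04:29:40 m0n0wall racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.10->192.0.2.7
"""

# syslog prefix, then racoon's "LEVEL: file:line:function(): message" layout
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ racoon: "
    r"(?P<level>[A-Z]+): (?P<file>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\): (?P<msg>.*)$"
)
PEERS_RE = re.compile(r"ESP (?P<src>\S+)->(?P<dst>\S+)$")

def parse_racoon_line(line):
    """Split one syslog line from racoon into its fields, or None if it is not racoon."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def phase1_timeouts(log):
    """Count phase 2 attempts that gave up waiting for phase 1, per (src, dst) SA."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_racoon_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        if "time up waiting for phase1" not in rec["msg"]:
            continue
        peers = PEERS_RE.search(rec["msg"])
        if peers:
            counts[(peers["src"], peers["dst"])] += 1
    return counts

def tunnels_needing_attention(log, threshold=2):
    """SAs that hit the phase 1 timeout at least `threshold` times: candidates for
    a synchronized reboot or a longer P1 lifetime, as discussed in the thread."""
    return sorted(sa for sa, n in phase1_timeouts(log).items() if n >= threshold)

if __name__ == "__main__":
    for (src, dst), n in phase1_timeouts(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} phase 2 timeouts waiting for phase 1")
    print("attention:", tunnels_needing_attention(SAMPLE_LOG))
```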
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch