From: "Josh Simoneau" <jsimoneau at lmtcs dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Subject: FW: [m0n0wall] forcing IPsec tunnel to start
Date: Sat, 15 Oct 2005 13:18:46 -0400

For the most part, the tunnel needs to be initiated by some traffic. Send a ping across to the other
end. Generally the first ping or two will time out, and then the rest will go through. This is
normal when a tunnel is initially down.

The tunnel will likely time out after enough idle time, as well. If you want to keep the tunnel up,
you will have to keep sending traffic through. Some people just schedule a quick ping every few
minutes. Make sure the Phase1 and Phase2 negotiation time values match on either side. I have found
that generally Phase1 should be longer than Phase2, although some documents say otherwise. 

Josh Simoneau
Janitor & CEO
Pen Island Pens, Inc
www.penisland.net


-----Original Message-----
From: Erik Anderson [mailto:erikerik at gmail dot com]
Sent: Sat 10/15/2005 1:39 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] forcing IPsec tunnel to start
 
I've started playing around w/ getting a VPN established between my
m0n0 box (v1.2) and a Cisco 3020 VPN concentrator.   The tunnel
started trying to bring itself up once, and got a few messages in the
syslog, but got the following error message:

racoon: WARNING: ipsec_doi.c:3082:ipsecdoi_checkid1(): ID value mismatched.

I changed the Phase1 mode from aggressive to main on both ends of the
tunnel to see if that made a difference.  Since then, I have seen
*zero* logs on either end indicating any IPsec traffic.

Is there a way to force the tunnel to come up, or do I just have to wait?
