Hello,

When I was looking into the fragmented NAT-T IPsec problem I found what appears to be another problem. If one end of the connection is restarted, the IPsec connection doesn't get rebuilt until the other end is restarted too (disable, then re-enable IPsec in the webUI). From a cold start, the tunnel comes up fine, which suggests that everything is OK config-wise. If I remove the NAT device and use normal ESP, then the tunnel gets rebuilt almost immediately if one end is restarted.

Below is the log from each side of the tunnel (repeated continually):

[log from 192.168.1.2] [machine is behind NAT device, which has WAN address 192.168.0.2]

Feb 16 16:03:46 racoon: ERROR: none message must be encrypted
Feb 16 16:03:46 racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Feb 16 16:03:46 racoon: INFO: initiate new phase 2 negotiation: 192.168.1.2[4500]<=>192.168.0.1[4500]
Feb 16 16:03:31 racoon: ERROR: 192.168.0.1 give up to get IPsec-SA due to time up to wait.

[log from 192.168.0.1]

Feb 16 16:00:30 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 16 16:00:19 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, b21854955aaff318:897ed67072581b0b:0000803e
Feb 16 16:00:16 racoon: INFO: delete phase 2 handler.
Feb 16 16:00:16 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.0.2[500]->192.168.0.1[500]
Feb 16 16:00:16 racoon: INFO: delete phase 2 handler.
Feb 16 16:00:16 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.0.2[500]->192.168.0.1[500]

Regards,
Kris.
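As an added example (not part of Kris's post, and not racoon's own tooling), here is a small log triage script that pulls the two symptoms visible in the quoted output into one place: the NAT-side racoon has floated to UDP port 4500 (NAT-T) and is initiating phase 2 there, while the public-side racoon is still trying to run phase 2 against a port-500 phase 1 that no longer exists after the restart, so one side gives up and the other waits forever. The sample lines are constructed from the post's own log excerpt; the event signatures and the "stalled"/"port_mismatch" heuristics are assumptions of this example, not something racoon reports itself.

```python
import re
from collections import Counter

# Constructed sample input: the racoon lines quoted in the post, one block per host.
NAT_SIDE_LOG = """\
Feb 16 16:03:46 racoon: ERROR: none message must be encrypted
Feb 16 16:03:46 racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Feb 16 16:03:46 racoon: INFO: initiate new phase 2 negotiation: 192.168.1.2[4500]<=>192.168.0.1[4500]
Feb 16 16:03:31 racoon: ERROR: 192.168.0.1 give up to get IPsec-SA due to time up to wait.
"""

PUBLIC_SIDE_LOG = """\
Feb 16 16:00:30 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 16 16:00:19 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, b21854955aaff318:897ed67072581b0b:0000803e
Feb 16 16:00:16 racoon: INFO: delete phase 2 handler.
Feb 16 16:00:16 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.0.2[500]->192.168.0.1[500]
Feb 16 16:00:16 racoon: INFO: delete phase 2 handler.
Feb 16 16:00:16 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.0.2[500]->192.168.0.1[500]
"""

# syslog prefix as it appears in the post: "<Mon DD HH:MM:SS> racoon: <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
# racoon writes endpoints as "a.b.c.d[port]"
ENDPOINT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\[(\d+)\]")

# Event signatures (assumed for this example): substrings of the racoon message text.
SIGNATURES = {
    "nat_t_switch": "NAT detected -> UDP encapsulation",
    "p2_initiate":  "initiate new phase 2 negotiation",
    "p2_gave_up":   "give up to get IPsec-SA due to time up",
    "p2_wait_p1":   "phase2 negotiation failed due to time up waiting for phase1",
    "no_isakmp_sa": "there is no ISAKMP-SA",
    "p2_queued":    "queued due to no phase1 found",
    "unencrypted":  "none message must be encrypted",
}


def parse(log_text):
    """Yield (level, message, [(ip, port), ...]) for each racoon line; skip other syslog lines."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        endpoints = [(ip, int(port)) for ip, port in ENDPOINT_RE.findall(msg)]
        yield m.group("level"), msg, endpoints


def summarize(log_text):
    """Count known events and collect the ISAKMP ports seen in phase 2 messages."""
    counts = Counter()
    ports = set()
    for _level, msg, endpoints in parse(log_text):
        for name, needle in SIGNATURES.items():
            if needle in msg:
                counts[name] += 1
        if "phase 2" in msg or "phase2" in msg:
            ports.update(port for _ip, port in endpoints)
    return counts, ports


def diagnose(nat_side_text, public_side_text):
    """Combine both hosts' logs into one verdict on why the tunnel is not coming back."""
    nat_counts, nat_ports = summarize(nat_side_text)
    pub_counts, pub_ports = summarize(public_side_text)
    return {
        "nat_side_ports": nat_ports,          # expected {4500}: NAT-T floated port
        "public_side_ports": pub_ports,       # expected {500}: stale pre-NAT-T phase 1
        "port_mismatch": bool(nat_ports) and bool(pub_ports) and nat_ports.isdisjoint(pub_ports),
        "public_side_waiting_for_phase1": (pub_counts["p2_wait_p1"]
                                           + pub_counts["p2_queued"]
                                           + pub_counts["no_isakmp_sa"]),
        "nat_side_gave_up": nat_counts["p2_gave_up"],
        # heuristic: one side times out on phase 2 while the other is still waiting for phase 1
        "stalled": pub_counts["p2_wait_p1"] > 0 and nat_counts["p2_gave_up"] > 0,
    }


if __name__ == "__main__":
    for key, value in diagnose(NAT_SIDE_LOG, PUBLIC_SIDE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the two log files of a stuck tunnel; a "port_mismatch" of True with "stalled" True is the signature of the situation in the post, where only the NAT-T side knows the tunnel moved to 4500. The heuristics are deliberately conservative: they flag the pattern, they do not claim which racoon setting fixes it.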