On Sat, Jul 17, 2010 at 10:55 AM, Paul Peziol <[email protected]> wrote:
> I do have a dynamic ip but have set the tunnels with dyndns. Verified the
> ip that's in the logs to make sure it matches the current ip.
>

It's looking like it is not even getting past phase 1 negotiation with the other site. You might have done this already, but make sure that your negotiation modes (aggressive or main) match on both devices, and that the other settings like your DH key group, encryption algorithm, and hash algorithm match as well.

> On Sat, Jul 17, 2010 at 9:43 AM, Jesse Vollmar <[email protected]> wrote:
>
>> On Sat, Jul 17, 2010 at 10:09 AM, Paul Peziol <[email protected]> wrote:
>>
>>> Have a site-site tunnel between home and work. Had issues getting the
>>> tunnels to work initially. Once they were up they were stable for a few
>>> weeks. Rebooted the home router this morning and the tunnel does not come
>>> back up. Went into IPSEC and re-saved the tunnels and still does not come
>>> up. Get this error
>>>
>>> ERROR: phase2 negotiation failed due to time up waiting for phase1
>>>
>>> Jul 17 09:01:11 racoon: *[]*: INFO: initiate new phase 1 negotiation: HOME WAN[500]<=>OFFICE WAN[500]
>>> Jul 17 09:01:11 racoon: INFO: begin Aggressive mode.
>>> Jul 17 09:01:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
>>> Jul 17 09:01:44 racoon: *[]*: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP OFFICE WAN[0]->HOME WAN[0]
>>> Jul 17 09:01:44 racoon: INFO: delete phase 2 handler.
>>> Jul 17 09:02:01 racoon: ERROR: phase1 negotiation failed due to time up. dd42e11e42fc3dcb:0000000000000000
>>>
>>> Puzzled why it would work until a reboot. IPSEC status shows *No IPsec
>>> security associations.*
>>> I tried to delete the tunnels under SPD, resave the ipsec settings. The
>>> spd gets recreated but still no tunnel and the above messages.
>>
>> You say between home and work. Is it possible that you have a dynamic IP
>> at home and a reboot of your modem pulled down a new IP address? This could
>> potentially have disrupted the IPSec tunnel.
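The following triage script is an added example, not part of any message in this thread. It reads the racoon lines quoted above and reports the negotiation mode and whether phase 1 timed out with an all-zero responder cookie. The function names and the reading of the zero cookie (no reply from the peer was accepted) are assumptions of this example.

```python
import re

# Log lines copied from the thread, re-joined one entry per line.
SAMPLE_LOG = """\
Jul 17 09:01:11 racoon: *[]*: INFO: initiate new phase 1 negotiation: HOME WAN[500]<=>OFFICE WAN[500]
Jul 17 09:01:11 racoon: INFO: begin Aggressive mode.
Jul 17 09:01:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jul 17 09:01:44 racoon: *[]*: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP OFFICE WAN[0]->HOME WAN[0]
Jul 17 09:01:44 racoon: INFO: delete phase 2 handler.
Jul 17 09:02:01 racoon: ERROR: phase1 negotiation failed due to time up. dd42e11e42fc3dcb:0000000000000000
"""

MODE_RE = re.compile(r"begin (Aggressive|Identity Protection) mode")
P1_TIMEOUT_RE = re.compile(
    r"phase1 negotiation failed due to time up\. ([0-9a-f]{16}):([0-9a-f]{16})")
P2_WAIT_RE = re.compile(r"phase2 negotiation failed due to time up waiting for phase1")
ZERO_COOKIE = "0" * 16


def triage(log_text):
    """Summarise phase 1 failures found in racoon log text."""
    result = {"mode": None, "phase1_timeouts": [], "phase2_waiting": 0,
              "no_reply_accepted": False}
    for line in log_text.splitlines():
        if m := MODE_RE.search(line):
            # racoon logs main mode as "Identity Protection mode".
            result["mode"] = "aggressive" if m.group(1) == "Aggressive" else "main"
        if m := P1_TIMEOUT_RE.search(line):
            result["phase1_timeouts"].append((m.group(1), m.group(2)))
            # Assumption: an all-zero responder cookie means the initiator
            # never accepted a reply from the peer before timing out.
            if m.group(2) == ZERO_COOKIE:
                result["no_reply_accepted"] = True
        if P2_WAIT_RE.search(line):
            result["phase2_waiting"] += 1
    return result


def advice(result):
    """Map the triage result to the checks suggested in the thread."""
    if result["no_reply_accepted"]:
        return ("No phase 1 reply accepted: confirm the peer sees the current "
                "WAN address, then compare mode, DH group, encryption and hash.")
    if result["phase1_timeouts"]:
        return "Phase 1 started but did not finish: compare proposals on both ends."
    return "No phase 1 timeout found in this log."


if __name__ == "__main__":
    print(advice(triage(SAMPLE_LOG)))
```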
